Important Message For Joseph - Serious Security Flaw Identified In the Windows 10 App Essentials Add-On


Laughing Thunder
 

Hello,

I believe I have identified a serious security flaw in the Windows 10 App Essentials add-on for NVDA. The add-on should never check for updates, or present the dialog asking if the user would like to update the add-on while NVDA is running on the log on and other secure screens. I know that NVDA does warn if add-ons are found while copying the configuration to the system profile, but I feel that this warning cannot be relied upon to prevent serious security issues, such as the one described above. I cannot be the only user who allows some add-ons, such as speech synthesizers and other low-risk add-ons on the secure desktop intentionally for convenience. I feel that this should be addressed by preventing the Windows 10 App Essentials add-on from displaying update messages on secure screens, just in case it ends up in that configuration.

Also, NVDA should never display any add-on help entries in the NVDA help menu when running on secure screens, in the same way that custom preferences menu entries are hidden. I.e., if the NoBeepsSpeechMode add-on is installed in the system configuration, its help menu entry is displayed in the NVDA help menu on secure screens.
