Re: Important Message For Joseph - Serious Security Flaw Identified In the Windows 10 App Essentials Add-On

 

Hi,
Right - I'll add an issue on the GitHub page for the add-on. Thanks for bringing this up (will release 17.03.1 that addresses this problem soon).
Cheers,
Joseph

-----Original Message-----
From: nvda@nvda.groups.io [mailto:nvda@nvda.groups.io] On Behalf Of Laughingthunder
Sent: Saturday, February 25, 2017 11:36 AM
To: nvda@nvda.groups.io
Subject: [nvda] Important Message For Joseph - Serious Security Flaw Identified In the Windows 10 App Essentials Add-On

Hello,

I believe I have identified a serious security flaw in the Windows 10 App Essentials add-on for NVDA. The add-on should never check for updates or present the dialog asking if the user would like to update the add-on while NVDA is running on the logon and other secure screens.
I know that NVDA does warn if add-ons are found while copying the configuration to the system profile, but I feel that this warning cannot be relied upon to prevent serious security issues, such as the one described above. I cannot be the only user who allows some add-ons, such as speech synthesizers and other low-risk add-ons on the secure desktop intentionally for convenience. I feel that this should be addressed by preventing the Windows 10 App Essentials add-on from displaying update messages on secure screens, just in case it ends up in that configuration.

Also, NVDA should never display any add-on help entries in the NVDA help menu when running on secure screens, in the same way that custom preferences menu entries are hidden. I.E. if the NoBeepsSpeechMode add-on is installed in the system configuration, its help menu entry is displayed in the NVDA help menu on secure screens.
