Important Message For Joseph - Serious Security Flaw Identified In the Windows 10 App Essentials Add-On


Laughing Thunder
 

Hello,

I believe I have identified a serious security flaw in the Windows 10 App Essentials add-on for NVDA. The add-on should never check for updates, or present the dialog asking if the user would like to update the add-on while NVDA is running on the log on and other secure screens. I know that NVDA does warn if add-ons are found while copying the configuration to the system profile, but I feel that this warning cannot be relied upon to prevent serious security issues, such as the one described above. I cannot be the only user who allows some add-ons, such as speech synthesizers and other low-risk add-ons on the secure desktop intentionally for convenience. I feel that this should be addressed by preventing the Windows 10 App Essentials add-on from displaying update messages on secure screens, just in case it ends up in that configuration.

Also, NVDA should never display any add-on help entries in the NVDA help menu when running on secure screens, in the same way that custom preferences menu entries are hidden. I.E. if the NoBeepsSpeechMode add-on is installed in the system configuration, its help menu entry is displayed in the NVDA help menu on secure screens.


 

Hi,
Right - I'll add an issue on the GitHub page for the add-on. Thanks for bringing this up (will release 17.03.1 that addresses this problem soon).
Cheers,
Joseph
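
The guard requested in this thread, as an added example that is not part of the original messages or the add-on's own code: an NVDA global plugin that checks `globalVars.appArgs.secure` before it adds a help entry, contacts an update server or queues an update prompt. The plugin body, the `fetch_latest_version` callback, the version strings and `run_demo` are hypothetical; the `try`/`except` only supplies stand-ins so the block also runs outside NVDA.

```python
from types import SimpleNamespace

try:  # inside NVDA these modules are provided by the screen reader
    import globalVars
    import globalPluginHandler
except ImportError:  # stand-ins so the example runs outside NVDA
    globalVars = SimpleNamespace(appArgs=SimpleNamespace(secure=False))
    globalPluginHandler = SimpleNamespace(GlobalPlugin=object)


class GlobalPlugin(globalPluginHandler.GlobalPlugin):
    """Hypothetical add-on with an update check and a help-menu entry."""

    def __init__(self, fetch_latest_version, installed="1.0"):
        super().__init__()
        self.update_prompt = None   # text of the update dialog, if any
        self.help_entries = []      # entries this add-on adds to the help menu
        # On the logon and other secure screens: no network I/O, no dialogs,
        # no added menu entries. Return before any of that is set up.
        if globalVars.appArgs.secure:
            return
        self.help_entries.append("Example add-on help")
        latest = fetch_latest_version()
        if latest != installed:
            self.update_prompt = f"Update to {latest}?"


def run_demo(secure):
    """Start the plugin with the given secure flag and report what it did."""
    calls = []

    def fake_fetch():  # constructed stand-in for the real HTTP request
        calls.append("GET update manifest")
        return "1.1"

    previous = globalVars.appArgs.secure
    globalVars.appArgs.secure = secure
    try:
        plugin = GlobalPlugin(fake_fetch)
    finally:
        globalVars.appArgs.secure = previous
    return {"network": calls, "prompt": plugin.update_prompt,
            "help": plugin.help_entries}
```

Placing the check at the top of `__init__` means the add-on stays inert even if it is copied into the system configuration by mistake, which is the case the report is concerned with.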



 

Hi Joseph.
Do other add-ons check for updates automatically, or is checking for updates special to only this one?



Brian's Mail list account <bglists@...>
 

It's a relatively new feature allowed by NVDA, I think.
Brian
