Security issues on Windows 10 lock screen #5269
Comments
Comment 1 by James Teh <jamie@... on 2015-08-06 07:23
Changes:
Comment 2 by jteh on 2015-08-06 07:24
…lipboard, access running applications with the review cursor, change NVDA configuration, etc. Also, NVDA no longer says "LockAppHostFrameWindow" just before the lock screen appears. Fixes #5269.
It seems like part of this fix is broken on Windows 10 1903. When I tested on this version of Windows, I was able to successfully leave the lock screen with the review cursor, though I couldn't view what was on the clipboard. Can anyone else test this?
Ug. I can confirm with Windows 10 1809. I'm not sure what changed, but it seems you can now go next from the window. Perhaps this was always possible and I just missed this, but I doubt it. Technical:
Link to issue number: None, follow up on #5269

Summary of the issue:
On earlier Windows 10 builds, the top-level Window (Role.WINDOW) of the lock screen cannot directly navigate to the system with object navigation, but its parent can. This was fixed in a commit addressing #5269. On Windows 11 and newer Windows 10 builds, the top-level Window can directly navigate to the system with object navigation.

STR:
1. Press Windows+L
2. Press containing object (NVDA+numpad8/NVDA+shift+upArrow),
3. then you can use next object (NVDA+numpad6/NVDA+shift+rightArrow) to navigate the system.
4. On Windows 10 and 11, using "Navigate to the object under the mouse" (NVDA+numpadMultiply/NVDA+shift+n), you can navigate outside to the system from the lock screen.

Microsoft is aware of this issue.

Description of how this pull request fixes the issue:
This PR adds a function which checks if the lockapp is the foreground window, and if so, if a given object is outside of the lockapp. To prevent focus objects being set or used for navigation, this function is utilised in various api methods. An overlay class is also added which prevents navigation and announcement of content outside of the lockapp.

This PR also adds `GlobalCommands.script_navigatorObject_devInfo` to the allowed commands on the lockscreen to aid with debugging. This command should be safe as:
- The command only logs objects it can navigate to
- The log viewer cannot be accessed from the lockscreen

Testing strategy:
Manual testing on Windows 11, Windows 10 21H2, Windows 10 1809
- Attempt to navigate outside the top level window of the lock screen using object navigation using STR
- Ensure the lock screen can still be navigated with object navigation

An advisory is required to be sent out for earlier NVDA versions.
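A minimal model of the containment check the pull request description above refers to, as an added example that is not NVDA's code. The `UIObject` tree, the `Navigator` class, `demo()` and the `lockapp` process name are assumptions made for illustration; the point shown is that the lock window's parent is treated as outside, because only the lock window and its descendants pass.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

LOCK_APP = "lockapp"  # assumed process name of the lock screen host


@dataclass(eq=False)  # identity comparison: two windows may share a name
class UIObject:
    name: str
    app: str
    parent: Optional["UIObject"] = None
    children: List["UIObject"] = field(default_factory=list)

    def add(self, name: str, app: str) -> "UIObject":
        child = UIObject(name, app, parent=self)
        self.children.append(child)
        return child


def is_outside_lock_app(obj: UIObject, foreground: UIObject) -> bool:
    """True if the lock app is foreground and obj is not inside its window."""
    if foreground.app != LOCK_APP:
        return False  # session is not locked, nothing to restrict
    node: Optional[UIObject] = obj
    while node is not None:
        if node is foreground:
            return False  # obj is the lock window or one of its descendants
        node = node.parent
    return True  # ancestors (the desktop) and other apps' windows land here


class Navigator:  # navigator whose setter refuses objects outside the lock app
    def __init__(self, start: UIObject, get_foreground: Callable[[], UIObject]):
        self.current, self._fg = start, get_foreground

    def set(self, obj: Optional[UIObject]) -> bool:
        if obj is None or is_outside_lock_app(obj, self._fg()):
            return False  # keep the previous object; announce nothing
        self.current = obj
        return True


def demo() -> list:
    # Constructed tree: the desktop holds the lock window and one user app.
    desktop = UIObject("Desktop", "explorer")
    lock = desktop.add("Lock screen", LOCK_APP)
    pin = lock.add("PIN", LOCK_APP)
    editor = desktop.add("Editor", "notepad")
    nav = Navigator(lock, lambda: lock)
    return [nav.set(pin), nav.set(desktop), nav.set(editor), nav.current.name]
```

Putting the check in the setter covers every route to a new navigator object, including ones that skip parent/next traversal such as moving to the object under the mouse.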
Reported by jteh on 2015-08-06 00:42
Unlike earlier versions of Windows, the Windows 10 lock screen no longer runs on the winlogon secure desktop. Instead, it runs on the default (normal) desktop, but you can't switch apps, bring other windows to the foreground, etc. Unfortunately, this doesn't stop users from exploring other apps with the review cursor, reading/manipulating the clipboard, messing with the user's NVDA configuration, etc. IMO, this is a pretty nasty security issue in Windows itself, but this is apparently what Microsoft have chosen to do.
We can't simply start a secure copy of NVDA, as that would involve restarting the user's normal copy (since this is on the default desktop), which would result in loss of state and potentially be a bit slow. Therefore, we're going to have to somehow disable relevant parts of NVDA.
I think this will basically consist of three parts: