Security issues on Windows 10 lock screen #5269

Closed
nvaccessAuto opened this issue Aug 6, 2015 · 4 comments

Reported by jteh on 2015-08-06 00:42
Unlike earlier versions of Windows, the Windows 10 lock screen no longer runs on the winlogon secure desktop. Instead, it runs on the default (normal) desktop, but you can't switch apps, bring other windows to the foreground, etc. Unfortunately, this doesn't stop users from exploring other apps with the review cursor, reading/manipulating the clipboard, messing with the user's NVDA configuration, etc. IMO, this is a pretty nasty security issue in Windows itself, but this is apparently what Microsoft have chosen to do.

We can't simply start a secure copy of NVDA, as that would involve restarting the user's normal copy (since this is on the default desktop), which would result in loss of state and potentially be a bit slow. Therefore, we're going to have to somehow disable relevant parts of NVDA.

I think this will basically consist of three parts:

  1. Preventing the user from object navigating out of the lock screen;
  2. Blocking all non-essential scripts;
  3. If we want to allow the synth settings ring commands, creating a temporary configuration which is thrown away when the lock screen goes away.

Comment 1 by James Teh <jamie@... on 2015-08-06 07:23
In [6795af8]:

On the Windows 10 lock screen, it is no longer possible to read the clipboard, access running applications with the review cursor, change NVDA configuration, etc.

Also, NVDA no longer says "LockAppHostFrameWindow" just before the lock screen appears.
Fixes #5269.

Changes:
State: closed

Comment 2 by jteh on 2015-08-06 07:24
In the end, I didn't bother allowing the user to change configuration at all. This makes things simpler and this has limited usefulness anyway, since some configuration can't be accessed without using the GUI anyway.

@nvaccessAuto nvaccessAuto added this to the 2015.3 milestone Nov 10, 2015
jcsteh added a commit that referenced this issue Nov 23, 2015
…lipboard, access running applications with the review cursor, change NVDA configuration, etc.

Also, NVDA no longer says "LockAppHostFrameWindow" just before the lock screen appears.
Fixes #5269.

Mohamed00 commented Feb 17, 2019

It seems like part of this fix is broken on Windows 10 1903. When I tested on this version of Windows, I was able to successfully leave the lock screen with the review cursor, though I couldn't view what was on the clipboard. Can anyone else test this?


jcsteh commented Feb 18, 2019

Ug. I can confirm with Windows 10 1809. I'm not sure what changed, but it seems you can now go next from the window. Perhaps this was always possible and I just missed this, but I doubt it.

Technical: event_NVDAObject_init in appModules/lockapp.py needs to disable next and previous. Currently, it only disables parent. Unfortunately, I can't deal with this myself right now; testing fixes on screens like this is pretty time consuming. CC @michaelDCurran.

seanbudd added a commit that referenced this issue Feb 11, 2022
Link to issue number:
None, follow up on #5269

Summary of the issue:
On earlier Windows 10 builds, the top-level Window (Role.WINDOW) of the lock screen cannot directly navigate to the system with object navigation, but its parent can. This was fixed in a commit addressing #5269.

On Windows 11 and newer Windows 10 builds, the top-level Window can directly navigate to the system with object navigation.

STR:

1. Press Windows+L
1. Press containing object (NVDA+numpad8/NVDA+shift+upArrow),
1. Then you can use next object (NVDA+numpad6/NVDA+shift+rightArrow) to navigate the system.
1. On Windows 10 and 11, using "Navigate to the object under the mouse" (NVDA+numpadMultiply/NVDA+shift+n), you can navigate outside to the system from the lock screen.

Microsoft is aware of this issue.

Description of how this pull request fixes the issue:
This PR adds a function which checks if the lockapp is the foreground window, and if so, if a given object is outside of the lockapp.
To prevent focus objects being set or used for navigation, this function is utilised in various api methods.

An overlay class is also added which prevents navigation and announcement of content outside of the lockapp.

This PR also adds `GlobalCommands.script_navigatorObject_devInfo` to the allowed commands on the lockscreen to aid with debugging.

This command should be safe as:
- The command only logs objects it can navigate to
- The log viewer cannot be accessed from the lockscreen

Testing strategy:
Manual testing on Windows 11, Windows 10 21H2, Windows 10 1809
- Attempt to navigate outside the top level window of the lock screen using object navigation using STR
- Ensure the lock screen can still be navigated with object navigation

An advisory is required to be sent out for earlier NVDA versions.
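The mechanism the commit message above describes (a check for whether an object lies outside the lock app while the lock app is the foreground window, plus an overlay class that refuses navigation out of it), together with the next/previous gap jcsteh points out earlier in the thread, modelled as an added stand-alone example. This is not NVDA's code: `Obj`, `Desktop`, `LockAppOverlay`, `isObjectOutsideLockApp`, the window handles and the sample tree are all constructed for the example, and membership in the lock app is approximated by a per-object window handle.

```python
# Constructed model of a lock-screen navigation guard; not NVDA code, all names assumed.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass(eq=False, repr=False)
class Obj:
    """Node of a simplified accessibility tree (constructed for this example)."""
    name: str
    windowHandle: int                      # top-level window the object belongs to
    parent: Optional[Obj] = None
    children: list = field(default_factory=list)

    def add(self, child):
        child.parent = self
        self.children.append(child)
        return child

    firstChild = property(lambda self: self.children[0] if self.children else None)

    def _sibling(self, offset):
        if self.parent is None:
            return None
        sibs = self.parent.children
        i = sibs.index(self) + offset
        return sibs[i] if 0 <= i < len(sibs) else None

    next = property(lambda self: self._sibling(1))
    previous = property(lambda self: self._sibling(-1))


@dataclass
class Desktop:
    """Stand-in for the window-manager state the check consults (constructed)."""
    foregroundWindow: int
    lockAppWindow: int
    objectUnderMouse: Optional[Obj] = None


def isObjectOutsideLockApp(obj, desktop):
    """True only when the lock app is the foreground window AND obj is not part of it.
    When the lock app is not in the foreground nothing is restricted."""
    if obj is None or desktop.foregroundWindow != desktop.lockAppWindow:
        return False
    return obj.windowHandle != desktop.lockAppWindow


class LockAppOverlay:
    """Wraps an object; any navigation step that would leave the lock app yields None.
    parent, next, previous, firstChild and object-under-mouse are all routed through
    one guard: guarding only parent (the older lockapp.py behaviour) leaves next/previous open."""

    def __init__(self, obj, desktop):
        self._obj, self._desktop = obj, desktop

    name = property(lambda self: self._obj.name)

    def _guard(self, target):
        if target is None or isObjectOutsideLockApp(target, self._desktop):
            return None
        return LockAppOverlay(target, self._desktop)

    parent = property(lambda self: self._guard(self._obj.parent))
    next = property(lambda self: self._guard(self._obj.next))
    previous = property(lambda self: self._guard(self._obj.previous))
    firstChild = property(lambda self: self._guard(self._obj.firstChild))

    def objectUnderMouse(self):
        return self._guard(self._desktop.objectUnderMouse)


def buildScenario():
    """Constructed tree: a desktop root holding Explorer, the lock app and Notepad."""
    root = Obj("Desktop", windowHandle=0)
    root.add(Obj("Explorer", windowHandle=100))
    lockapp = root.add(Obj("LockApp", windowHandle=200))
    lockapp.add(Obj("Clock", windowHandle=200))
    lockapp.add(Obj("Password field", windowHandle=200))
    notepad = root.add(Obj("Notepad", windowHandle=300))
    secret = notepad.add(Obj("Secret document text", windowHandle=300))
    # The lock app is in front; the mouse happens to sit over Notepad's text.
    return lockapp, Desktop(foregroundWindow=200, lockAppWindow=200, objectUnderMouse=secret)


def escapeRoutesBlocked():
    """Try each route out of the lock app's top-level window; True means blocked.
    The 'inside_*' entries confirm navigation within the lock app still works."""
    lockapp, desktop = buildScenario()
    top = LockAppOverlay(lockapp, desktop)
    return {
        "parent": top.parent is None,
        "next": top.next is None,
        "previous": top.previous is None,
        "mouse": top.objectUnderMouse() is None,
        "inside_firstChild": top.firstChild.name == "Clock",
        "inside_next": top.firstChild.next.name == "Password field",
    }


def unlockedNavigationUnrestricted():
    # After unlocking (Notepad in the foreground) the guard must not interfere.
    lockapp, desktop = buildScenario()
    desktop.foregroundWindow = 300
    return LockAppOverlay(lockapp, desktop).parent is not None
```

The design point is that every navigation primitive, including the mouse-based one the STR lists, goes through a single guard keyed on the foreground state, so a newly discovered route cannot be missed the way next/previous were when only parent was blocked. The unlocked case matters too: the guard must fall away as soon as the lock app is no longer in front, otherwise the fix would break ordinary use.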
seanbudd added a commit that referenced this issue Feb 18, 2022
seanbudd added a commit that referenced this issue Feb 21, 2022