Security Fix: Prevent privilege escalation on secure screens

[seanbudd]

Use this discussion for any technical questions surrounding the security fix for privilege escalation on secure screens. Please responsibly disclose potential security issues to [email protected].

NVDA 2021.3.2 introduces a fix that prevents privilege escalation from secure screens. When performing an administrative action that requires a secure screen, a user can open a command prompt with system privileges.

To enter a secure screen:

• Run an application as administrator, causing the User Access Control dialog to appear
• Enable NVDA to run during sign-in, then lock the desktop and continue to the password entry sign-in screen.

To reproduce using the addons manager dialog:

1. Enter a secure screen
2. Use an input gesture to open the addons manager dialog
3. Attempt to install an addon, which opens a file explorer browse dialog with system privileges
4. Open the context menu in a directory
5. Run command prompt with system privileges

To reproduce using context help:

1. Enter a secure screen
2. Press F1, to open context help in Internet explorer with system privileges
3. Press Control+O, to open a file explorer browse dialog with system privileges
4. Open the context menu in a directory
5. Run command prompt with system privileges

NVDA now disables context help and the addons manager dialog in secure screens. (#13059, #13353)

For further information, please contact NV Access via [email protected].

[seanbudd]

I'm going to hide this as off-topic.
As per What's new in NVDA

This release is identical to 2021.3.2. A bug existed in NVDA 2021.3.2 where it incorrectly identified itself as 2021.3.1. This release correctly identifies itself as 2021.3.3.

buildVersion.version_minor was incorrectly set to "1" in 2021.3.2.