Impact
It is possible to use NVDA's object navigation to read content on the desktop from the lock screen. This affects Windows 10 and 11.
However, this requires local access, so it is only a potential issue for locked computers in shared areas.
Object navigation can only occur from the lock screen, not the secure sign-in screen where your password is entered.
Patches
NVDA 2021.3.3 disallows object navigation from ever escaping the Windows lock screen.
Workarounds
You can prevent this issue when using older NVDA versions by disabling the lock screen. Disabling the Windows lock screen will cause locking the computer to go straight to the secure sign-in screen. To do this:
- Open the run dialog with Windows+R
- Enter and run: gpedit.msc (may require administrative access)
- In the “Local Group Policy Editor” window, navigate to Local Computer Policy, Computer Configuration, Administrative Templates, Control Panel, Personalization, Do Not Display the Lock Screen
- Enable "Do Not Display the Lock Screen"
- Confirm with Windows+L that the lock screen is skipped and Windows goes directly to the secure sign-in screen.
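
For machines where the workaround needs to be checked or applied without the Group Policy Editor, the following PowerShell script is an added example and is not part of the original advisory or the NVDA project. It assumes the "Do Not Display the Lock Screen" policy is stored as the `NoLockScreen` DWORD under the `Personalization` policy key; the `-Apply` switch and the function name are hypothetical.

```powershell
# Added example: audit (and optionally apply) "Do Not Display the Lock Screen".
# Assumption: the policy maps to the NoLockScreen DWORD under the key below.
param([switch]$Apply)   # hypothetical switch; changing the value needs elevation

$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
$name = 'NoLockScreen'

function Get-LockScreenPolicy {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured'.
    # A missing key or a missing value both count as 'NotConfigured'.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$name -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$state = Get-LockScreenPolicy
Write-Output "Do Not Display the Lock Screen: $state"

if ($state -ne 'Enabled' -and -not $Apply) {
    Write-Output 'Lock screen is still shown; older NVDA versions remain exposed on this machine.'
}

if ($Apply -and $state -ne 'Enabled') {
    # Refuse to continue without administrative rights instead of failing midway.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Run from an elevated PowerShell session to change the policy.'
    }

    # Create the policy key if it does not exist yet, then set the value.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

    Write-Output "Policy is now: $(Get-LockScreenPolicy)"
    Write-Output 'Confirm with Windows+L that Windows goes directly to the secure sign-in screen.'
}
```

A value written this way is not recorded in the local policy store, so the Group Policy Editor may still show the setting as not configured; the Windows+L check from the last step remains the confirmation that the workaround is in effect.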
References
For more information
If you have any questions or comments about this advisory: