Require UAC prompt to Install add-ons to installed NVDA copy: Install to Program Files, not AppData

[seanbudd]

Is your feature request related to a problem? Please describe.

Add-ons are currently installed to AppData, a user specific folder generally used for holding app configuration and data.
Add-ons are executable code, that runs at a system level.

Windows is designed to protect the system from installation of dangerous code through using the Write protected folders for Program Files.
Code that must run at a system level is generally installed to program files, and protected by UAC administrator approval for installation.

A commonly raised security concern is that NVDA users can install malicious add-ons, meaning that a malicious or naïve user can wreak havoc on their system.
Secure mode prevents the installation or modification of add-ons, however in many environments secure mode is overkill.
By installing add-ons to Program Files, and requiring admin approval for each install, we are following the common Windows patterns associated with installing potentially dangerous software.
By performing the UAC approval on a per add-on basis, users may better understand the risk involved, and approach with the same caution that they would when installing any software with a UAC prompt.

Describe the solution you'd like

Installing add-ons to program files would ensure that administrator approval is required for the installation of any add-on.
It would have the side affect of installing add-ons for all users of a machine, so different users of the same machine would have to disable/enable desired installed add-ons on their own profile.

Add-on authors would probably have to be conscious of the change, differentiating between the add-on installation folder, and the add-on individual user config folder.
As such, this is probably an API breaking change.

For portable copies, this won't be a significant change, as the config directory is stored within the portable copy and portable copies are can be inherently packaged with arbitrary insecure code.

Describe alternatives you've considered

The current warning system conveys appropriate risk, and administrators are able to prevent modification/installation of add-ons with secure mode.
As such, this change is not of a large material benefit.
This proposal just aims to align the process with a common UX for windows.

Additional context

Other extension libraries generally don't require a UAC prompt to install an add-on, but these extension systems generally aren't as risky as NVDA, and are safely sandboxed.

[josephsl]

Hi,

While I understand the security implications for moving add-on data to program files (with or without "x86" suffix), I think this is quite an overkill. More importantly, the proposed change does not align with portable NVDA where add-ons are used by users for various reasons, or when wishing to make a portable backup of NVDA installation which includes add-ons for currently logged on user. Also, add-on authors must declare that their add-ons are secure and are trustworthy, including not abusing admin privileges because just saying "yes" to UAC does not fully guarantee that Python/C code are secure (UAC communicates two things: the code about to be executed is trustworthy, and users really know what they are doing). In summary, relying on UAC and its messaging/experience may provide appearance of asking for trust, but it does not fully guarantee what the add-on does is what it claims to do (for that, I think source code audit of add-ons is more effective).

Thanks.

[seanbudd]

@josephsl

More importantly, the proposed change does not align with portable NVDA where add-ons are used by users for various reasons, or when wishing to make a portable backup of NVDA installation which includes add-ons for currently logged on user.

Maybe this title is misleading. The idea here is installing add-ons to the install directory, not the config directory. For portable copies, these are more or less the same (userConfig in the portable copy directory).

Also, add-on authors must declare that their add-ons are secure and are trustworthy, including not abusing admin privileges because just saying "yes" to UAC does not fully guarantee that Python/C code are secure (UAC communicates two things: the code about to be executed is trustworthy, and users really know what they are doing).

We don't have the capacity to meaningfully declare add-ons as secure or trustworthy. What we can do is ensure users understand these risks clearly and only users with permission to install software can take these risks.

I disagree here with your understanding of the purpose of UAC prompts. Users most often run into this prompt when installing software. For most users it is about trusting the source of the software and being willing to let it modify your system. I am not sure to what extent users trust the code itself just because it requires administrator approval to install it.
You perform the same UAC operation on installing unsafe packages, trust in the code itself is independent of the safety process around restricting installation. At the UAC installation prompt is where the admin/trusted user decides "I trust this software installation to let it modify my machine".

[Adriani90]

I agree with @seanbudd. This will definitely increase the trust in NVDA in corporate environments.
However, I think a separate manual or a help notice for system admins on the NV Access website would be really helpful.
This shelp notice should include all security related features, command line parameters, help on minimizing security risk from originating from NVDA etc.

[seanbudd]

@Adriani90 - we try to include all that information here: https://www.nvaccess.org/corporate-government/

[XLTechie]

@seanbudd

about trusting the source of the software and being willing to let it modify your system. I am not sure to what extent users trust the code itself just because it requires administrator approval to install it. You perform the same UAC operation on installing unsafe packages, trust in the code itself is independent of the safety process around restricting installation. At the UAC installation prompt is where the admin/trusted user decides "I trust this software installation to let it modify my machine".

But doesn't that make the problem worse, not better? Now, instead of installing a potentially unsafe add-on in a non-admin account, I must install it in an account with--or that can get--admin privs. Therefore an add-on that was only installed in one, potentially non-privileged account before, must now be installed for all accounts, system wide. I think this also means that we must remove the scratchpad feature. Else any add-on could be installed there, circumventing this supposedly more secure add-on paradigm. Lastly, doesn't this just contribute to "UAC autonomy"? I was just watching a video today, from a former high level Microsoft developer, complaining that apps and installers are requesting admin access for operations that don't, and shouldn't, require it, just because they don't know any better way. He pointed out that this is leading to users developing an automatic approval mentality for UAC requests, that is diluting their intended function. I predict this is going to lead to a thought process of "just agree, that's something they make you do for add-ons now", not the effect that you are expecting it to have.

[seanbudd]

Therefore an add-on that was only installed in one, potentially non-privileged
account before, must now be installed for all accounts, system wide.

Add-ons are inherently capable of performing privileged actions even from non-privileged accounts. There is a pending advisory related to this, but this is also documented in the user guide and corporate page. As such, this change doesn't really affect the range of risk, but more accurately reflects it.

I think this also means that we must remove the scratchpad feature. Else any
add-on could be installed there, circumventing this supposedly more secure
add-on paradigm.

This could also be moved to program files? I guess the other concern is the python console also has the same risks as scratchpad and add-ons, and that is included by default.
I think the python console should probably be disabled by default on release builds and enabled via a registry key parameter .
Being able to disable the python console individually via the registry, or even have it off by default is something often requested by corporate environments.

I disagree with the UAC autonomy note, as I believe this is a clear example of when UAC should be used, i.e. when installing code that can run at system level.

[Adriani90]

@XLTechie

Therefore an add-on that was only installed in one, potentially non-privileged
account before, must now be installed for all accounts, system wide.

Are you completely sure? I am on a corporate environment with quite strict security policies, I cannot update or install anything and every UAC promt requires admin priviledges to be accepted.
Still I can install addons without any restriction.

@seanbudd
I am not sure if I miss something, but I think we should mention in the documentation on the corporate environment page that admins will have to allow the configuration of addons if they allow their installation.
It would be very annoying if we are allowed to install addons in a compnay but the configuration is not saved.
Maybe it is possible to split the install path for addons but maintain their configuration in the appdata.
Also can we actually pretend that addons from the addon store are secure? Is there any security check happening on the addon submission repository?

[LeonarddeR]

@seanbudd I think there are some statements in your proposal that are not true, at least not necessarily.

Add-ons are executable code, that runs at a system level.

If I'm running NVDA as a standard Windows user (not administrator), apart from UI Access, the add-on has no more permissions than every other application running either portable or installed on a per user basis (see below).

By installing add-ons to Program Files, and requiring admin approval for each install, we are following the common Windows patterns associated with installing potentially dangerous software.

I think this is also incorrect. With the Windows Store, Microsoft is following a pattern in which applications are installed on a user basis (see %localappdata%\Microsoft\WindowsApps).

In my opinion, NVDA has no duty to avoid running malicious code, that's up to the system. Instead, it should avoid installing it. The patterns that Microsoft follows are also much more meaningful in that case. I can think of:

• Installing third party add-ons (outside the store) should be something that can be disabled without explicitly enabling secure mode. it makes sense to make that the default and explicitly opt-in.
• Introduce a security mechanism where add-on packages or manifests must be signed, though that's probably a bit overkill.

[seanbudd]

@Adriani90

I am not sure if I miss something, but I think we should mention in the documentation on the corporate environment page that admins will have to allow the configuration of addons if they allow their installation.
It would be very annoying if we are allowed to install addons in a compnay but the configuration is not saved.
Maybe it is possible to split the install path for addons but maintain their configuration in the appdata.

As mentioned in the proposal, add-ons would continue to have a separate configuration folder with NVDA config, e.g. in AppData.

Also can we actually pretend that addons from the addon store are secure? Is there any security check happening on the addon submission repository?

No - this is not in any way a change how add-ons are perceived security wise. As mentioned all over NVDA, add-ons are not secure or tested and you must trust the author if you wish to install one. The idea here is to highlight that you are essentially installing a new independent and unverified program every time you install an add-on.

[seanbudd]

@LeonarddeR

If I'm running NVDA as a standard Windows user (not administrator), apart from UI Access, the add-on has no more permissions than every other application running either portable or installed on a per user basis (see below).

As mentioned earlier, add-ons can run at whatever level NVDA is running, including as administrator. i.e. when performing an update or running the com reg fixing tool add-ons can hijack UAC elevated privileges.
This is documented in the user guide and corporate page:

NVDA allows the installation of custom add-ons, which can execute arbitrary code, including when NVDA is elevated to administrator privileges.

https://www.nvaccess.org/files/nvda/releases/2024.1beta10/documentation/userGuide.html#SecureMode

[seanbudd]

Installing third party add-ons (outside the store) should be something that can be disabled without explicitly enabling secure mode. it makes sense to make that the default and explicitly opt-in.

This would be a false sense of security. There is no security difference between add-ons from outside of the add-on store and add-on store add-ons.

Introduce a security mechanism where add-on packages or manifests must be signed, though that's probably a bit overkill.

I think implementation of this and adoption of this from add-on authors would be more challenging, but this is certainly an alternative proposal.

[seanbudd]

With the Windows Store, Microsoft is following a pattern in which applications are installed on a user basis (see %localappdata%\Microsoft\WindowsApps).

I think a difference with this case is these applications are not being run from Program Files, I think the explicit issue is we take code from AppData and execute it from Program Files.