Overview
We have identified a vulnerability in the Microsoft Windows sign in screen when using a third-party (3P) Input Method Editor (IME) to sign in. This vulnerability could potentially compromise the security of your device during the sign in process. Windows security updates released on or after October 8, 2024 help protect you by preventing a third-party (3P) IME from being used when you sign in to your device. For more information about the vulnerability when using a third-party IME, see CVE-2024-43583.
Recommended actions
To address this vulnerability, ensure that a Microsoft first-party (1P) IME is enabled on your device.
For example, before the Windows security update released on October 8, 2024 is installed, this screenshot of the sign in screen shows that a first-party (1P) English IME and two Simplified Chinese first-party (1P) IMEs are installed and all are available for use. If a third-party (3P) IME were also installed, it would be available for use and you might experience the vulnerability when you use it to sign in.
After the Windows security update released on or after October 8, 2024 is installed, this screenshot of the sign in screen shows the same first-party (1P) IMEs installed and available for use. Additionally, two Simplified Chinese third-party (3P) IMEs are installed but are not available for use. The Windows security update released on or after October 8, 2024 makes the third-party (3P) IMEs unavailable on the sign in screen and prevents the vulnerability when you sign in.
IMPORTANT: Please note that this change only affects the sign in process. You can continue to use a third-party (3P) IME for other purposes without any impact. This measure is solely to enhance security during the sign in process.
How to enable a first-party (1P) IME
If you have removed the Microsoft first-party (1P) IME or have not installed a Microsoft first-party (1P) IME, follow these steps:
- Open Settings on your device.
- Click Time & language.
- Under Time & language, click Language & region.
- Under Preferred languages, click Add a language.
- In the Choose a language to install dialog box, select the language you need and then click Next.
- In the Install language features dialog box, select your language preferences, and then click Install.
How to install a first-party (1P) IME keyboard
If you have a first-party (1P) IME installed but have removed the associated keyboard, follow these steps to install the keyboard:
- Open Settings on your device.
- Click Time & language.
- Under Time & language, click Language & region.
- Under Preferred languages, click the … (More Options) button for the language you need to reinstall the keyboard.
- Click Language options from the popup menu.
- Under Keyboards, click Add a keyboard.
- Select a first-party (1P) keyboard from the popup menu.
Ensure that the Microsoft first-party (1P) IME is an input method option at the sign in screen. Keyboard options are displayed in the lower-right corner of the lock screen.
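To audit the result of the steps above from a script, the following added PowerShell example (not Microsoft's code and not part of the original article) lists the current user's input methods and flags text services whose implementing DLL is not attributed to Microsoft. The function name Get-InputMethodOrigin and the CompanyName comparison are assumptions of this example; the check is a heuristic, covers only the signed-in user's language list, and does not replace looking at the sign in screen itself.

```powershell
# Added example (not Microsoft's code): classify the current user's input methods.
# Assumption: a text service whose COM DLL reports CompanyName "Microsoft Corporation"
# is treated as likely first-party. This is a heuristic, not a signature check.

function Get-InputMethodOrigin {
    param([Parameter(Mandatory)][string]$Tip)

    $result = [ordered]@{ Tip = $Tip; Kind = 'Unknown'; Module = $null; Company = $null; LikelyFirstParty = $null }

    if ($Tip -match '^[0-9A-Fa-f]{4}:[0-9A-Fa-f]{8}$') {
        # LANGID:KLID form is a plain keyboard layout, not a text service; not evaluated here.
        $result.Kind = 'KeyboardLayout'
    }
    elseif ($Tip -match '^[0-9A-Fa-f]{4}:(\{[0-9A-Fa-f-]{36}\})\{[0-9A-Fa-f-]{36}\}$') {
        # LANGID:{CLSID}{profile GUID} form is a text service (IME).
        $result.Kind = 'TextService'
        $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$($Matches[1])\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            # The default value of InprocServer32 is the DLL that implements the IME.
            $module = (Get-Item -LiteralPath $key).GetValue('')
            if ($module -and (Test-Path -LiteralPath $module)) {
                $result.Module  = $module
                $result.Company = (Get-Item -LiteralPath $module).VersionInfo.CompanyName
                $result.LikelyFirstParty = ($result.Company -eq 'Microsoft Corporation')
            }
        }
    }
    [pscustomobject]$result
}

$report = foreach ($lang in Get-WinUserLanguageList) {
    foreach ($tip in $lang.InputMethodTips) {
        Get-InputMethodOrigin -Tip $tip |
            Add-Member -NotePropertyName Language -NotePropertyValue $lang.LanguageTag -PassThru
    }
}
$report | Format-Table Language, Kind, LikelyFirstParty, Company, Tip -AutoSize

# Text services that could not be attributed to Microsoft need manual review.
$review = @($report | Where-Object { $_.Kind -eq 'TextService' -and $_.LikelyFirstParty -ne $true })
if ($review.Count -gt 0) {
    Write-Warning "$($review.Count) input method(s) not attributed to Microsoft; confirm a 1P IME is offered on the sign in screen."
}
```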
Conclusion
By following these recommendations and adding a Microsoft first-party (1P) IME to the sign in screen, you can help protect your device from potential vulnerabilities associated with a third-party (3P) IME during the sign in process. Ensuring that a Microsoft first-party (1P) IME is enabled will provide a more secure environment for your device. For further assistance or questions, please contact Microsoft Support.
References
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. We make no warranty, implied or otherwise, about the performance or reliability of these products.
We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.