This morning, while updating JAWS for Windows to version 2026.2512.50 (Script Revision: 0), I took a close look at the Copyright Acknowledgement in the “About” section of the application. I used Microsoft 365 Copilot to help me do this.
What I’ve Discovered? There’s quite a list of third-party software components listed as being included in the product. Many of the items mentioned in the Acknowledgements are labeled as “unmodified,” which signals to me that they were integrated as-is, without updates or patches. If the credited version is old, that likely means that the code they’ve been using in JAWS with each new upgrade is just as old, “Right?”
Why This Matters? Outdated components often have known vulnerabilities. Attackers can exploit these if the software hasn’t been patched. Libraries like XML parsers, image processors, and compression tools have historically been targets for remote code execution and denial-of-service attacks.
Does JAWS Run with High Privileges? JAWS doesn’t always run with high privileges, but it does hook deeply into Windows accessibility APIs and sometimes injects into other processes to read UI elements. Installation requires administrative rights, and some advanced features may require higher elevation in order to function correctly. If you run JAWS as Administrator or if its services run with SYSTEM-level privileges, any exploit could have a bigger impact. To reduce risk, run JAWS as a standard user when possible and only elevate when necessary.
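To see what actually runs elevated on a given machine, the check below lists the account behind each service and process whose binary lives under the JAWS install folder. It is an added example, not part of the original post and not Vispero's code; the `$InstallDir` value is a placeholder to replace, and services installed outside that folder will not be matched.

```powershell
# Added example: which account do JAWS-related services and processes run as?
# $InstallDir is a placeholder; point it at the real JAWS install folder.
param([string]$InstallDir = 'C:\Path\To\JAWS-Install-Folder')

function Get-VendorServiceAccounts {
    param([string]$Dir)
    # PathName can be quoted and carry arguments, so match on a substring.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName.ToLower().Contains($Dir.ToLower()) } |
        Select-Object Name, State, StartMode, StartName, PathName
}

function Get-VendorProcessOwners {
    param([string]$Dir)
    # ExecutablePath is empty for processes a standard user may not query.
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -and
            $_.ExecutablePath.StartsWith($Dir, [StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            [pscustomobject]@{
                Name      = $_.Name
                ProcessId = $_.ProcessId
                Owner     = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" }
                            else { 'unknown (access denied)' }
                Path      = $_.ExecutablePath
            }
        }
}

$services  = @(Get-VendorServiceAccounts -Dir $InstallDir)
$processes = @(Get-VendorProcessOwners  -Dir $InstallDir)

$services  | Format-Table Name, State, StartMode, StartName -AutoSize
$processes | Format-Table Name, ProcessId, Owner -AutoSize

# Services running as LocalSystem are where a parser bug would have the widest impact.
$asSystem = $services | Where-Object { $_.StartName -eq 'LocalSystem' }
"{0} service(s) under {1} run as LocalSystem" -f @($asSystem).Count, $InstallDir
```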
How Vulnerable Does This Make My System? JAWS has significant system access, so any exploit could escalate quickly if elevated. Windows 11 security features like ASLR, DEP, and Defender help, but they don’t eliminate vulnerabilities in old code. If JAWS interacts with web content, PDFs, or remote services, the risk increases because attackers can craft malicious input targeting outdated libraries.
Percentage of Risk? After reviewing the list, it would seem that about 30–35% of the unmodified software components present a potential security risk, mainly due to age and known vulnerabilities.
Which Components Are Most Concerning? Some of the riskiest components include LibTIFF (last updated in the 1990s), HTML Tidy (early 2000s), Xerces-C and XQilla (XML parsers from the early 2000s), and VNC Free Edition (2002–2004). These have a history of serious vulnerabilities like buffer overflows and XML External Entity attacks. Others, like ICU, zlib, LLVM, and json_spirit, are also outdated and could be exploited through crafted input. Lower-risk components include MathJax, SQLite3pp, and Bitstream Vera, which are old but less likely to be attack vectors.
What Can You Do? Aside from the obvious regarding keeping Windows 11 fully updated, try running JAWS using a Windows Standard Account whenever possible.
Contact Vispero about possibly enabling exploit protection for JAWS.exe in Windows Security. Attempting to do this on your own may result in more headaches than it’s worth and technicians should know how best to do this, “If it’s even possible.”
Monitor Vispero advisories for patches or mitigations where security and general performance-related updates are concerned. However, I’m not even sure that Vispero takes security into consideration. During my 26 years as a JAWS subscriber and user, I don’t ever recall there being a “Security” update for the screen reader. But they may want to rethink things now that JAWS 2026 requires an actual account be set up as one would for a service like Microsoft 365. Combined with the fact that I understand the registration is hosted on Amazon Web Services and JAWS for Windows is being used on Government computers, I think it’s time that Vispero become a bit more mindful about security and update their old code.
Important Note: This analysis is based on the credits and the assumption that “unmodified” means no internal updates were applied. If you rely on JAWS for critical tasks, you should research this information yourself or contact Vispero/Freedom Scientific directly to confirm which versions are in use and whether security patches have been applied. I doubt it but, “I could be wrong about that.”
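One way to gather first-hand evidence before contacting the vendor is to inventory the binaries that are actually installed and read their embedded version resources. The script below is an added example, not part of the original post and not a Vispero tool; `$InstallDir` is a placeholder, and the name patterns are assumptions derived from the component names listed above. Libraries that are statically linked into a larger executable will not show up as separate files, and the file timestamp may reflect the installer rather than the build.

```powershell
# Added example: list installed binaries whose names or version resources
# suggest one of the third-party components named in the credits.
# $InstallDir is a placeholder; point it at the real JAWS install folder.
param([string]$InstallDir = 'C:\Path\To\JAWS-Install-Folder')

# Assumed name fragments, taken from the components mentioned in the post.
$fragments = 'tiff','tidy','xerces','xqilla','vnc','icu','zlib','llvm','json','sqlite'
$pattern   = ($fragments | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Get-ComponentInventory {
    param([string]$Dir, [string]$NamePattern)
    Get-ChildItem -Path $Dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.dll', '.exe' } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Match on file name, product name or description; any may be blank.
            $haystack = @($_.Name, $vi.ProductName, $vi.FileDescription) -join ' '
            [pscustomobject]@{
                File        = $_.Name
                FileVersion = $vi.FileVersion
                Product     = $vi.ProductName
                Company     = $vi.CompanyName
                LastWrite   = $_.LastWriteTime.ToString('yyyy-MM-dd')
                Signature   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                Candidate   = ($haystack -match $NamePattern)
                Path        = $_.FullName
            }
        }
}

$inventory = @(Get-ComponentInventory -Dir $InstallDir -NamePattern $pattern)

# Candidates first, oldest first, so the entries worth asking the vendor about lead.
$inventory |
    Sort-Object @{ Expression = 'Candidate'; Descending = $true }, LastWrite |
    Format-Table File, FileVersion, Company, LastWrite, Signature, Candidate -AutoSize

"{0} of {1} binaries match a listed component name" -f `
    @($inventory | Where-Object Candidate).Count, $inventory.Count
```

The version strings it reports can be compared against each upstream project's release history, which is firmer ground than the dates in a credits screen.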
Personally, I’m thinking that given Vispero’s clearly Woke attitude towards the blind community, as evidenced to me courtesy of a publicized letter they recently sent to the NFB, maybe it’s time to let my dependence on JAWS for Windows simply die out. Narrator is coming along nicely and if Microsoft can get Eloquence working with Narrator, or at least something comparable, I wouldn’t mind telling Vispero to jam it, which might happen anyway with the way things are going regarding pricing. It doesn’t take a marketing genius to figure out that “Charging exorbitant amounts of money for features that function questionably at best is bad for business.”
Wanting to use AI in JAWS is great. But they’ve been raping the blind community regarding the cost of this software for years as it is. I’m personally not going to pay a truck load of money to use AI in a specific application when I already have it as a part of my Microsoft 365 account and know the pitfalls of its functionality. I will not pay the already high cost for JAWS upgrades when I now strongly suspect that I’ve been paying for something that’s being created with questionable coding practices. “Maybe it’s time the Federal Trade Commission got involved?”
As it is, I found a Ted Henter interview on FS Podcast 256 to be rather disturbing. Some of the things he talked about doing to get JAWS for Windows going and positioned in the market as it is today struck me as being nothing short of disrespectful to customers and fraudulent at best. I shook my head after listening to him talk and wondered if maybe he just thought we were all stupid. “Hell will freeze over before I take business advice from someone like that!”
Freedom Scientific, Vispero, or whatever they want to call themselves these days probably won’t learn though until people start walking away from the company en masse. After all, there are other alternatives to their crap these days. But… “We shall see.”