Microsoft Issues Optional Windows Update to Fix MouseJack Vulnerability

Exterminator

Along with its regular monthly security updates, Microsoft also released some optional updates, among which is one for a superstar vulnerability discovered this past February called MouseJack.

According to our previous article on MouseJack, security firm Bastille found flaws in the protocol used by wireless mice and keyboards to communicate with their USB dongles, usually plugged into a user's laptop.

Researchers found out that they could spoof data from the wireless devices, tricking the USB dongle into sending fake instructions to the connected PC, with commands to execute or take malicious actions.

MouseJack attack works from 100 meters away
The MouseJack attack worked from a distance of up to 30 feet (100 meters) away from PCs using wireless mice and keyboards manufactured by companies such as AmazonBasics, Dell, Gigabyte, HP, Lenovo, Logitech, and Microsoft.

While some manufacturers took steps to address these issues, some companies weren't ready to put out new firmware just yet. After being notified by Bastille researchers a few weeks back, Microsoft took the first steps in addressing this issue by providing an optional update for all Windows users using MouseJack-affected devices.
The optional KB3152550 update provides a temporary, software-based fix for MouseJack attacks. The update targets computers running Windows 7, 8.1, and 10, but not any Windows Server versions.

Microsoft says in its advisory that this update will prevent MouseJack attacks on the following devices: Sculpt Ergonomic Mouse, Sculpt Mobile Mouse, Wireless Mobile Mouse 3000 v2.0, Wireless Mobile Mouse 3500, Wireless Mobile Mouse 4000, Wireless Mouse 1000, Wireless Mouse 2000, Wireless Mouse 5000, and Arc Touch Mouse.

The company also says that the update will prevent attacks only on standalone wireless mouse devices, but not those belonging to Microsoft desktop kits.

MouseJack researcher says the fix is incomplete
While the MouseJack attack is considered severe by most security experts, the security update was provided as optional since not all users are affected by this attack vector, and there's no reason for all users to install it.

Below are tweets from Marc Newlin, security researcher at Bastille, who says Microsoft's patch is incomplete. The researcher says that MouseJack attacks still work on Microsoft Sculpt Ergonomic Mouse models.

The researcher also shows his dissatisfaction with the fact that Microsoft didn't use its control over Windows to enforce a universal patch for non-Microsoft devices.

Windows users are still vulnerable to #MouseJack attacks via @microsoft mice after the 3152550 patch. Where's the old MSRC??
— Marc Newlin (@marcnewlin) April 13, 2016

3152550 doesn't fix Microsoft mice from mouse/keyboard sets, and no Windows Server support. 3rd party mice tested today are still vulnerable
— Marc Newlin (@marcnewlin) April 12, 2016

MS security advisory 3152550 (#MouseJack patch) released today. Injection still works against MS Sculpt Ergonomic Mouse and non-MS mice.
— Marc Newlin (@marcnewlin) April 12, 2016
 
