Genux
Thread author
Tavis Ormandy of Google's Project Zero discovered a serious authentication vulnerability in Logitech's Options application, but the peripheral device maker has yet to address the flaw.
The Logitech Options app, which configures the company's mice and keyboards in Windows, relies on an ineffective authentication mechanism that enables malicious webpages to execute code on a victim's machine.
Tavis Ormandy, vulnerability researcher with Google's Project Zero, found the flaw in the Logitech Options app when he tried to rebind a button on his Logitech mouse. He published details about the critical vulnerability when Logitech took more than 90 days to address the issue.
Ormandy contacted Logitech and met with Logitech engineers in September.
"They assured me they understood the issues and were planning to add origin checks and type checking," Ormandy wrote on the Project Zero bug tracker.
However, it seems the Logitech developers didn't resolve the issue: Ormandy tested the latest version, released on Oct. 1, and none of the issues he had reported were fixed.