Update only addresses its own wireless devices.

Along with its regular monthly security updates, Microsoft also released some optional updates, among which is one for a superstar vulnerability discovered this past February called MouseJack.
According to our previous article on MouseJack, security firm Bastille found flaws in the protocol used by wireless mice and keyboards to communicate with their USB dongles, usually plugged into a user’s laptop.
Researchers found that they could spoof data from the wireless devices and trick the USB dongle into passing fake keystrokes and instructions to the connected PC, including commands to execute or other malicious actions.
MouseJack attack works from 30 meters away
The MouseJack attack worked from a distance of up to 100 feet (30 meters) away from a PC using wireless mice and keyboards manufactured by companies such as AmazonBasics, Dell, Gigabyte, HP, Lenovo, Logitech, and Microsoft.
While some manufacturers took steps to address these issues, some companies weren’t ready to put out new firmware just yet. After being notified by Bastille researchers a few weeks back, Microsoft took the first steps in addressing this issue by providing an optional update for all Windows users using MouseJack-affected devices.
The optional KB3152550 update provides a temporary, software-based fix for MouseJack attacks. The update targets computers running Windows 7, 8.1, and 10, but not any Windows Server versions.
Microsoft says in its advisory that this update will prevent MouseJack attacks on the following devices: Sculpt Ergonomic Mouse, Sculpt Mobile Mouse, Wireless Mobile Mouse 3000 v2.0, Wireless Mobile Mouse 3500, Wireless Mobile Mouse 4000, Wireless Mouse 1000, Wireless Mouse 2000, Wireless Mouse 5000, and Arc Touch Mouse.
The company also says that the update will prevent attacks only on standalone wireless mouse devices, but not those belonging to Microsoft desktop kits.
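For administrators who want to verify the scope described above on a given machine, the following PowerShell script is an added example (it is not from the article, from Bastille or from Microsoft). It reports whether the host is a Windows client (the update targets Windows 7, 8.1 and 10, not Server), whether KB3152550 is present, and lists attached HID devices so the operator can compare them by hand against the nine standalone mice the advisory covers. The device list, the HIDClass GUID filter, and the function names are this example's own assumptions; it does not detect whether a particular mouse is vulnerable.

```powershell
# Added example, not part of the original article or Microsoft's advisory.

# Standalone Microsoft mice the article says KB3152550 covers.
# Desktop-kit mice and other vendors' devices are NOT covered by the update.
$CoveredMice = @(
    'Sculpt Ergonomic Mouse',
    'Sculpt Mobile Mouse',
    'Wireless Mobile Mouse 3000 v2.0',
    'Wireless Mobile Mouse 3500',
    'Wireless Mobile Mouse 4000',
    'Wireless Mouse 1000',
    'Wireless Mouse 2000',
    'Wireless Mouse 5000',
    'Arc Touch Mouse'
)

function Get-MouseJackPatchStatus {
    <#
    .SYNOPSIS
      Reports whether this host is in scope for KB3152550 and whether it is installed.
    #>
    [CmdletBinding()]
    param(
        # KB number taken from the article; change only if Microsoft reissues the update.
        [string]$KbId = 'KB3152550'
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    # The optional update is offered to client SKUs only, so servers are out of scope.
    $isClient = ($os.ProductType -eq 1)

    # Get-HotFix reads the installed-updates database; absent entry => not installed.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OSCaption       = $os.Caption
        InScope         = $isClient
        UpdateInstalled = [bool]$hotfix
        InstalledOn     = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        Note            = if (-not $isClient) { 'Windows Server: update not applicable' }
                          elseif ($hotfix)    { 'Covers standalone Microsoft mice only' }
                          else                { 'Update missing; install via Windows Update (optional)' }
    }
}

function Get-AttachedHidDevices {
    <#
    .SYNOPSIS
      Lists present HID-class devices (mice, keyboards, receivers) for manual review.
    #>
    # Assumption: {745a17a0-74d3-11d0-b6fe-00a0c90f57da} is the HIDClass setup class GUID.
    $hidClassGuid = '{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}'
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.ClassGuid -eq $hidClassGuid -and $_.Present } |
        ForEach-Object {
            # Flag names that match one of the covered models so the operator
            # can see at a glance which attached mice the update is meant to protect.
            $covered = $false
            foreach ($m in $CoveredMice) {
                if ($_.Name -like "*$m*") { $covered = $true; break }
            }
            [pscustomobject]@{
                Name         = $_.Name
                Manufacturer = $_.Manufacturer
                DeviceID     = $_.DeviceID
                ListedInKB   = $covered
            }
        }
}

# Usage: run from an elevated PowerShell prompt on the workstation being checked.
Get-MouseJackPatchStatus | Format-List
Get-AttachedHidDevices   | Format-Table -AutoSize
```

The name match in Get-AttachedHidDevices is deliberately loose: a wireless mouse usually enumerates through its USB receiver, whose friendly name may not carry the retail model name, so an empty ListedInKB column means "not identified", not "not covered". Treat the output as an inventory aid for deciding which machines still need a firmware fix from the device vendor.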
MouseJack researcher says the fix is incomplete
While the MouseJack attack is considered severe by most security experts, the security update was provided as optional since not all users are affected by this attack vector, and there’s no reason for all users to install it.
Below are tweets from Marc Newlin, security researcher at Bastille, who says Microsoft’s patch is incomplete. The researcher says that MouseJack attacks still work on Microsoft Sculpt Ergonomic Mouse models.
The researcher also shows his dissatisfaction with the fact that Microsoft didn’t use its control over Windows to enforce a universal patch for non-Microsoft devices.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.