Microsoft released several security updates this month as part of its regular Patch Tuesday update, including the overhyped Badlock flaw. One patch that went largely unnoticed, however, was an optional update meant to resolve Mousejack, a security bug that could allow an attacker to hijack the users’ wireless mice to execute malicious commands on the affected computer.
The issue was disclosed in February by researchers at IoT security company Bastille, who revealed that a $15 USB dongle can be used to run arbitrary commands into a victim’s computer from up to 100 meters (328 feet) away. Having the dongle connected to his/her laptop, an attacker can download malware, steal files, and perform other activities that require access to the computer’s keyboard.
At the time, researchers said that the vulnerability affects wireless mice and keyboards from Dell, Logitech, Microsoft, HP, Amazon, Gigabyte, and Lenovo, but that devices from other vendors could also be affected. The flaw affects USB dongles shipped with wireless keyboards and mice and can be exploited to attack any PC, Mac or Linux computer.
As part of its latest Tuesday patches, Microsoft released an optional update to improve input filtering for certain Microsoft wireless mouse devices. As the company explains in the update’s security advisory, the patch resolves a vulnerability where keyboard HID packets can be injected into Microsoft wireless mouse devices through USB dongles.
To block this type of attack, the company has released a filter driver as part of the optional update, so that input from affected Microsoft wireless mice is monitored, ensuring that no QWERTY key frames that normally indicate keyboard traffic go through.
According to Microsoft, affected devices include Sculpt Ergonomic mouse, Sculpt Mobile Mouse, Wireless Mobile Mouse 3000 v2.0, Wireless Mobile Mouse 3500, Wireless Mobile Mouse 4000, Wireless Mouse 1000, Wireless Mouse 2000, Wireless Mouse 5000, and Arc Touch Mouse. The update was released for Windows 7, Windows 8.1 and Windows 10 machines, the company also said.
The update was not released for Windows Server devices and does not resolve the issue in non-Microsoft wireless mice and keyboards, Marc Newlin, one of the researchers who discovered the flaw in the first place, says. The Microsoft Sculpt Ergonomic Mouse is still vulnerable to the attack, Newlin said.
MS security advisory 3152550 (#MouseJack patch) released today. Injection still works against MS Sculpt Ergonomic Mouse and non-MS mice.
— Marc Newlin (@marcnewlin) April 12, 2016
Owners of Microsoft wireless mice are advised to install the optional update, to minimize attack surface. The update can be applied either automatically, through Windows Update, or manually, by opening Windows Update from the Control Panel, checking for updates and finding and installing this specific patch from the list of optional updates.