Alongside its batch of mandatory security patches released Tuesday, Microsoft also issued an optional update aimed at protecting Windows computers against an attack that could hijack wireless mice to execute malicious commands.
The attack, dubbed MouseJack, affects wireless mice and keyboards from many manufacturers, including Microsoft. It was discovered and presented earlier this year by security researchers from IoT security firm Bastille Networks.
MouseJack exploits several vulnerabilities in the communications protocols between the USB dongles plugged into computers and the wireless mice and keyboards that are paired with them. These flaws allow attackers to spoof a wireless mouse from up to 100 meters away and send rogue keystrokes instead of clicks to a computer.
The new KB3152550 update blocks this type of attack through a driver that filters input from affected Microsoft wireless mice to make sure that there are no QWERTY key frames that normally indicate keyboard traffic.
The update is available for Windows 7, 8.1 and 10, but not Windows Server. It only protects standalone wireless mice and not those that are bundled together with a keyboard as part of Microsoft’s desktop set products.
According to a Microsoft security advisory, the devices affected by this attack are: Sculpt Ergonomic mouse, Sculpt Mobile Mouse, Wireless Mobile Mouse 3000 v2.0, Wireless Mobile Mouse 3500, Wireless Mobile Mouse 4000, Wireless Mouse 1000, Wireless Mouse 2000, Wireless Mouse 5000 and Arc Touch Mouse.
Marc Newlin, one of the Bastille security researchers who developed the MouseJack attack, criticized the limits of Microsoft’s patch on Twitter.
“Windows users are still vulnerable to #MouseJack attacks via @microsoft mice after the 3152550 patch,” he said. “Injection still works against MS Sculpt Ergonomic Mouse and non-MS mice.”
Either way, Microsoft mouse owners are better off installing the update. If Windows automatic updates are enabled, the patch will be downloaded and installed automatically. Users who have their OS configured for manual updates can install the fix by following instructions provided by Microsoft in a knowledge base article.