Amongst the patches released yesterday for patch Tuesday there was an optional updated which deals with a very specific flaw in wireless mice. As Lucian Constantin writes for IDG News Service (via CIO.com), the exploit was revealed earlier this year by IoT security firm Bastille Networks.
Dubbed MouseJack, they found vulnerabilities in the protocols wireless mice and keyboards use to speak with their little USB dongle receivers. This vulnerability allows an attacker transmit rogue keystrokes from up to 100 meters away by pretending to be a wireless mouse. MouseJack effects wireless mice and keyboards from multiple manufacturers, including Microsoft.
To counter MouseJack, Microsoft released the optional security update KB3152550. This update introduces a filter which makes sure any rogue keystrokes do not sneak into the system disguised as wireless mouse clicks. KB3152550 is available for Windows 7, 8.1, and 10.
In their security advisory, Microsoft details that the following Microsoft wireless mice are affected.
- Sculpt Ergonomic mouse
- Wireless Mobile Mouse 3000 v2.0
- Wireless Mobile Mouse 3500
- Wireless Mobile Mouse 4000
- Wireless Mouse 1000
- Wireless Mouse 2000
- Wireless Mouse 5000
- Arc Touch Mouse
In a twist since the update was released, one of the original security researchers who discovered the MouseJack vulnerability tweeted that KB3152550 fails to completely resolve the issue.
— Marc Newlin (@marcnewlin) April 13, 2016
If you use a wireless mouse and want to install the update you can learn more about how to perform a manual installation on Microsoft security advisory page for KB3152550.