Security flaw in Logitech app allowed for keystroke injection attacks
After ignoring a bug report from Google's Project Zero security team, Logitech has finally released a security patch for one of its apps, three months after the report.
The vulnerability was discovered in the company's Options app, which allows users to customise the functionality and behaviour of the buttons on their mice, keyboards and trackpads.
Google security researcher Tavis Ormandy first discovered that the app was opening a WebSocket server on users' machines back in September.
The server in question featured support for a number of intrusive commands and used a registry key to auto-start on each system boot.
Keystroke injection attacks
Ormandy offered further details on how the bug he discovered in Logitech's software could be used to take control of a user's system in a bug report, saying:
"The only 'authentication' is that you have to provide a PID [process ID] of a process owned by your user but you get unlimited guesses so you can bruteforce it in microseconds. After that, you can send commands and options, configure the 'crown' to send arbitrary keystrokes, etc, etc."
Ormandy informed Logitech about the issue in September, and while the team acknowledged the bug report, it never released a patch to rectify the issue.
If a company has not issued a patch for a security issue after 90 days, Project Zero's policy is to publicly disclose the vulnerability, which Ormandy did this week.
The bug report gained attention amongst security researchers on Twitter and Logitech has since released a new version of Options to address the issue.
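The weakness Ormandy describes is a low-entropy secret checked with no limit on attempts. The sketch below is an added example, not Logitech's code or anything from the bug report: it contrasts that pattern with a random per-session token and a failure cap. The class names, the sample PIDs and the 0 to 65535 candidate range are assumptions constructed for illustration.

```python
import hmac
import secrets


class PidCheck:
    """Weak pattern from the report: any PID owned by the user is accepted,
    and nothing limits how many guesses a client may make."""

    def __init__(self, user_pids):
        self.user_pids = set(user_pids)

    def authenticate(self, conn_id, claimed_pid):
        return claimed_pid in self.user_pids


class TokenCheck:
    """Hardened pattern: 128-bit random token, constant-time comparison,
    and a connection is refused after MAX_FAILURES bad attempts."""

    MAX_FAILURES = 3

    def __init__(self):
        self.token = secrets.token_hex(16)  # shared with the legitimate client out of band
        self.failures = {}

    def authenticate(self, conn_id, presented):
        if self.failures.get(conn_id, 0) >= self.MAX_FAILURES:
            return False  # locked: even a correct token is refused on this connection
        ok = hmac.compare_digest(presented.encode(), self.token.encode())
        if not ok:
            self.failures[conn_id] = self.failures.get(conn_id, 0) + 1
        return ok


def guesses_until_accepted(check, conn_id, candidates):
    """Return how many attempts were needed before the check accepted one,
    or None if every candidate was rejected."""
    for attempt, candidate in enumerate(candidates, start=1):
        if check.authenticate(conn_id, candidate):
            return attempt
    return None


if __name__ == "__main__":
    weak = PidCheck({4312, 9876})  # constructed sample PIDs
    strong = TokenCheck()
    print("PID check accepted after", guesses_until_accepted(weak, "c1", range(65536)), "guesses")
    print("Token check:", guesses_until_accepted(strong, "c1", map(str, range(65536))))
```

The per-connection cap only slows guessing, since a client can reconnect; the token's 128 bits of entropy are what make guessing impractical.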
Via ZDNet
from TechRadar - Software news https://ift.tt/2CcBjLc
via Blogger https://ift.tt/2RZBr6b
December 14, 2018 at 10:41PM