
Microsoft unleashes a MouseJack patch that may or may not actually work

Microsoft has released an optional update that addresses a hacking technique called “MouseJack.” The update patches a number of Microsoft-based wireless mice including the Sculpt Ergonomic mouse, the Arc Touch mouse, the Wireless Mouse 1000/2000/5000, and several others. This update does not address other mice manufactured by third-party suppliers.

“A vulnerability has been discovered that allows keyboard HID packets to be injected into Microsoft wireless mouse devices through USB dongles,” the company reports. “USB dongles will accept keyboard HID packets transmitted to the RF addresses of wireless mouse devices.”

According to Microsoft, the provided update actually filters out QWERTY key packets in keystroke communications issued from the receiving USB dongle to the wireless mouse device. The security issue currently resides in both 32-bit and 64-bit versions of Windows 7 Service Pack 1, Windows 8.1, Windows 10, and Windows 10 Version 1511.

Ok, so what’s this MouseJack business all about? It’s a technique that focuses on non-Bluetooth wireless keyboards and mice. These peripherals are connected to a desktop or laptop thanks to a dongle inserted into the USB port, enabling wireless transmissions between the host computer and the peripheral. The problem is that because these signals are sent over the air, hackers can use a special device to send their own malicious signals to the host PC in the same manner.

Security firm Bastille Research actually has a website dedicated to MouseJack information, and reports that hackers can take over a PC from up to 328 feet away. They can perform “rapidly malicious activities” without being detected by the device owner simply by sending scripted commands. Hackers can even type in arbitrary text as if the victims actually entered the text themselves.

“The MouseJack exploit centers around injecting unencrypted keystrokes into a target computer,” the firm states. “Mouse movements are usually sent unencrypted, and keystrokes are often encrypted (to prevent eavesdropping what is being typed). However, the MouseJack vulnerability takes advantage of affected receiver dongles, and their associated software, allowing unencrypted keystrokes transmitted by an attacker to be passed on to the computer’s operating system as if the victim had legitimately typed them.”
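
The receiver-side check described above, as an added example that is not Microsoft's or Bastille's code: a dongle model that forwards a HID report only when it matches the device paired at that RF address. The frame layout, addresses and function names are constructed for illustration, and refusing plaintext keystrokes on a keyboard address is a generalization beyond the filter Microsoft describes.

```python
from dataclasses import dataclass
from enum import Enum

class Kind(Enum):
    MOUSE = "mouse"
    KEYBOARD = "keyboard"

@dataclass(frozen=True)
class Frame:
    rf_address: str  # address the frame was sent to (constructed format)
    report: Kind     # HID report type carried in the frame
    encrypted: bool  # whether the payload arrived encrypted
    payload: str

# Hypothetical pairing table kept by the dongle: RF address -> paired device.
PAIRED = {"AA:01": Kind.MOUSE, "AA:02": Kind.KEYBOARD}

def accept_unfiltered(frame: Frame) -> bool:
    """Affected behaviour: any HID report sent to a paired address is forwarded."""
    return frame.rf_address in PAIRED

def accept_filtered(frame: Frame) -> bool:
    """Forward a report only if it matches the device paired at that address."""
    paired = PAIRED.get(frame.rf_address)
    if paired is None or frame.report is not paired:
        return False  # includes keyboard reports sent to a mouse address
    if frame.report is Kind.KEYBOARD and not frame.encrypted:
        return False  # generalization: plaintext keystrokes are refused too
    return True

def forwarded(frames, policy):
    """Payloads that the given policy would hand to the host OS."""
    return [f.payload for f in frames if policy(f)]

# Constructed sample traffic, not captured from any real device.
SAMPLE = [
    Frame("AA:01", Kind.MOUSE, False, "mouse move"),
    Frame("AA:02", Kind.KEYBOARD, True, "encrypted key from paired keyboard"),
    Frame("AA:01", Kind.KEYBOARD, False, "plaintext key to mouse address"),
    Frame("AA:02", Kind.KEYBOARD, False, "plaintext key to keyboard address"),
    Frame("AA:09", Kind.MOUSE, False, "frame to unpaired address"),
]

if __name__ == "__main__":
    for name, policy in (("unfiltered", accept_unfiltered), ("filtered", accept_filtered)):
        print(name, forwarded(SAMPLE, policy))
```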

There is a list of vulnerable devices located here, including products manufactured by AmazonBasics, Dell, Gigabyte, HP, Lenovo, Logitech, and Microsoft. Dell actually provided a statement on February 23, saying that it has been working with Bastille Research to address the problem related to the KM632 and the KM714 devices.

Although Microsoft has issued an update to fix the MouseJack problem with its mice, security researcher Marc Newlin says that Windows customers using Microsoft mice are still vulnerable to MouseJack despite the patch. He adds that injection still works against the Sculpt Ergonomic mouse and all non-Microsoft mice. The patch also offers no Windows Server support.

For more information about the new patch and how to perform a manual install, check out the Microsoft Security Advisory 3152550 here. Otherwise, Microsoft customers using one of its listed wireless products might want to consider grabbing the update when it arrives via Windows Update.

Kevin Parrish
Former Digital Trends Contributor