Friday, December 14th 2018
"Logitech Options" Software Vulnerability Disclosed, Users Should Uninstall Until Fix is Available
(Update 1: It seems that Logitech has launched an updated version of their Options software with a fix for the vulnerability - but this only happened after the vulnerability became public. You can go on over to Logitech's own webpage to download the updated version, which includes the fix in its changelogs, from here. Safe browsing.)
Adding to the critical vulnerability galore that's been coming out of Google's Project Zero, a researcher has demonstrated how an inherent bug in the "Logitech Options" software renders users vulnerable when visiting web pages. Tavis Ormandy, with Google Project Zero, found that Logitech Options opens a local WebSocket port that doesn't require authentication for external commands. Attackers could exploit this issue by sending simulated keystrokes from any website - and thus execute pretty much anything on affected systems. Ormandy reported the issues to Logitech developers in September this year, and although Logitech recognized the problem, it still wasn't fixed in the last software release put out by the company. As part of Google Project Zero's responsible disclosure policy, Logitech was given a 90-day deadline to fix the issue - which they didn't, and hence, the vulnerability has been publicly disclosed. And as such, there's a whole world of potentially malicious hackers with the knowledge to execute this attack in the wild now - just uninstall the software until a fix is available, for your security. It's sure nice to have Options, but those shouldn't be given to hackers.
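The defect described above is a general one: a helper application listens on a localhost WebSocket port, and because the browser lets any web page open a WebSocket to 127.0.0.1, every page the user visits can talk to it unless the service checks who is connecting. The following is an added example, not Logitech's code, showing the two opening-handshake policies side by side: a naive server that accepts any upgrade request, and a hardened one that enforces an Origin allowlist plus a per-session secret. The handshake bytes, the `PORT` placeholder, the `app://trusted-ui` origin and the `X-Session-Token` header name are all constructed for the example; the Sec-WebSocket-Accept computation follows RFC 6455.

```python
"""Origin and token checks for a localhost WebSocket service (added example)."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455 §1.3

# Assumed names for this example: the origin of the vendor's own UI and the
# header the UI uses to present the secret it received out of band.
TRUSTED_ORIGINS: Set[str] = {"app://trusted-ui"}
TOKEN_HEADER = "x-session-token"


def new_session_token() -> str:
    """Secret handed to the legitimate client at launch; never exposed to web pages."""
    return secrets.token_urlsafe(32)


def build_handshake(origin: str, token: Optional[str] = None) -> bytes:
    """Constructed opening handshake, shaped like what a browser sends for
    `new WebSocket("ws://127.0.0.1:PORT/")`. Browsers always attach Origin and
    a page cannot alter or suppress it, which is what makes the check useful."""
    lines = [
        "GET / HTTP/1.1",
        "Host: 127.0.0.1:PORT",  # PORT is a placeholder, not the real port
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",  # RFC 6455 sample key
        "Sec-WebSocket-Version: 13",
        f"Origin: {origin}",
    ]
    if token is not None:
        lines.append(f"X-Session-Token: {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_handshake(raw: bytes) -> Dict[str, str]:
    """Return the request headers with lower-cased names."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), per RFC 6455 §4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def _is_upgrade(headers: Dict[str, str]) -> bool:
    return headers.get("upgrade", "").lower() == "websocket" and "sec-websocket-key" in headers


def _switching_protocols(headers: Dict[str, str]) -> str:
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\nConnection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_key(headers['sec-websocket-key'])}\r\n\r\n"
    )


def naive_handshake(raw: bytes) -> Tuple[int, str]:
    """The weak policy: any well-formed upgrade request is accepted, so a
    page from any origin gets a command channel to the local service."""
    headers = parse_handshake(raw)
    if not _is_upgrade(headers):
        return 400, "HTTP/1.1 400 Bad Request\r\n\r\n"
    return 101, _switching_protocols(headers)


def hardened_handshake(raw: bytes, allowed_origins: Set[str], session_token: str) -> Tuple[int, str]:
    """The corrected policy: reject unknown origins, then require the secret.
    The token matters because a non-browser local process can forge Origin;
    the allowlist alone only stops web pages."""
    headers = parse_handshake(raw)
    if not _is_upgrade(headers):
        return 400, "HTTP/1.1 400 Bad Request\r\n\r\n"
    if headers.get("origin") not in allowed_origins:
        return 403, "HTTP/1.1 403 Forbidden\r\n\r\n"
    presented = headers.get(TOKEN_HEADER, "")
    if not hmac.compare_digest(presented.encode("utf-8"), session_token.encode("utf-8")):
        return 403, "HTTP/1.1 403 Forbidden\r\n\r\n"
    return 101, _switching_protocols(headers)


if __name__ == "__main__":
    token = new_session_token()
    from_web_page = build_handshake("https://untrusted.example")
    from_trusted_ui = build_handshake("app://trusted-ui", token)
    print("naive, web page:    ", naive_handshake(from_web_page)[0])
    print("hardened, web page: ", hardened_handshake(from_web_page, TRUSTED_ORIGINS, token)[0])
    print("hardened, trusted UI:", hardened_handshake(from_trusted_ui, TRUSTED_ORIGINS, token)[0])
```

The Origin allowlist is the cheap fix that would have closed the browser-side exposure on its own, since a page cannot control that header; the session token covers the remaining case of another local process connecting to the port. Either way, a localhost listener should be treated as reachable from every site the user visits, and a defender auditing a workstation can start by listing which applications hold such listening ports.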
Sources:
Project Zero, Myce.com
12 Comments on "Logitech Options" Software Vulnerability Disclosed, Users Should Uninstall Until Fix is Available
32 devices out of their whole range, and most of them non-gamer stuff
Currently manually downloading & installing. EDIT: Done fixed.
And the initial vulnerability report only exists because the person actually uses the Logitech Options software, so it isn't likely anyone has even bothered to test LGS.
Edit: Also, as to the update in the original post about the issue being fixed in the latest version. According to the comments on the Google Project Zero vulnerability page, that isn't true. The original person that found the bug says they are going to test the latest version, but hasn't posted back on if the issue still exists. And one user posted saying the vulnerability is still in the latest version of Logitech Options. So there has been no solid confirmation that the latest version fixes the vulnerability. So, I'd still be hesitant about installing Logitech Options.
I saw it requesting a software update this morning as I had to go into the office for a network issue.
Updated it.
Will have to run a report to see how many people have this software installed on Monday.