Friday, December 14th 2018

"Logitech Options" Software Vulnerability Disclosed, Users Should Uninstall Until Fix is Available

(Update 1: It seems that Logitech has launched an updated version of their Options software with a fix for the vulnerability - but this only happened after the vulnerability became public. You can head over to Logitech's own webpage to download the updated version, which includes the fix in its changelogs, from here. Safe browsing.)

Adding to the run of critical vulnerabilities that's been coming out of Google's Project Zero, a researcher has demonstrated how an inherent bug in the "Logitech Options" software renders users vulnerable when visiting web pages. Tavis Ormandy, with Google Project Zero, found that Logitech Options opens a local WebSocket port that doesn't require authentication for external commands. Attackers could exploit this issue by sending simulated keystrokes from any website - and thus execute pretty much anything on affected systems.
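
The missing control described above is authentication on a local WebSocket listener that web pages can reach. As an added example (not Logitech's code and not its actual fix), this sketch shows checks such a listener could make on the handshake before accepting any command; the port, the `X-Session-Token` header name and the token value are constructed assumptions.

```python
import hmac

# Assumptions for this sketch: the only legitimate client is a local
# companion app that knows a per-install secret; no web page is trusted.
ALLOWED_ORIGINS = set()                    # no browser origin may drive the service
SESSION_TOKEN = "constructed-per-install-secret"   # constructed sample value
LOOPBACK = ("127.0.0.1", "::1")

def parse_handshake(raw):
    """Map lower-cased header names to values from an HTTP Upgrade request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:    # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def authorize(raw, peer_ip):
    """Decide whether a WebSocket handshake may open a command channel."""
    headers = parse_handshake(raw)
    if peer_ip not in LOOPBACK:
        return (False, "non-loopback peer")
    # Browsers attach an Origin header to every WebSocket handshake, and the
    # same-origin policy does not stop a page from connecting to localhost,
    # so the server has to reject origins it does not expect.
    origin = headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return (False, "browser origin not allowed")
    # A native client proves itself with a secret that page script cannot read.
    token = headers.get("x-session-token", "")
    if not hmac.compare_digest(token.encode("latin-1"), SESSION_TOKEN.encode("latin-1")):
        return (False, "missing or wrong token")
    return (True, "ok")

def handshake(extra):
    """Build a constructed sample handshake; port 9999 is a placeholder."""
    return ("GET / HTTP/1.1\r\nHost: 127.0.0.1:9999\r\nUpgrade: websocket\r\n"
            "Connection: Upgrade\r\n" + extra + "\r\n").encode("latin-1")

FROM_WEB_PAGE = handshake("Origin: https://example.test\r\n")
FROM_LOCAL_APP = handshake("X-Session-Token: " + SESSION_TOKEN + "\r\n")

if __name__ == "__main__":
    for label, raw in (("web page", FROM_WEB_PAGE), ("local app", FROM_LOCAL_APP)):
        print(label, authorize(raw, "127.0.0.1"))
```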

Ormandy reported the issue to Logitech developers in September this year, and although Logitech recognized the problem, it still wasn't fixed in the last software release put out by the company. As part of Google Project Zero's responsible disclosure policy, Logitech was given a 90-day deadline to fix the issue - which they didn't, and hence, the vulnerability has been publicly disclosed. As such, there's now a whole world of potentially malicious hackers with the knowledge to execute this attack in the wild - just uninstall the software until a fix is available, for your security. It's sure nice to have Options, but those shouldn't be given to hackers.

Sources: Project Zero, Myce.com

12 Comments on "Logitech Options" Software Vulnerability Disclosed, Users Should Uninstall Until Fix is Available

#3
Mussels
Moderprator
I've never heard of this software before, despite owning several Logitech products :/
#4
TheDeeGee
Mussels said:
I've never heard of this software before, despite owning several Logitech products :/
I think this is what SetPoint used to be?
#5
Mussels
Moderprator
There's a pretty short list of supported products on the website

32 devices out of their whole range, and most of them non-gamer stuff
#6
newtekie1
Semi-Retired Folder
I wonder if this bug also affects the Logitech Gaming Software, which seems very similar but geared towards most of their "gaming" products...
#7
delshay
That's odd. I have the MX Master & I just checked my software & it's the old version. I just clicked on update & it failed to see the new version.

Currently manually downloading & installing. EDIT: Done fixed.
#8
Assimilator
Mussels said:
I've never heard of this software before, despite owning several Logitech products :/
Ditto. Seems that Logitech Gaming Software aka LGS, formerly known as SetPoint, is for their gaming gear and this "Options" is for... everything else?

newtekie1 said:
I wonder if this bug also affects the Logitech Gaming Software, which seems very similar but geared towards most of their "gaming" products...
I would expect so, I mean a lot of the underlying functionality must be identical regardless. That said there's no update for LGS, so maybe not.
#9
newtekie1
Semi-Retired Folder
Assimilator said:
I would expect so, I mean a lot of the underlying functionality must be identical regardless. That said there's no update for LGS, so maybe not.
Or they just haven't gotten around to releasing an update for it, or they don't plan to until a 3rd party confirms the vulnerability exists in LGS too. Heck, it sounds like they weren't planning on even updating Logitech Options but only did so because the vulnerability hit the press...

And the initial vulnerability report only exists because the person actually uses the Logitech Options software, so it isn't likely anyone has even bothered to test LGS.

Edit: Also, as to the update in the original post about the issue being fixed in the latest version. According to the comments on the Google Project Zero vulnerability page, that isn't true. The original person that found the bug says they are going to test the latest version, but hasn't posted back on if the issue still exists. And one user posted saying the vulnerability is still in the latest version of Logitech Options. So there has been no solid confirmation that the latest version fixes the vulnerability. So, I'd still be hesitant about installing Logitech Options.
#10
Makaveli
I use an MX Master as my work mouse.

I saw it requesting a software update this morning as I had to go into the office for a network issue.

Updated it.

Will have to run a report to see how many people have this software installed on Monday.
#11
gdallsk
Does this apply to the G Hub as well?
#12
eidairaman1
The Exiled Airman
Did they steal this from uberoptions?