Logitech Rushes to Patch a Serious Three-Month-Old Bug in Its Options App

Figure 1: Image courtesy of Logitech

Logitech Options allowed Rubber Ducky attacks for more than three months, even though Logitech knew that the bug had been identified privately by a Google researcher, who was assured that a patch would soon be released in September. According to his findings, the mouse and keyboard configuration suite followed a series of bad practices in its service that could trigger keystroke injection attacks. Once an attacker does this, the next move might be to customize the "crown" to allow arbitrary keystrokes, or "Rubber Ducky attacks."

Attacks of this type have been used frequently by malicious hackers in the past. They involve a USB device that mimics a keyboard or mouse and issues keyboard shortcuts and commands as part of its malicious code. This scares consumers because the system appears to have gone rogue, doing its own thing, and leaves them little time to respond.

In the same bug report, Ormandy mentions that in September he had a meeting with Logitech engineers, who told him they understood the problems and intended to introduce type testing and origin checking for Options. To Ormandy's disappointment, however, the October release did not solve any of the issues, so he disclosed the bug and publicly suggested that the suite be disabled until a fix is available. That happened only on December 11, a date that Ormandy describes as way past an appropriate deadline for fixing this problem.

Negative publicity gained momentum on Twitter, with people wondering how and why Logitech overlooked such a serious bug for more than three months, choosing to leave them vulnerable even though it had known about the bug for so long. As a result, Logitech has rushed out an update (version 7.00.564) that supposedly fixes the identified security issues, but Ormandy still has to confirm this.