I disclosed this flaw to Kensington on, when I said that I would wait for 90 days before publishing details of the vulnerability to give them time to fix it. The result of said shovelwork was a vulnerability that allows an attacker to remotely execute arbitrary code on a victim’s computer. My dad owns several Kensington devices, and if you mess with my dad then, well, I’d prefer if you didn’t. It shouldn’t need to receive any network connections in order to manage its users’ mice. There’s nothing necessarily wrong with this, but it was still a strange thing for KensingtonWorks to do. In their message they noted that KensingtonWorks was listening on a TCP network port, allowing other programs on the user’s computer to connect to it.
They had noticed some odd behavior by KensingtonWorks, a piece of software that allows its users to add power functionality to mice made by Kensington, a popular brand of peripherals. Back in February, a Twitter user who has asked to remain anonymous sent me a tipoff.
0 kommentar(er)
