Microsoft’s Mixed Reality (MR) headset is currently only available to developers, but it has already begun to see some remarkable uses, from helping air stewards keep passengers comfortable, to teaching children about the solar system, to an entire Super Mario Bros. level recreated for the HoloLens. Even though not many people have the hardware yet, the HoloLens can still be an attack vector for malicious coders.
According to The Register, researchers have discovered a major security flaw in the MR headset code. This flaw was listed in the logs released as part of Microsoft’s monthly patch cycle, commonly referred to as ‘Patch Tuesday’. 57 bugs were listed, all of which were patched with the latest Windows update.
19 of the bugs were marked as critical, and 24 were listed as possibly allowing for remote code execution, a serious problem that could allow hackers to wrest control of a user’s computer away from them, gaining access to personal information. In the case of development machines, this could also allow hackers to access information on projects that had not been publicly announced, for the purposes of corporate espionage.
One of the remote code execution bugs was CVE-2017-8584, a bug specifically related to the HoloLens and the handling of Wi-Fi data packets by its firmware. An attacker could potentially use this vulnerability to take control of the HoloLens, including such actions as installing programs; viewing, changing or deleting data; and creating new accounts with high-level access rights.
The majority of the fixes applied by the patch relate to commonly exploited applications such as Internet Explorer, Edge and Windows Office. As always, Microsoft is recommending that users update to the latest patch as soon as possible in order to keep their data safe.
VRFocus will bring you further information on the HoloLens and vulnerabilities in VR hardware as it becomes available.