Is Internet Explorer leaking sensitive information?

Security researchers at have uncovered some potentially concerning behavior in Microsoft's Internet Explorer Web browser.

Do you use Internet Explorer? If you do, hopefully you've already applied the updates from Patch Tuesday earlier this week. But, even if you did it seems your browser might still be vulnerable to a potentially serious issue., a company in the business of helping customers distinguish between actual human website visitors and automated bot activity, claims to have discovered a flaw that affects Internet Explorer, the current flagship browser from Microsoft, versions 6 through 10. The vulnerability reportedly allows the mouse cursor position to be tracked wherever it is on the screen--even if IE is minimized. disclosed the vulnerability to Microsoft on October 1, 2012, but it was not addressed in the most recent security update for Internet Explorer. asserts that the flaw is being actively exploited, and claims the Microsoft Security Research Center (MSRC) has acknowledged the vulnerability, but has no immediate plan to patch it.

I asked Microsoft for its position on the alleged vulnerability. A spokesperson sent me this official response: "We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected. We will provide additional information as it becomes available and will take the appropriate action to protect our customers."

Jason Miller, manager of research and development for VMware, questions whether the issue is a "bug" or a "feature". "One could question whether this is a vulnerability or a feature introduced into the browser to help establish metrics of usage. Regardless, the researchers have proven that this "issue" could be used maliciously."

I spoke with Qualys CTO Wolfgang Kandek. He expressed concerns over the implications such a vulnerability might have for online banking. Many banks have implemented on-screen virtual keyboards for entering account credentials as a means of avoiding traditional keylogger attacks.

Andrew Storms, director of security operations for nCircle, agrees. "This exploit renders that mitigation null and void -- it has the effect of a key logger on virtual keyboards. Attackers could potentially capture the clicks connected with banking credentials using this exploit and that isn't good news for the 63 million Americans that bank online."

Alex Horan, senior product manager at CORE Security, adds that supposedly "safe" websites may not be so safe. "It also reinforces that just because you are visiting YouTube or the New York Times doesn't mean all the content on that site is owned or managed by them--serving up malicious ads on trusted mainstream sites is a great way to expose your attack to a large volume of users."

Horan suggests abandoning IE until or unless the issue is patched by Microsoft.

Storms says, "If this vulnerability is confirmed, it has the potential to require an out-of-band patch and that's something everyone would like to avoid this holiday season."

Stories by Tony Bradley