Microsoft downplays IE flaw that allows mouse tracking

Microsoft says it is investigating reports of a vulnerability in multiple versions of Internet Explorer

Microsoft says it is investigating a possible bug in Internet Explorer that allows others to follow the position of your mouse cursor on screen, even if IE is minimized.

Researchers at Spider.io, an advertising analytics firm, discovered the function and reported it to Microsoft in early October. They identified a vulnerability in Internet Explorer, found in versions 6 through 10, that enables people to track the mouse cursor anywhere on a display, which could compromise the security of virtual keyboards and virtual keypads.

Here's a video demo of the exploit:

Microsoft acknowledged the issue, but did not address it in the latest patch update for the browser. So far, Microsoft claims its evidence indicates that sites can view only the mouse state, but not the actual content that the user is interacting with.

The company now says it is working closely with other companies to address the vulnerability.

"From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy," said Dean Hachamovitch, a Microsoft vice president who oversees IE, in a blog post.

"We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers," Hachamovitch added. The only reported active use of this behavior involves competitors to Spider.io providing analytics. The theoretical use of this behavior to compromise the safety or privacy of consumers is something Microsoft's security team has discussed with researchers across the industry.

Hachamovitch says that getting all the right pieces in order to exploit this vulnerability is hard to imagine, and that there is very little risk to consumers at this time.
