Microsoft downplays IE flaw that allows mouse tracking

Microsoft says it is investigating reports of a vulnerability in multiple versions of Internet Explorer

Microsoft says it is investigating a possible bug in Internet Explorer that allows others to follow the position of your mouse cursor on screen, even if IE is minimized.

Researchers at Spider.io, an advertising analytics firm, discovered the function and reported it to Microsoft in early October. They identified a vulnerability in Internet Explorer, found in versions 6 through 10, that enables people to track the mouse cursor anywhere on a display, which could compromise the security of virtual keyboards and virtual keypads.


Microsoft acknowledged the issue, but did not address it in the latest patch update for the browser. So far, Microsoft claims its evidence indicates that sites can view only the mouse state, but not the actual content that the user is interacting with.

The company now says it is working closely with other companies to address the vulnerability.

"From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy," said Dean Hachamovitch, a Microsoft vice president who oversees IE, in a blog post.

"We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers," Hachamovitch added. The only reported active use of this behavior involves competitors to Spider.io providing analytics. The theoretical use of this behavior to compromise the safety or privacy of consumers is something Microsoft's security team has discussed with researchers across the industry.

Hachamovitch says that getting all the right pieces in order to exploit this vulnerability is hard to imagine, and that there is very little risk to consumers at this time.
