Microsoft Responds to IE Mouse Claims, Spider.io Retaliates

Microsoft has finally provided a more lengthy response to allegations that a vulnerability in Internet Explorer allows third parties to see on-screen mouse movement even when the browser is minimized.

Previously Microsoft said it was merely investigating the issue, and that to date there are no active exploits of the flaw. Spider.io, which discovered the vulnerability and reported its findings back in October, disagrees. The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month, Spider.io claims.

Microsoft doesn't disagree with that statement, saying that the current underlying issue has more to do with competing analytics companies than consumer safety or privacy.

"We are actively working to adjust this behavior in IE," said Dean Hachamovitch, Corporate Vice President of Internet Explorer. "There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers."

Hachamovitch explained that online advertisers have switched from a "served" impression method to a "viewable" impression method. Many analytics companies have stepped in to compete in this space, and some of that competition has resulted in lawsuits to which Spider.io is a party. He pointed out that Spider.io is an analytics company – not a security firm – which recently said, "There are two ways to measure ad viewability. There is only one right way."

Spider.io makes its point of view very clear, he said.

"From investigating the specific behavior when mouse position data is visible outside the browser window, sites can view only the mouse state; they cannot view the actual content that the user is interacting with," he said. "From our conversations with security researchers across the industry, we see very little risk to consumers at this time. As we have stated previously, there are no reported cases of any consumer having their information compromised."

Naturally Spider.io responded to his response, complaining that it does not feel comfortable having a public debate.

"From the very beginning we have sought to work with all the respective parties to remedy this out of the public eye," the company said. "We privately disclosed the vulnerability and its use both to Microsoft and to the largest of the ad analytics companies currently exploiting the vulnerability—respectively on 1 October and 27 September. We made clear our belief that the Internet Explorer vulnerability was both significant and that its exploitation by an analytics company would suggest a disregard for user privacy and for the security efforts of browser vendors. Our suggestions were ignored by all the relevant parties as not being important."

Spider.io goes on to state that other browsers do not leak mouse-cursor position outside of the browser window in the way that Internet Explorer does. The company also disputes Hachamovitch's claims that exploitation of the vulnerability to compromise login details and other confidential information is "theoretical", "hard to imagine" and would require "serving an ad to a site that asks for a logon."

"This is not the case," Spider.io said. "Ads do not need to be served to sites requiring login details. Ads need only to be served to some page which is open in Internet Explorer. The page with an embedded ad may be in a background tab. The page may be minimised. You may be using an entirely different application – potentially a different browser or some other desktop application – to log in."

To read the full response from Microsoft, head here. To read the feedback from Spider.io, head here. To skip all the mouse tracking on the Internet, simply shut down your PC and read from a tablet or smartphone. Or go read a book. Seriously, it's getting insane out here on the World Wide Web.

Comments from the forums
  • kellybean
    MS ties their IE directly at the kernel level on purpose since they made their back-room deal with the FEDS to give them back doors into their OS.
    -3
  • myromance123
    I don't see why I'd need to shut down my computer. Just DON'T use IE. I thought everyone would have honestly learned this lesson already by now. I gave IE9 my last try, and gave up when it caused my entire system to BSOD 3 times after fresh installs. No more IE, no matter how great people say it's become. Its main purpose is to help Microsoft maintain a monopoly, simple.
    -3
  • freggo
    There is all sorts of info that goes along with a standard HTTP request.
    From OS version to screen size to # of colors etc.
    Cursor location can be called from JavaScript etc. (and is needed to make image maps work).
    I don't see a serious security issue in anyone knowing where on the screen my cursor is.

    But I am open to suggestions :)
    9