Microsoft Responds to IE Mouse Claims, Spider.io Retaliates

By - Source: Microsoft

Microsoft responded to Spider.io's public disclosure of an Internet Explorer flaw.

Microsoft has finally provided a lengthier response to allegations that a vulnerability in Internet Explorer lets third parties see on-screen mouse movement even when the browser is minimized.

Previously, Microsoft had said only that it was investigating the issue and that, to date, there were no active exploits of the flaw. Spider.io, which discovered the vulnerability and reported its findings back in October, disagrees: the vulnerability is already being exploited by at least two display-ad analytics companies across billions of page impressions per month, the company claims.

Microsoft doesn't dispute that statement; it says the underlying issue has more to do with competing analytics companies than with consumer safety or privacy.

"We are actively working to adjust this behavior in IE," said Dean Hachamovitch, Corporate Vice President of Internet Explorer. "There are similar capabilities available in other browsers. Analytics firms can expect to do viewport detection in IE similarly to how they do this in other browsers."

Hachamovitch explained that online advertisers have switched from counting "served" impressions to counting "viewable" impressions. Many analytics companies have stepped in to compete in that space, and the competition has produced lawsuits to which Spider.io is a party. He pointed out that Spider.io is an analytics company, not a security firm, and that it recently said, "There are two ways to measure ad viewability. There is only one right way."

Spider.io makes its point of view very clear, he said.

"From investigating the specific behavior when mouse position data is visible outside the browser window, sites can view only the mouse state; they cannot view the actual content that the user is interacting with," he said. "From our conversations with security researchers across the industry, we see very little risk to consumers at this time. As we have stated previously, there are no reported cases of any consumer having their information compromised."

Naturally Spider.io responded to his response, complaining that it does not feel comfortable having a public debate.

"From the very beginning we have sought to work with all the respective parties to remedy this out of the public eye," the company said. "We privately disclosed the vulnerability and its use both to Microsoft and to the largest of the ad analytics companies currently exploiting the vulnerability—respectively on 1 October and 27 September. We made clear our belief that the Internet Explorer vulnerability was both significant and that its exploitation by an analytics company would suggest a disregard for user privacy and for the security efforts of browser vendors. Our suggestions were ignored by all the relevant parties as not being important."

Spider.io goes on to state that other browsers do not leak mouse-cursor position outside the browser window in the way that Internet Explorer does. The company also disputes Hachamovitch's claim that exploiting the vulnerability to compromise login details and other confidential information is "theoretical", "hard to imagine" and would require "serving an ad to a site that asks for a logon."

"This is not the case," Spider.io said. "Ads do not need to be served to sites requiring login details. Ads need only to be served to some page which is open in Internet Explorer. The page with an embedded ad may be in a background tab. The page may be minimised. You may be using an entirely different application – potentially a different browser or some other desktop application – to log in."
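The disagreement above comes down to one boundary. A page legitimately learns where the cursor is inside its own window while the page is visible, which is all viewability measurement needs; learning where the cursor is anywhere else on the screen, or while the page is minimized or in a background tab, is the leak Spider.io describes. The JavaScript below is an added example, not code from the article, Microsoft or Spider.io: it classifies cursor samples against that boundary so a practitioner can check a browser against Spider.io's claim that only IE reports positions outside its window. The sample format, the field names, the window rectangle and the constructed sample set are assumptions made for this example. In a browser it records real mousemove events for 30 seconds and prints the audit; under Node it runs against the constructed samples only.

```javascript
// Added example (not from the article, Microsoft or Spider.io). Audits cursor
// samples reported to a page: coordinates inside the page's own window while
// the page is visible are legitimate viewability data; coordinates reported
// while the page is hidden, or lying outside the window with no button held,
// are the kind of leak the article describes.
// Sample shape and field names are assumptions for this example:
//   { screenX, screenY, buttons, visible }
//   screenX/screenY: cursor position in screen pixels (MouseEvent.screenX/Y)
//   buttons:         MouseEvent.buttons, non-zero while a button is held
//   visible:         !document.hidden at the moment the sample was taken

// Screen rectangle of a window, in screen pixels (position plus outer size,
// so browser chrome is included).
function windowScreenRect(win) {
  return {
    left: win.screenX,
    top: win.screenY,
    right: win.screenX + win.outerWidth,
    bottom: win.screenY + win.outerHeight,
  };
}

function classifySample(sample, rect) {
  const inside =
    sample.screenX >= rect.left && sample.screenX < rect.right &&
    sample.screenY >= rect.top && sample.screenY < rect.bottom;
  if (!sample.visible) return 'leak-hidden';   // minimized or background tab: the page should see nothing
  if (inside) return 'ok';                     // the page's own window: what viewability measurement needs
  if (sample.buttons !== 0) return 'drag';     // button held: every browser keeps delivering coordinates
                                               // to the page until release (implicit capture), not a leak
  return 'leak-outside';                       // outside the window, no button held
}

// Counts samples per class. A conforming browser yields zero 'leak-*' samples.
function auditSamples(samples, rect) {
  const counts = { ok: 0, drag: 0, 'leak-hidden': 0, 'leak-outside': 0 };
  for (const s of samples) counts[classifySample(s, rect)] += 1;
  return counts;
}

// Constructed data: a window at (100, 100) of 800x600 screen pixels, plus one
// sample for each case the classifier distinguishes.
const EXAMPLE_RECT = { left: 100, top: 100, right: 900, bottom: 700 };
const EXAMPLE_SAMPLES = [
  { screenX: 400, screenY: 300, buttons: 0, visible: true },   // hovering an ad inside the page
  { screenX: 899, screenY: 699, buttons: 0, visible: true },   // bottom-right corner, still inside
  { screenX: 1200, screenY: 300, buttons: 1, visible: true },  // dragging out of the window: expected
  { screenX: 1200, screenY: 300, buttons: 0, visible: true },  // cursor over another application
  { screenX: 50, screenY: 750, buttons: 0, visible: false },   // reported while the page is hidden
];

function auditExample() {
  return auditSamples(EXAMPLE_SAMPLES, EXAMPLE_RECT);
}

// Browser hook: record real samples for 30 seconds, then print the audit.
// Samples from any other source a page might poll can be pushed in as well.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const recorded = [];
  window.addEventListener('mousemove', (e) => {
    recorded.push({ screenX: e.screenX, screenY: e.screenY, buttons: e.buttons, visible: !document.hidden });
  });
  setTimeout(() => console.log(auditSamples(recorded, windowScreenRect(window))), 30000);
} else {
  console.log(auditExample());
}
```

Two caveats when running this for real: a drag with a button held delivers out-of-window coordinates in every browser, which is why it is classified separately rather than as a leak; and `window.screenX`/`outerWidth` can be off under display scaling or on multi-monitor layouts, so treat a handful of near-edge 'leak-outside' samples as noise and look for samples that are far outside the window or arrive while the page is hidden.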

To read the full response from Microsoft, head here. To read the feedback from Spider.io, head here. To skip all the mouse tracking on the Internet, simply shut down your PC and read from a tablet or smartphone. Or go read a book. Seriously, it's getting insane out here on the World Wide Web.

 

22 Comments
  • -3 | kellybean, December 14, 2012 5:03 PM
    MS ties their IE directly at the kernel level on purpose since they made their back-room deal with the FEDS to give them back doors into their OS.
  • -3 | myromance123, December 14, 2012 6:04 PM
    I don't see why I'd need to shut down my computer. Just DON'T use IE. I thought everyone would have honestly learned this lesson already by now. I gave IE9 my last try, and gave up when it caused my entire system to BSOD 3 times after fresh installs. No more IE, no matter how great people say it's become. Its main purpose is to help Microsoft maintain a monopoly, simple.
  • 9 | freggo, December 14, 2012 6:14 PM
    There is all sorts of info that goes along with a standard HTTP request.
    From OS version to screen size to # of colors etc.
    Cursor location can be called from JavaScript etc. (and is needed to make image maps work).
    I don't see a serious security issue in anyone knowing where on the screen my cursor is.

    but I am open to suggestions :) 
  • 8 | Onus, December 14, 2012 6:17 PM
    I'd like to see all these ad-serving companies brought to heel. Which analytics company was using this exploit? It sounds like at least one senior executive (i.e. a decision-maker, not a peon) should be put down. Where your mouse is when it is outside of their content is obviously none of their business. So there was a "bug" in IE? That's like saying that accidentally leaving your door unlocked gives permission for anyone to come in and take what they want.
  • 3 | jn77, December 14, 2012 6:26 PM
    Just go and buy a domain name, put up a simple website, and install google analytics to it, you would be amazed what you can report on, and I am sure there are things that can be reported on that google does not make public that the feds use..........
  • -5 | dextermat, December 14, 2012 7:34 PM
    I can't wait to see IE10.... noooootttttt!!!!
  • -4 | theconsolegamer, December 14, 2012 9:32 PM
    Let the dinosaur known as Microsoft go down and die. Let Linux pave the way into a new era of computing.
  • 9 | AndrewMD, December 14, 2012 9:35 PM
    It's funny how many people have issues with IE but are totally oblivious to the major issues that are found in competing browsers... If you want absolute security, disconnect yourself from the Internet.
  • 1 | guardianangel42, December 14, 2012 9:44 PM
    Quote (myromance123): I don't see why I'd need to shut down my computer. Just DON'T use IE. I thought everyone would have honestly learned this lesson already by now. I gave IE9 my last try, and gave up when it caused my entire system to BSOD 3 times after fresh installs. No more IE, no matter how great people say it's become. Its main purpose is to help Microsoft maintain a monopoly, simple.


    3 BSODs caused by IE9? I find that extraordinarily hard to believe. Anecdotally, I've installed it on over a dozen systems and not one of them BSOD'd. Obviously anecdotal evidence is almost worthless, however the vast majority of problems such as yours tend to be caused by third party programs.

    A quick google search reveals that, on launch, BSOD's could be caused by Adobe's Reader X plugin. Further searching reveals that a myriad of addons can cause this behavior.

    If you knew what you were doing, which you may or may not have, then addons would never have been a problem. Most addons developed for IE were toolbars that tended to install themselves when you installed free software (still do in fact) but these can almost always be opted out of.

    I will admit that Adobe Reader is a fairly universal program. However, unless you're doing a ton of PDF editing (which admittedly you might be) there are much better programs out there. Beyond that there's very little reason to have the PDF plugin installed. It does nothing but bog down browsing speed while producing a product that is barely passable.
  • 9 | A Bad Day, December 14, 2012 9:52 PM
    Quote (theconsolegamer): Let the dinosaur known as Microsoft go down and die. Let Linux pave the way into a new era of computing.

    Error: Vast majority of games and business/education software are not compatible with Linux. Please install an unstable, resource-consuming emulator.

    Quote (AndrewMD): It's funny how many people have issues with IE but are totally oblivious to the major issues that are found in competing browsers... If you want absolute security, disconnect yourself from the Internet.

    No, absolute security is to encase your computer in 10-meter-thick tungsten carbide and fire it into outer space.

    Why?

    Because no one can break into your computer and use a cold-boot attack.
  • 0 | ojas, December 14, 2012 11:50 PM
    Quote:
    To read the full response from Microsoft, head here. To read the feedback from Spider.io, head here. To skip all the mouse tracking on the Internet, simply shut down your PC and read from a tablet or smartphone. Or go read a book. Seriously, it's getting insane out here on the World Wide Web.

    As if analytics companies don't track mobile browsers... anyway, HTTPS Everywhere + Ghostery + ABP is all you need on a PC.
  • 1 | alextheblue, December 15, 2012 12:48 AM
    Quote (AndrewMD): It's funny how many people have issues with IE but are totally oblivious to the major issues that are found in competing browsers... If you want absolute security, disconnect yourself from the Internet.
    It's only natural - the internet is full of ignorant sheep and fanboys.
    Quote (myromance123): I don't see why I'd need to shut down my computer. Just DON'T use IE. I thought everyone would have honestly learned this lesson already by now. I gave IE9 my last try, and gave up when it caused my entire system to BSOD 3 times after fresh installs. No more IE, no matter how great people say it's become. Its main purpose is to help Microsoft maintain a monopoly, simple.
    MS doesn't have a monopoly, especially in the browser market. Damn public education... the only true monopolies are government-sanctioned ones. You can buy a Mac, a Linux box, even a Chrome machine (if you like being Cloud-dependent).

    Anyway, I've never had any BSODs on IE9, though admittedly I only use it on one box. Most people don't have these kinds of problems, you've probably got driver issues or add-on problems (or both, like Flash plus uncooperative drivers). Not that I care what browser you use, it just makes me laugh. "This software crashed, clearly it wasn't all the other shit that can go wrong because I r teh leet h4x!"
  • -1 | A Bad Day, December 15, 2012 1:03 AM
    My dad still blames Avast for killing a laptop's hard drive years ago.

    He never quite figured out that the hard drive simply failed. Unless a virus somehow accessed the hard drive's controller chips and cooked them, it's very very unlikely.
  • -2 | thecolorblue, December 15, 2012 1:54 AM
    dear microsoft shills lurking in these threads... you guys are pathetic
  • 3 | gnodeb, December 15, 2012 7:20 AM
    if cursor position is THE flaw they found... I think we can say that IE is safe...
  • 2 | tranzz, December 15, 2012 1:38 PM
    Not a risk till you start using a virtual keyboard on a Surface tablet, then WOW, you have a keylogger to the ad companies or anyone else who uses this vulnerability.
  • 0 | beayn, December 16, 2012 3:32 AM
    Quote (myromance123): I don't see why I'd need to shut down my computer. Just DON'T use IE. I thought everyone would have honestly learned this lesson already by now. I gave IE9 my last try, and gave up when it caused my entire system to BSOD 3 times after fresh installs. No more IE, no matter how great people say it's become. Its main purpose is to help Microsoft maintain a monopoly, simple.
    BSODs are not generally caused by an internet browser, but by drivers or hardware problems. You should get a memtest program for the computer that is BSODing. It shouldn't, and it's not Windows or IE causing it. Something is broken.

    Quote (tranzz): Not a risk till you start using a virtual keyboard on a Surface tablet, then WOW, you have a keylogger to the ad companies or anyone else who uses this vulnerability.

    That's a good point. Everyone has been wondering what sort of security risk this is, and a virtual keyboard is pretty much the only way it could exploit anything that I can think of.
  • 2 | merandos, December 16, 2012 6:51 PM
    Who even uses IE ?
  • 0 | beayn, December 16, 2012 8:29 PM
    Quote (merandos): Who even uses IE ?
    Something like 20-25% of users. Most people don't know, or don't care about what they use to browse the net.
  • 0 | f-14, December 17, 2012 6:04 PM
    Mr. Parrish commits biased ad failure for promoting windows 8 touch.
    Quote:
    To skip all the mouse tracking on the Internet, simply shut down your PC and read from a tablet or smartphone. Or go read a book.


    oh that's right Mr.Parrish is an apple fanboi, no promotion for you microsoft!