Sign in with
Sign up | Sign in

Microsoft Investigating Mouse Tracking Flaw in Internet Explorer

By - Source: The Next Web | B 16 comments

Microsoft is looking into a vulnerability in Internet Explorer that allows hackers to track cursor movement even when the browser is minimized.

On Thursday Microsoft said that it is looking into claims that a vulnerability in Internet Explorer allows hackers to track mouse activity on a screen even when the browser is not being actively used. News of the vulnerability surfaced on Wednesday, reporting that the problem resides in Internet Explorer versions 6, 7, 8, 9 and 10.

The browser flaw was originally spotted by Spider.io months ago, and then reported to Microsoft on October 1. The security analytics firm said that the Microsoft Security Research Center acknowledged the IE vulnerability, but the Redmond company stated that there were no immediate plans to patch this vulnerability in existing versions of the browser.

The IE vulnerability reportedly compromises the security of virtual keyboards and virtual keypads. Malware doesn't need to be installed. Instead, an attacker can simply buy display advertising on a site and insert non-malicious code into the ad itself. Thus when a user visits a website with the ad on display, the hacker can track their cursor movement while the page remains open.

Even more, cursor movement is recorded even if the web surfer is on another tab or out on the desktop with the browser minimized. Thus, as long as the web page remains open in Internet Explorer, the attacker can record everything the end-user's mouse does on-screen including making Skype calls and more.

"Internet Explorer’s event model populates the global Event object with some attributes relating to mouse events, even in situations where it should not," the security analytics firm said. "Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any webpage (or in any iframe within any webpage) to poll for the position of the mouse cursor anywhere on the screen and at any time—even when the tab containing the page is not active, or when the Internet Explorer window is unfocused or minimized. The fireEvent() method also exposes the status of the control, shift and alt keys."

Microsoft told The Next Web on Thursday that it's currently investigating the reported issue, but to date there are no active exploits or customers that have been adversely affected. "We will provide additional information as it becomes available and will take the appropriate action to protect our customers," Microsoft added.

Spider.io states that the vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.

Contact Us for News Tips, Corrections and Feedback

Discuss
Ask a Category Expert

Create a new thread in the News comments forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
  • 4 Hide
    chicofehr , December 13, 2012 9:57 PM
    I'm sure Microsoft is using this themselves which is why they don't seem bothered to fix it. Google probably wants this flaw to remain as well.
  • -5 Hide
    spartanmk2 , December 13, 2012 10:20 PM
    When has internet explorer ever not had a vulnerability...
  • -4 Hide
    A Bad Day , December 13, 2012 10:22 PM
    Quote:
    Internet Explorer versions 6, 7, 8, 9 and 10.


    I wonder if MS is going to patch one of those two browsers IF they get around to the exploit, or at least IE7?...

    Anyways, I already installed IE10, but I suppose I'll have wait for a while considering the fact that how easy it is to upload malware-loaded advertisements.
  • Display all 16 comments.
  • 8 Hide
    A Bad Day , December 13, 2012 10:26 PM
    Spartanmk2When has internet explorer ever not had a vulnerability...


    When was there a software that was invulnerable except for ones completely inaccessible by humans (or not created by a human, because a jerk can set a critical embedded software to delete itself at 2012 Dec 21st before loading it to the devices).
  • 7 Hide
    joytech22 , December 13, 2012 10:36 PM
    Tracking cursor movement is about as useful as being blindfolded and trying to hit a pinata from 1000km away.
  • 9 Hide
    beayn , December 14, 2012 12:14 AM
    What purpose would tracking cursor movement have? It's not like it's stealing passwords.
  • 2 Hide
    alextheblue , December 14, 2012 12:27 AM
    joytech22Tracking cursor movement is about as useful as being blindfolded and trying to hit a pinata from 1000km away.
    That's kind of what I was thinking. If it doesn't send information other than cursor location and ctrl, shift, alt key status, it's not much of a vulnerability.
  • 2 Hide
    Anonymous , December 14, 2012 1:03 AM
    As far as tracking the relative positions of a 10 key key pad that some banking websites use to defeat key loggers, I guess some banks can randomize the layout of the 10 key pad to defeat that vulnerability!
  • 0 Hide
    arson94 , December 14, 2012 1:14 AM
    Well.... If I were to write messages to these "hackers" using my mouse cursor, like I moved my cursor around my desktop to write "Lick balls, bitch" would they receive my message? If not, then I guess I wouldn't call it much of a hack. They would probably think that my computer was infected with real malware that sporadically moved my mouse cursor around uncontrollably.
  • 0 Hide
    SteelCity1981 , December 14, 2012 2:04 AM
    how about more ie version updates instead of coming out with a new version every two years. IE should be at least v15 right now.
  • 4 Hide
    A Bad Day , December 14, 2012 2:26 AM
    joytech22Tracking cursor movement is about as useful as being blindfolded and trying to hit a pinata from 1000km away.


    If you can somehow get hold of what pages the person visited, and synced the cursor movements with the page histories...
  • 0 Hide
    PreferLinux , December 14, 2012 2:43 AM
    A Bad DayIf you can somehow get hold of what pages the person visited, and synced the cursor movements with the page histories...

    Exactly. On its own, it isn't much. But put it with something else, and you could find it rather ... dreadful.
  • 2 Hide
    IzzyCraft , December 14, 2012 10:20 AM
    SteelCity1981how about more ie version updates instead of coming out with a new version every two years. IE should be at least v15 right now.

    Because MS IE team saves version numbers to real changes to the browser, it's people like you why FF changed their version numbering to increase their version number(rapid release plan) because idiots like you see larger numbers and think better. IE updates versions all the time with windows update, but they save updates mostly to bug fixes, security updates. Major performance and feature set are saved for full version numbers very similar to Firefox's older release plan. But ever since google shitted up things by having full version numbers for little reasons monzilla and opera both changed their update polices.
  • 0 Hide
    ojas , December 14, 2012 10:44 AM
    A Bad DayIf you can somehow get hold of what pages the person visited, and synced the cursor movements with the page histories...

    Yeah, if you know the page layout then maybe you'd be on to something, but if i'm not wrong, virtual keyboards on banking sites are randomized independently of the page so i doubt it'll matter there.
  • 0 Hide
    jeffunit , December 14, 2012 10:50 AM
    it can get data from a virtual keyboard (like a number pad), which is often used for authentication while logging in to banking sites.
  • 0 Hide
    IzzyCraft , December 14, 2012 3:36 PM
    Quote:
    it can get data from a virtual keyboard (like a number pad), which is often used for authentication while logging in to banking sites.
    It would be hard, all you have is the mouse state data nothing else you can't tell what the user is doing easily. Also when using a touch keyboard the mouse doesn't move, meaning the only way this would work if for some reason the person uses a mouse to use the win8 touch keyboard instead of a touch screen plus you'd also need to know what website they are using at the time of recording. It's an incredibly difficult thing to exploit maliciously.

    When you read more about the exploit you get a sense of how hard it would be to exploit it, also it's been around for a long time you can easily port this "exploit" over to firefox, opera and chrome, because it's a feature for ad servers dat click data.