Skip to main content

Microsoft Responds to IE Mouse Claims, Spider.io Retaliates

Microsoft has finally provided a more lengthy response to allegations that a vulnerability in Internet Explorer allows third-parties to see on-screen mouse movement even when the browser is minimized.

Previously Microsoft said it was merely investigating the issue, and that to date there are no active exploits of the flaw. Spider.io, which discovered the vulnerability and reported its findings back in October, disagrees. The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month, Spider.io claims.

Microsoft doesn't disagree with that statement, saying that the current underlying issue has more to do with competing analytics companies than consumer safety or privacy.

"We are actively working to adjust this behavior in IE," said Dean Hachamovitch, Corporate Vice President of Internet Explorer. "There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers."

Hachamovitch explained that online advertisers have switched from a "served" impression method to a "viewable" impression method. Thus many analytics companies have stepped in to compete in this space, some of which has resulted in lawsuits in which Spider.io is a part of. He pointed out that Spider.io is an analytics company – not a security firm – who recently said, "There are two ways to measure ad viewability. There is only one right way."

Spider.io makes its point of view very clear, he said.

"From investigating the specific behavior when mouse position data is visible outside the browser window, sites can view only the mouse state; they cannot view the actual content that the user is interacting with, he said. "From our conversations with security researchers across the industry, we see very little risk to consumers at this time. As we have stated previously, there are no reported cases of any consumer having their information compromised."

Naturally Spider.io responded to his response, complaining that it does not feel comfortable having a public debate.

"From the very beginning we have sought to work with all the respective parties to remedy this out of the public eye," the company said. "We privately disclosed the vulnerability and its use both to Microsoft and to the largest of the ad analytics companies currently exploiting the vulnerability—respectively on 1 October and 27 September. We made clear our belief that the Internet Explorer vulnerability was both significant and that its exploitation by an analytics company would suggest a disregard for user privacy and for the security efforts of browser vendors. Our suggestions were ignored by all the relevant parties as not being important."

Spider.io goes on to state that other browsers do not leak mouse-cursor position outside of the browser window in the way that Internet Explorer does. The company also argues Hachamovitch's claims that exploitation of the vulnerability to compromise login details and other confidential information is "theoretical", "hard to imagine" and would require "serving an ad to a site that asks for a logon."

"This is not the case," Spider.io said. "Ads do not need to be served to sites requiring login details. Ads need only to be served to some page which is open in Internet Explorer. The page with an embedded ad may be in a background tab. The page may be minimised. You may be using an entirely different application – potentially a different browser or some other desktop application – to log in."

To read the full response from Microsoft, head here. To read the feedback from Spider.io, head here. To skip all the mouse tracking on the Internet, simply shut down your PC and read from a tablet or smartphone. Or go read a book. Seriously, it's getting insane out here on the World Wide Web.

Contact Us for News Tips, Corrections and Feedback

  • kellybean
    MS ties their IE directly at the kernel level on purpose since they made their back-room deal with the FEDS to give them back doors into their OS.
    Reply
  • myromance123
    I don't see why I'd need to shut down my computer. Just DON'T use IE. I thought everyone would have honestly learned this lesson already by now. I gave IE9 my last try, and gave up when it caused my entire system to BSOD 3 times after fresh installs. No more IE, no matter how great people say it's become. It's main purpose is to help Microsoft maintain a monopoly, simple.
    Reply
  • freggo
    There is all sorts of info that goes along with a standard HTTP request.
    From OS version to screen size to # of colors etc.
    Cursor location can be called from java scripts etc. (and are needed to make image maps work.
    I don't see a serious security issue in anyone knowing where on the screen my cursor is.

    but I am open to suggestions :)
    Reply
  • Onus
    I'd like to see all these ad-serving companies brought to heel. Which analytics company was using this exploit? It sounds like at least one senior executive (i.e. a decision-maker, not a peon) should be put down. Where your mouse is when it is outside of their content is obviously none of their business. So there was a "bug" in IE? That's like saying that accidentally leaving your door unlocked gives permission for anyone to come in and take what they want.
    Reply
  • jn77
    Just go and buy a domain name, put up a simple website, and install google analytics to it, you would be amazed what you can report on, and I am sure there are things that can be reported on that google does not make public that the feds use..........
    Reply
  • dextermat
    I can't wait to see IE10.... noooootttttt!!!!
    Reply
  • theconsolegamer
    Let the dinosaur known as Microsoft to go down and die. Let Linux to paved the way into a new era of computing.
    Reply
  • AndrewMD
    It funny how many people have issues with IE but are totally obvious of the major issues that are found in competing browsers... If you want absolute security, disconnect yourself from the Internet.
    Reply
  • guardianangel42
    myromance123I don't see why I'd need to shut down my computer. Just DON'T use IE. I thought everyone would have honestly learned this lesson already by now. I gave IE9 my last try, and gave up when it caused my entire system to BSOD 3 times after fresh installs. No more IE, no matter how great people say it's become. It's main purpose is to help Microsoft maintain a monopoly, simple.
    3 BSODs caused by IE9? I find that extraordinarily hard to believe. Anecdotally, I've installed it on over a dozen systems and not one of them BSOD'd. Obviously anecdotal evidence is almost worthless, however the vast majority of problems such as yours tend to be caused by third party programs.

    A quick google search reveals that, on launch, BSOD's could be caused by Adobe's Reader X plugin. Further searching reveals that a myriad of addons can cause this behavior.

    If you knew what you were doing, which you may or may not have, then addons would never have been a problem. Most addons developed for IE were toolbars that tended to install themselves when you installed free software (still do in fact) but these can almost always be opted out of.

    I will admit that Adobe Reader is a fairly universal program. However, unless you're doing a ton of PDF editing (which admittedly you might be) there are much better programs out there. Beyond that there's very little reason to have the PDF plugin installed. It does nothing but bog down browsing speed while producing a product that barely passable.
    Reply
  • A Bad Day
    theconsolegamerLet the dinosaur known as Microsoft to go down and die. Let Linux to paved the way into a new era of computing.
    Error: Vast majority of games and business/education software are not compatible with Linux. Please install an unstable, resource-consuming emulator.
    AndrewMDIt funny how many people have issues with IE but are totally obvious of the major issues that are found in competing browsers... If you want absolute security, disconnect yourself from the Internet.
    No, an absolute security is to encase your computer in a 10-meter thick tungsten carbide and fire it into the outer space.

    Why?

    Because no one can break into your computer and use a cold-boot attack.
    Reply