Previously Microsoft said it was merely investigating the issue, and that to date there are no active exploits of the flaw. Spider.io, which discovered the vulnerability and reported its findings back in October, disagrees. The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month, Spider.io claims.
Microsoft doesn't disagree with that statement, saying that the current underlying issue has more to do with competing analytics companies than consumer safety or privacy.
"We are actively working to adjust this behavior in IE," said Dean Hachamovitch, Corporate Vice President of Internet Explorer. "There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers."
Hachamovitch explained that online advertisers have switched from a "served" impression method to a "viewable" impression method. Thus many analytics companies have stepped in to compete in this space, some of which has resulted in lawsuits in which Spider.io is a part of. He pointed out that Spider.io is an analytics company – not a security firm – who recently said, "There are two ways to measure ad viewability. There is only one right way."
Spider.io makes its point of view very clear, he said.
"From investigating the specific behavior when mouse position data is visible outside the browser window, sites can view only the mouse state; they cannot view the actual content that the user is interacting with, he said. "From our conversations with security researchers across the industry, we see very little risk to consumers at this time. As we have stated previously, there are no reported cases of any consumer having their information compromised."
Naturally Spider.io responded to his response, complaining that it does not feel comfortable having a public debate.
"From the very beginning we have sought to work with all the respective parties to remedy this out of the public eye," the company said. "We privately disclosed the vulnerability and its use both to Microsoft and to the largest of the ad analytics companies currently exploiting the vulnerability—respectively on 1 October and 27 September. We made clear our belief that the Internet Explorer vulnerability was both significant and that its exploitation by an analytics company would suggest a disregard for user privacy and for the security efforts of browser vendors. Our suggestions were ignored by all the relevant parties as not being important."
Spider.io goes on to state that other browsers do not leak mouse-cursor position outside of the browser window in the way that Internet Explorer does. The company also argues Hachamovitch's claims that exploitation of the vulnerability to compromise login details and other confidential information is "theoretical", "hard to imagine" and would require "serving an ad to a site that asks for a logon."
"This is not the case," Spider.io said. "Ads do not need to be served to sites requiring login details. Ads need only to be served to some page which is open in Internet Explorer. The page with an embedded ad may be in a background tab. The page may be minimised. You may be using an entirely different application – potentially a different browser or some other desktop application – to log in."
To read the full response from Microsoft, head here. To read the feedback from Spider.io, head here. To skip all the mouse tracking on the Internet, simply shut down your PC and read from a tablet or smartphone. Or go read a book. Seriously, it's getting insane out here on the World Wide Web.
