Microsoft Investigating Mouse Tracking Flaw in Internet Explorer

On Thursday Microsoft said that it is looking into claims that a vulnerability in Internet Explorer allows hackers to track mouse activity on a screen even when the browser is not being actively used. News of the vulnerability surfaced on Wednesday, reporting that the problem resides in Internet Explorer versions 6, 7, 8, 9 and 10.

The browser flaw was originally spotted by Spider.io months ago, and then reported to Microsoft on October 1. The security analytics firm said that the Microsoft Security Research Center acknowledged the IE vulnerability, but the Redmond company stated that there were no immediate plans to patch this vulnerability in existing versions of the browser.

The IE vulnerability reportedly compromises the security of virtual keyboards and virtual keypads. Malware doesn't need to be installed. Instead, an attacker can simply buy display advertising on a site and insert non-malicious code into the ad itself. Thus when a user visits a website with the ad on display, the hacker can track their cursor movement while the page remains open.

Even more, cursor movement is recorded even if the web surfer is on another tab or out on the desktop with the browser minimized. Thus, as long as the web page remains open in Internet Explorer, the attacker can record everything the end-user's mouse does on-screen including making Skype calls and more.

"Internet Explorer’s event model populates the global Event object with some attributes relating to mouse events, even in situations where it should not," the security analytics firm said. "Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any webpage (or in any iframe within any webpage) to poll for the position of the mouse cursor anywhere on the screen and at any time—even when the tab containing the page is not active, or when the Internet Explorer window is unfocused or minimized. The fireEvent() method also exposes the status of the control, shift and alt keys."

Microsoft told The Next Web on Thursday that it's currently investigating the reported issue, but to date there are no active exploits or customers that have been adversely affected. "We will provide additional information as it becomes available and will take the appropriate action to protect our customers," Microsoft added.

Spider.io states that the vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.

Contact Us for News Tips, Corrections and Feedback

Create a new thread in the US News comments forum about this subject
This thread is closed for comments
16 comments
Comment from the forums
    Your comment
  • chicofehr
    I'm sure Microsoft is using this themselves which is why they don't seem bothered to fix it. Google probably wants this flaw to remain as well.
  • spartanmk2
    When has internet explorer ever not had a vulnerability...
  • A Bad Day
    Quote:
    Internet Explorer versions 6, 7, 8, 9 and 10.


    I wonder if MS is going to patch one of those two browsers IF they get around to the exploit, or at least IE7?...

    Anyways, I already installed IE10, but I suppose I'll have wait for a while considering the fact that how easy it is to upload malware-loaded advertisements.