bit-tech.net

Internet Explorer bug tracks your mouse cursor

Spider.io's sample game demonstrates how the flaw in Internet Explorer can be used to capture security data entered into on-screen keypads.

Security researchers have uncovered a new vulnerability in Internet Explorer, allowing attackers to monitor mouse cursor movements - even when the mouse cursor is nowhere near the IE window.

Affecting Internet Explorer versions 6 through 10 inclusive, the flaw allows attackers to follow the mouse cursor regardless of where it is on the screen - even if it's not positioned over the IE window. Worse still, the cursor can be tracked even when Internet Explorer is minimised, so long as the application is still running in the background. The flaw also exposes the state of the shift, control and alt keys.

Spider.io, the company that discovered the flaw in Internet Explorer's event model, has so far found it being exploited only by advertising analytics companies for covert user tracking, not by anyone with more malicious intent. The vulnerability could nonetheless be used to monitor the use of on-screen keypads and selection boxes for entering security codes, a common feature of internet banking systems.

'As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software,' Spider.io warns. 'An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimise Internet Explorer—your mouse cursor can be tracked across your entire display.'

Microsoft is reportedly aware of the flaw, but has stated that it has no plans to patch the vulnerability any time soon - leaving users of all its browser versions, including the much-improved Internet Explorer 10 found in Windows 8, vulnerable to attack.

A short game demonstrating how the vulnerability could be used to compromise the security of virtual keypads is provided at iedataleak.spider.io - although, obviously, it won't work in anything except Internet Explorer.
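As an added illustration (not code from the article, from Spider.io's demo or from Microsoft), the JavaScript below models the on-screen keypad case: with a fixed keypad layout, the click coordinates the flaw exposes map straight back to the digits entered, while a per-session shuffled layout leaves the same coordinates meaningless to anyone who did not see the page. Key size, keypad position and the PIN are constructed values.

```javascript
// Added example, not code from the article, Spider.io's demo or Microsoft.
// Models a 3-column on-screen PIN keypad and shows what leaked cursor
// coordinates reveal: with a fixed layout an observer recovers the PIN from
// the click positions alone; with a per-session shuffled layout the same
// positions decode to the wrong digits. Sizes and positions are assumed values.
const KEY_SIZE = 40;               // assumed key size in screen pixels
const ORIGIN = { x: 100, y: 200 }; // assumed top-left of the keypad on screen
const FIXED = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "0"];

// Lay `digits` out row-major on a 3-column grid (4 rows for 10 keys).
function buildKeypad(digits) {
  return digits.map((digit, i) => ({
    digit,
    x: ORIGIN.x + (i % 3) * KEY_SIZE,
    y: ORIGIN.y + Math.floor(i / 3) * KEY_SIZE,
  }));
}

// Fisher-Yates shuffle; `rng` returns a float in [0, 1). In a real page derive
// it from crypto.getRandomValues, or shuffle server-side and send the layout.
function shuffledDigits(rng) {
  const d = FIXED.slice();
  for (let i = d.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [d[i], d[j]] = [d[j], d[i]];
  }
  return d;
}

// Hit-test click coordinates against the layout the observer believes is in use.
function decodeClicks(layout, clicks) {
  return clicks.map(({ x, y }) => {
    const hit = layout.find(k =>
      x >= k.x && x < k.x + KEY_SIZE && y >= k.y && y < k.y + KEY_SIZE);
    return hit ? hit.digit : "?";
  }).join("");
}

// Constructed scenario: the user clicks `pin` on a keypad laid out as
// `userDigits`; the observer only sees coordinates and assumes FIXED.
function simulate(userDigits, pin) {
  const layout = buildKeypad(userDigits);
  const clicks = pin.split("").map(d => {
    const key = layout.find(k => k.digit === d);
    return { x: key.x + KEY_SIZE / 2, y: key.y + KEY_SIZE / 2 }; // key centre
  });
  return decodeClicks(buildKeypad(FIXED), clicks);
}
```

Shuffling only helps if the layout itself is never exposed to the page's third-party scripts; a keypad drawn as an image fetched once per session is the usual way to achieve that.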

UPDATE 2012-12-14
Microsoft's Dean Hachamovitch, corporate vice president in charge of Internet Explorer, has issued a statement on the matter. 'We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers,' Hachamovitch claimed, while downplaying the severity of the bug and accusing Spider.io of blowing the issue out of proportion in order to make rival analytic companies look bad. 'From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy. The only reported active use of this behavior involves competitors to Spider.io providing analytics.'

No timescale for a patch has yet been provided by the company.

26 Comments

will_123 13th December 2012, 12:58
Don't use it. Chrome or Firefox for me, but it's worrying that they don't intend to patch it.
ShinyAli 13th December 2012, 13:01
Before I and probably some others go off on an anti-IE rant, has anyone tested other browsers for this exploit?
Gareth Halfacree 13th December 2012, 13:03
Quote:
Originally Posted by ShinyAli
Before I and probably some others go off on an anti-IE rant, has anyone tested other browsers for this exploit?
Yes, and they're not affected: it's specific to IE, as the article explains.
Bede 13th December 2012, 13:50
I'm confused as to why Microsoft don't want to patch it. Is it a common occurrence to leave security holes open in software?
Anfield 13th December 2012, 13:52
Microsoft says they have no plan to patch it soon? Kind of funny considering what they recently tried against Android on Twitter.
general22 13th December 2012, 14:03
This is pretty much useless without some way to see what the user is looking at onscreen. MS are generally good with security updates and patching this probably isn't worth it.
steveo_mcg 13th December 2012, 14:18
You suffer from a lack of imagination, my friend. With a 6x6+1 on-screen keypad it would be fairly trivial to see a code. Advertisers would love to see exactly where people are placing their mouse, as then they can stick ads right under your nose. And those are just the two examples in the article; the more imaginative will probably have even better ideas.

Besides all that, if there is a security hole of any shape it should be patched soon after it's discovered; it might be a "useless" thing today, but who knows how it will morph. Fit the lock before the horse even realises there is a door.
Snips 13th December 2012, 14:22
Well the biggest and best do tend to get a few knocks every now and then. I don't foresee a problem here.
Corky42 13th December 2012, 14:26
Quote:
Originally Posted by Bede
I'm confused as to why Microsoft don't want to patch it. Is it a common occurrence to leave security holes open in software?

Maybe because they can't; maybe fixing it will mean disabling some important feature.

It's not good to say you're not going to fix a security-related bug, as that is all most people will take away from it: that M$ isn't worried about people's security.
Snips 13th December 2012, 15:14
I'd take it with a pinch of salt, as this is not an official Microsoft statement. When they come out and state "they aren't doing anything about it", maybe then believe it, but at the moment it's one company's word, or a small company trying to gain some exposure?
fdbh96 13th December 2012, 17:13
I can just imagine an advert following the cursor around the screen. That would be very annoying, and I too wonder why Microsoft isn't going to patch it?
Snips 13th December 2012, 23:03
Where did it say above that Microsoft said they weren't going to patch it? I didn't see any statement from Microsoft above or anywhere else.
Gradius 14th December 2012, 01:12
I haven't used IE since 2007.
Corky42 14th December 2012, 01:16
Quote:
Originally Posted by Snips
Where did it say above that Microsoft said they weren't going to patch it? I didn't see any statement from Microsoft above or anywhere else.

I have never known Microsoft to publish details of a bug before they release the update to fix it; normally you get the update and they give details of what that update fixes.
SimonStern 14th December 2012, 08:30
I posted about this in software yesterday and nobody seemed to care lol

http://forums.bit-tech.net/showthread.php?t=253175
Gareth Halfacree 14th December 2012, 09:00
Article updated with official comment from Microsoft: apparently a patch, of sorts, is in the pipeline.
LordPyrinc 14th December 2012, 11:29
I use IE and have recently experienced a temporarily unresponsive mouse on more than one occasion, usually lasts between 3 to 5 seconds. Considering that the mouse is wireless, I first thought it was a battery issue, but after replacing the battery the problem has happened again. If I recall correctly, most of the incidents happened on a very popular news site, formerly known as MSNBC. The plethora of ads on the site and pop-ups that get blocked sometimes crashes the browser and requires IE to try to automatically recover as well.
Snips 14th December 2012, 22:18
'From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy. The only reported active use of this behavior involves competitors to Spider.io providing analytics.'

What was it I said earlier? Exactly that :)
ShinyAli 14th December 2012, 22:29
Quote:
Originally Posted by ShinyAli
Before I and probably some others go off on an anti-IE rant, has anyone tested other browsers for this exploit?
Quote:
Originally Posted by Gareth Halfacree
Yes, and they're not affected: it's specific to IE, as the article explains.

Maybe not,

UPDATE 2012-12-14
Microsoft's Dean Hachamovitch, corporate vice president in charge of Internet Explorer, has issued a statement on the matter. 'We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers,' Hachamovitch claimed.
general22 15th December 2012, 08:43
Quote:
Originally Posted by steveo_mcg
You suffer from a lack of imagination, my friend. With a 6x6+1 on-screen keypad it would be fairly trivial to see a code. Advertisers would love to see exactly where people are placing their mouse, as then they can stick ads right under your nose. And those are just the two examples in the article; the more imaginative will probably have even better ideas.

Besides all that, if there is a security hole of any shape it should be patched soon after it's discovered; it might be a "useless" thing today, but who knows how it will morph. Fit the lock before the horse even realises there is a door.

I am sure this would be useful for advertisers, but you can already track a mouse position in JS. The only difference here is that it happens even outside of the IE window. It's a bug, but I think it's been overhyped.

Say, for example, you had a site open with this script loaded that tracked your mouse movements: how will it know what it is that you are moving your mouse over on the screen?

It should be patched, but I think it's not critical compared to exploits that allow executing malicious code and things like that.
SirFur 17th December 2012, 17:47
Quote:
Originally Posted by ShinyAli
Maybe not,

UPDATE 2012-12-14
Microsoft's Dean Hachamovitch, corporate vice president in charge of Internet Explorer, has issued a statement on the matter. 'We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers,' Hachamovitch claimed.

That's an interesting statement. Any idea which browsers?
ShinyAli 17th December 2012, 18:05
Quote:
Originally Posted by SirFur
That's an interesting statement. Any idea which browsers?

No other browsers are mentioned by name. I wonder if he is just stirring things up or scaremongering? If Mozilla, Google etc. deny it, he might have to prove it or eat his words!
SirFur 18th December 2012, 05:15
Quote:
Originally Posted by ShinyAli
No other browsers are mentioned by name. I wonder if he is just stirring things up or scaremongering? If Mozilla, Google etc. deny it, he might have to prove it or eat his words!

Yeh, sounds a little fishy... if it isn't true then it could be an interesting time ahead, but it may, as some folks have said, be quite difficult to know exactly where the cursor is hovering or what it's clicking... so it may have been considered a minimal-risk exploit and folks have not bothered to patch it as a general rule... I wonder if there is a browser add-on or app that actually utilises such a feature as part of the browser design?
ShinyAli 18th December 2012, 13:39
Approaching this issue from a slightly different angle there is a Firefox add-on called "Ghostery".

"Ghostery sees the "invisible" web, detecting trackers, web bugs, pixels, and beacons placed on web pages by Facebook, Google Analytics, and over 1,000 other ad networks, behavioral data providers, web publishers - all companies interested in your activity".

I'm going to give it a try. Probably quite daunting when you find out just how intensely your surfing is monitored, and what these companies do is apparently not illegal, but the opportunities for exploitation are obvious. Even if a site is HTTPS, which protects against man-in-the-middle attacks, if some kind of cursor tracker/keylogger has been hidden in the page, just how safe are you when entering personal/card details?
impar 19th December 2012, 21:30
Greetings!
Quote:
Originally Posted by ShinyAli
Approaching this issue from a slightly different angle there is a Firefox add-on called "Ghostery".
There is this one too: Collusion
The web it creates is interesting to look at.
Dude111 22nd December 2012, 05:33
This only works IF SCRIPTS ARE ENABLED!