Internet Explorer bug tracks your mouse cursor

December 13, 2012 // 11:46 a.m.

Tags: #advertising #analytics #ie-10 #ie-6 #ie-7 #ie-8 #ie-9 #internet-explorer #security #spiderio #tracking #vulnerability #windows-8

Security researchers have uncovered a new vulnerability in Internet Explorer, allowing attackers to monitor mouse cursor movements - even when the mouse cursor is nowhere near the IE window.

The flaw affects Internet Explorer versions 6 through 10 inclusive and lets attackers follow the mouse cursor wherever it is on the screen, even when it is not positioned over the IE window. Worse still, the cursor can be tracked even when Internet Explorer is minimised, so long as the application is still running in the background. The flaw also exposes the status of the shift, control and alt keys.

Spider.io, the company that discovered the flaw in Internet Explorer's event model, has found that it is currently being exploited only by advertising analytics companies for shady user tracking and not by those with more malicious endeavours in mind - but the vulnerability could be used to monitor the use of on-screen keypads and selection boxes to enter security codes, a common feature of internet banking systems.

'As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software,' Spider.io warns. 'An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimise Internet Explorer—your mouse cursor can be tracked across your entire display.'

Microsoft is reportedly aware of the flaw, but has stated that it has no plans to patch the vulnerability any time soon - leaving users of all its browser versions, including the much-improved Internet Explorer 10 found in Windows 8, vulnerable to attack.

A short game demonstrating how the vulnerability could be used to compromise the security of virtual keypads is provided at iedataleak.spider.io - although, obviously, it won't work in anything except Internet Explorer.

UPDATE 2012-12-14
Microsoft's Dean Hachamovitch, corporate vice president in charge of Internet Explorer, has issued a statement on the matter. 'We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers,' Hachamovitch claimed, while downplaying the severity of the bug and accusing Spider.io of blowing the issue out of proportion in order to make rival analytics companies look bad. 'From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy. The only reported active use of this behavior involves competitors to Spider.io providing analytics.'

No timescale for a patch has yet been provided by the company.