Update on December 13: Microsoft is investigating IE’s mouse tracking flaw, says users have not been ‘adversely affected’

A new Internet Explorer vulnerability has been discovered that allows an attacker to track your mouse cursor anywhere on the screen, even if the browser isn’t being actively used. All supported versions of Microsoft’s browser are reportedly affected: IE6, IE7, IE8, IE9, and IE10.

The flaw was first discovered by Spider.io a few months ago, and disclosed to Microsoft by the security firm on October 1. Spider.io says the Microsoft Security Research Center acknowledged the IE vulnerability, but told the researchers it had “no immediate plans” to patch it in existing versions of the browser.

The IE vulnerability undermines virtual keyboards and virtual keypads, the on-screen input widgets sites use to reduce the chance of a keylogger recording every keystroke and learning your credit card numbers, passwords, and other sensitive information: if the cursor position can be recorded as you click, an on-screen keypad leaks just as a physical one does. You can try it out yourself over at iedataleak.spider.io/demo.

If you don’t use IE, here’s a video demonstration of the vulnerability in action:

This means your IE activity can be recorded even if you never install any malicious software. An attacker can simply buy display advertising on a website you visit, and as long as that website is open, even if you’re not actively on it (IE is minimized, in the background, or you’re in another tab), your mouse movements can be tracked.

In fact, Spider.io revealed the security hole is already being used by advertisers. Though it didn’t name them, the security firm said the vulnerability is currently being exploited by at least two display ad analytics companies “across billions of page impressions per month.”

As a result, the security firm went public with the flaw last night, saying it is “important for users of IE to be made aware of this vulnerability and its implications.” Details of the issue were posted on the Bugtraq mailing list.

For the data to be useful, the attacker would have to know what website you are currently using. Given that it’s already being used by advertisers, however, this can’t be particularly hard to achieve. They can take note of where they place their malicious ads, and an attacker would of course know the layout of the malicious page they design, or the legitimate one they hijack for such a scheme.
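The keypad scenario from the paragraphs above, as an added example that is not part of the article or of Spider.io's demo: a recorded stream of cursor positions only turns into a PIN once it is matched against a known keypad layout, and a per-session shuffle of the digits (the mitigation a site operator would reach for here; the article itself does not discuss it) breaks that match. Every coordinate, layout and "recorded" click below is constructed.

```javascript
// Added example (not from the article or Spider.io). Models why a cursor
// trace leaks a PIN only together with knowledge of the page layout, and
// why a per-session digit shuffle blunts the leak. All values constructed.
const KEY_SIZE = 40; // each key is a KEY_SIZE x KEY_SIZE square on screen

// Fixed 3x4 keypad as it appears on a page: digits 1-9, then 0 at the bottom.
// An attacker who knows the page knows these screen rectangles.
function fixedKeypadLayout(originX, originY) {
  const digits = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "0"];
  return digits.map((digit, i) => ({
    digit,
    x: originX + (i % 3) * KEY_SIZE,
    y: originY + Math.floor(i / 3) * KEY_SIZE,
  }));
}

// Same rectangles, digits permuted per session (Fisher-Yates). The shuffle
// lives in the bank's DOM, which a cross-origin ad iframe cannot read.
function shuffledKeypadLayout(originX, originY, rng) {
  const layout = fixedKeypadLayout(originX, originY);
  const digits = layout.map((k) => k.digit);
  for (let i = digits.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [digits[i], digits[j]] = [digits[j], digits[i]];
  }
  return layout.map((k, i) => ({ ...k, digit: digits[i] }));
}

// Attacker side: project recorded click coordinates onto the layout they
// assume the page has. Clicks outside every key map to "?".
function recoverPin(clicks, assumedLayout) {
  return clicks.map((c) => {
    const key = assumedLayout.find((k) =>
      c.x >= k.x && c.x < k.x + KEY_SIZE && c.y >= k.y && c.y < k.y + KEY_SIZE);
    return key ? key.digit : "?";
  }).join("");
}

// Victim side: the cursor trace produced by clicking the PIN on a layout.
function simulateClicks(pin, layout) {
  return [...pin].map((d) => {
    const key = layout.find((k) => k.digit === d);
    return { x: key.x + KEY_SIZE / 2, y: key.y + KEY_SIZE / 2 };
  });
}

function demo() {
  const pin = "4096";
  const fixed = fixedKeypadLayout(300, 200);
  const leaked = recoverPin(simulateClicks(pin, fixed), fixed); // "4096"
  // Deterministic stand-in for a CSPRNG so the run is reproducible.
  const vals = [0.13, 0.77, 0.42, 0.91, 0.05, 0.66, 0.28, 0.5, 0.33];
  let n = 0;
  const shuffled = shuffledKeypadLayout(300, 200, () => vals[n++ % vals.length]);
  // Attacker still assumes the fixed layout, so the same trace maps wrongly.
  const guess = recoverPin(simulateClicks(pin, shuffled), fixed); // "8472"
  return { leaked, guess, defeated: guess !== pin };
}
```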

To put this into perspective for you, here’s an excerpt of the Bugtraq entry:

As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector.

We have contacted Microsoft about the disclosure. We will update this article if we hear back.


Image credit: Julian Raduenz