Update: Spider.io disappointed with Microsoft, says IE mouse tracking flaw is being exploited ‘at scale’
News broke on Wednesday of a new Internet Explorer vulnerability that allows an attacker to track your mouse cursor anywhere on the screen, even if the browser isn’t being actively used. On Thursday, Microsoft confirmed it is looking into the issue and denied reports that the flaw is already being exploited.
“We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected,” a Microsoft spokesperson told TNW. “We will provide additional information as it becomes available and will take the appropriate action to protect our customers.”
The security hole, first discovered by Spider.io a few months ago and disclosed to Microsoft on October 1, reportedly affects all supported versions of the browser: IE6, IE7, IE8, IE9, and IE10. The security firm claimed the Microsoft Security Research Center acknowledged the IE vulnerability but told the researchers it had “no immediate plans” to patch it in existing versions of the browser. With all the coverage yesterday, that may be changing.
The IE vulnerability compromises the security of virtual keyboards and virtual keypads, which can be used to reduce the chance of a keylogger recording every keystroke to learn your credit card numbers, passwords, and other sensitive information. This means your IE activity can be recorded even if you never install any malicious software.
An attacker can simply buy display advertising on a website you visit, and as long as that website is open, even if you’re not actively on it (IE is minimized, in the background, or you’re in another tab), your mouse movements can be tracked. Spider.io claimed the security hole is already being exploited by at least two display ad analytics companies, but Microsoft’s statement today suggests it has not found proof that users are being ‘adversely affected’ by the issue.
Update at 6:30PM EST: Microsoft did not respond with a statement. Instead, the company posted “Update to Alleged Information and Security Issue with Mouse Position Behavior.”
Here’s the crux of it:
“From investigating the specific behavior when mouse position data is visible outside the browser window, sites can view only the mouse state; they cannot view the actual content that the user is interacting with. From our conversations with security researchers across the industry, we see very little risk to consumers at this time. As we have stated previously, there are no reported cases of any consumer having their information compromised.”
In short, Microsoft says this issue has been blown out of proportion.
Image credit: Denise Yap