Spider.io, the security company that recently found a new Internet Explorer flaw, is calling Microsoft out on its statement about the issue. Microsoft told TNW that “to date there are no reports of active exploits or customers that have been adversely affected” but Spider.io argues that “the vulnerability is being exploited currently and at scale.”
In case you’re just tuning in, Spider.io recently found the new IE vulnerability, which allows an attacker to track your mouse cursor anywhere on the screen even if the browser isn’t being actively used, and disclosed it on Wednesday. On Thursday (today), Microsoft issued the following statement to TNW:
We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected. We will provide additional information as it becomes available and will take the appropriate action to protect our customers.
F**k it, we'll do it live!
Spider.io spokesperson Douglas de Jager contacted TNW soon after we published our article, giving a timeline of events showing that his company disclosed the issue to Microsoft on October 1, including that the vulnerability was already being exploited in the wild. Microsoft confirmed the flaw to Spider.io on October 12.
On October 29, Spider.io got in touch with Microsoft again to note that the issue is “being exploited in the wild.” On October 30, Microsoft told Spider.io: “We have completed our analysis[…] This does not hit the bar for a security update, it hits the bar for a next version fix.”
Here’s where things get interesting. Spider.io claimed yesterday the security hole is already being exploited by at least two display ad analytics companies. De Jager says Microsoft did not appear to be aware of this part when the security company went public with the flaw yesterday as it told him: “Can you provide more details on the two ad analytics companies?” and “We were not aware that this was under active attack.”
As such, de Jager issue the following statement to TNW:
Whether or not the team at MSRC failed to read our repeated mention of the vulnerability being exploited before yesterday, Microsoft can surely not deny knowledge today. The vulnerability is being exploited currently and at scale. MSRC know about it.
If you actually read Microsoft’s original statement, however, you’ll note the company does not say the flaw isn’t being exploited in the wild. Microsoft simply says its users aren’t being “adversely affected” such as having their information stolen or PCs hijacked. On the other hand, Microsoft clearly says there are no reports of active exploits, yet Spider.io clearly specified that advertisers are indeed exploiting the vulnerability.
While subtle, these are all important distinctions to note. We are in touch with Microsoft and will update this article when we learn more from the company as the investigation progresses.
Update at 6:30PM EST: Microsoft did not respond with a statement. Instead, the company posted Update to Alleged Information and Security Issue with Mouse Position Behavior.
Here’s the crux of it:
From investigating the specific behavior when mouse position data is visible outside the browser window, sites can view only the mouse state; they cannot view the actual content that the user is interacting with. From our conversations with security researchers across the industry, we see very little risk to consumers at this time. As we have stated previously, there are no reported cases of any consumer having their information compromised.
In short, Microsoft says this issue has been blown out of proportion.
Image credit: Colin Adamson