| IE vulnerability tracks your mouse movements ArsTechnica
quote:
...the following security vulnerability in Internet Explorer, versions 6–10, which allows your mouse cursor to be tracked anywhere on the screen—even if the Internet Explorer window is minimised.
Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser.
|
|
 BlackbirdBuilt for SpeedPremium
join:2005-01-14
Fort Wayne, IN
kudos:3
 ·Frontier Communi..
| Our habits matter. From Mosaic days onward, I've always considered a web browser to be a doorway to the outside world. A doorway that, no matter how hard I personally may try to guard, can potentially allow somebody outside to come in or at least peek in to monitor whatever it is I'm doing on the system. As a result, on a net-facing system that I need to do work with personally-sensitive applications and files, I always turn off all browsers before opening or manipulating sensitive files... simply to close that particular potential door to the outside world. To reinforce that practice, I log out of the browsing user account and re-login to an applications user account that has no local access to any browser. To me, this has become a natural part of my safe-hex regime, along with working to keep the system malware-free via other practices, settings, and layered security.
To cope with sensitive information while browsing, I keep my use of such sites to a bare minimum, almost exclusively dealing only with those requiring at least two-part authentication and no forms of on-screen keyboarding. At such sites, I keep all other tabs closed out, and I clear private data and exit the browser immediately before and following each such site contact. Inconvenient perhaps, but it inherently protects against a lot of attack vectors, current and future... whatever the browser.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville |
|
 jaykaykay4 Ever YoungPremium,MVM
join:2000-04-13
Scottsdale, AZ
kudos:22 | +1 Once computers became tools for the world, Pandora was let out of the box, and the only way to hope that we can protect ourselves from others tracking our movements is by trying to maintain full caution/knowledge about the possibilities in the first place. We can never go back and put Pandora back, so we must do whatever we can to deal with her ill will. |
|
|
|
OZOPremium
join:2003-01-17
kudos:2 | reply to NotMe
Wow! You don't have to install any software to make this happen...
Why m$ has developed this "feature", put it into IE v6 and kept it in all new version of the browser?
--
Keep it simple, it'll become complex by itself... |
|
 siljalineI'm lovin' that double widePremium
join:2002-10-12
Montreal, QC
kudos:17
·Bell Sympatico
| reply to NotMe
Also spotted:
• Internet Explorer can track your mouse anywhere on the screen and Microsoft won’t fix it
• Internet Explorer tracks cursor even when minimised |
|
 airwavzAlways the green wire
join:2011-09-11
Mount Juliet, TN
kudos:1 | reply to NotMe
Simple reinforcement of the concepts of:
a. Use a browser other than IE, especially for sensitive info
b. ALWAYS close your browser when not in use
With the proliferation of sites using Ajax / other interactive technology, leaving a browser open when not needed is the digital equivalent of a blinking neon sign saying "Door's Open - Come On In"
(My wife keeps Facebook open / minimized ALL THE TIME - and she wonders why I keep her computer on an isolated subnet...) |
|
 BlitzenZeusBurnt Out CynicPremium
join:2000-01-13
kudos:2 | reply to NotMe
As Microsoft would say "Working as intended" |
|
 Dude111An Awesome DudePremium
join:2003-08-04
USA
kudos:11
3 edits | reply to OZO
Because they assume everyone HAS SCRIPTS ENABLED!!!!
This doesnt work if you have them disabled (Which i usually always do)
I enabled them and went to the test page and saw just what it did....
»iedataleak.spider.io/demo
After the test i disabled them again....... |
|
OZOPremium
join:2003-01-17
kudos:2 | Yes, indeed. Script should be enabled to make it work. If you disable the script - it stops.
It's interesting to watch that not only mouse movements could be tracked. It also shows the position of the IE browser window and if you press Shft, Alt and Ctrl keys...
Why did they (m$) develop that? For what purpose?
--
Keep it simple, it'll become complex by itself... |
|
Reviews:
·WestNet Broadband
| reply to NotMe
Re: IE vulnerability tracks your mouse movements
I'm over these exploits and vulnerabilities.
We all know they are out there, the problem is pushing new software to avoid fixing bugs. If an A/V company did this they would be hamstrung.....but if the O/S company does it, it's fine.
Don't tell me this has only just been found. 3 letter agencies the world over has known of all sorts of fun toys for years....big brother has nothing on those that really concentrate on working the systems we make.
/Troll
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
Reviews:
·WestNet Broadband
1 edit | reply to Blackbird
said by Blackbird:Our habits matter. From Mosaic days onward, I've always considered a web browser to be a doorway to the outside world. A doorway that, no matter how hard I personally may try to guard, can potentially allow somebody outside to come in or at least peek in to monitor whatever it is I'm doing on the system.
It's a pity no one else seriously discussed this of late.
When was the last serious debate on browsers specifically discussed here? Blame plug-ins was the last chat from memory.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
| reply to NotMe
Information disclosure (mouse tracking) vulnerability in Microsoft Internet Explorer versions 6-10
»seclists.org/bugtraq/2012/Dec/81 |
|
 Sindows 7
join:2006-09-13
Chilliwack, BC
kudos:2
·TekSavvy DSL
 ·Shaw
·TELUS
| reply to NotMe
said by Unknown :Heatmaps have been used by web developers for a few years now to tweak usability on websites. They can already, easily, record everything your mouse does on that website.
This is the same principle - They know which site you're on and what you did. You can see it all clearly and visibly.
|
|
siljalineI'm lovin' that double widePremium
join:2002-10-12
Montreal, QC
kudos:17 | reply to Dude111
Re: The POC is there, there is no current fix  |
|
siljalineI'm lovin' that double widePremium
join:2002-10-12
Montreal, QC
kudos:17 Reviews:
·Bell Sympatico
| reply to NotMe
Re: IE vulnerability tracks your mouse movements Microsoft: We’re investigating the Internet Explorer mouse-tracking vulnerability
quote:
Microsoft is investigating vulnerabilities in Internet Explorer that could enable hackers to potentially gain access to any private information you enter onscreen.
Full Article |
|
Mele20Premium
join:2001-06-05
Hilo, HI
kudos:4 | From the article you linked to:
"If you’re using Internet Explorer, a simple way to protect yourself online is to simply enter nothing at all in a virtual, onscreen keyboard. At least until Microsoft issues a fix or determines that this is not actually a security problem."
I thought this was about a MOUSE vulnerability? What does onscreen keyboard have to do with this?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson |
|
OZOPremium
join:2003-01-17
kudos:2 | People are using onscreen keyboards to protect themselves from key loggers, when they have to enter important private data (passeords, CC#'s, SSN, etc). Now we discover, that IE allows hackers to see and log that data too. Thanks to m$ 
--
Keep it simple, it'll become complex by itself... |
|
Dude111An Awesome DudePremium
join:2003-08-04
USA
kudos:11 | But i dont think it works IF SCRIPTS ARE DISABLED... (It doesnt show LOCALLY anyway and i dunno if it even can W/O BEING ABLE TO ACTIVATE A SCRIPT)
Is there any SURE FIRE way to find out one way or another if it works W/O SCRIPTS?? |
|
OZOPremium
join:2003-01-17
kudos:2 | I've mentioned it earlier:
said by OZO:Yes, indeed. Script should be enabled to make it work. If you disable the script - it stops.
--
Keep it simple, it'll become complex by itself... |
|
siljalineI'm lovin' that double widePremium
join:2002-10-12
Montreal, QC
kudos:17 Reviews:
·Bell Sympatico
| reply to NotMe
Re: IE vulnerability tracks your mouse movements quote:
Over the last few days we’ve seen reports alleging abuse of a browser behavior regarding mouse position. Microsoft is working closely with other companies to address the concern of mouse position movement. From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy.
We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers. We will update this blog with more information as it is available.
MS IE Blog Entry |
|
