reply to NotMe
Re: IE vulnerability tracks your mouse movements
Spider.io Blog, posted on December 14, 2012 at 3:52pm
quote:
Responsible Disclosure
Following Microsoft’s official response to the vulnerability disclosure we put out on Wednesday, we have been urged by all and sundry to reply. We do not feel at all comfortable participating in this public debate.
Resolution in private
From the very beginning we have sought to work with all the respective parties to remedy this out of the public eye.
We privately disclosed the vulnerability and its use both to Microsoft and to the largest of the ad analytics companies currently exploiting the vulnerability - respectively on 1 October and 27 September.
We made clear our belief both that the Internet Explorer vulnerability was significant and that its exploitation by an analytics company would suggest a disregard for user privacy and for the security efforts of browser vendors.
Our suggestions were ignored by all the relevant parties as not being important. We then went through the standard channels for responsible public disclosure of security vulnerabilities. We put a disclosure notice up at Bugtraq and we also put a disclosure notice up on our blog. It isn't for spider.io to judge whether this security vulnerability in Internet Explorer is important enough to fix.
Equally, it isn't for Microsoft and the various companies currently exploiting the vulnerability to decree unilaterally that this vulnerability is not important enough to fix. According to existing privacy standards, it is not ok for a browser to leak your mouse co-ordinates outside of the particular browser window. Should Microsoft fix this bug? This is a matter for the public to decide - in particular, it's a matter for the privacy experts.
Two clarifications
There are two other points in Microsoft's post which we believe are important to clarify.
Firstly, the post includes an ambiguous sentence: "There are similar capabilities available in other browsers." It is important to clarify that other browsers do not leak mouse-cursor position outside of the browser window in the way that Internet Explorer does.
Secondly, it has been suggested that exploitation of the vulnerability to compromise login details and other confidential information is “theoretical”, “hard to imagine” and would require “serving an ad to a site that asks for a logon.” This is not the case. Ads do not need to be served to sites requiring login details. Ads need only to be served to some page which is open in Internet Explorer. The page with an embedded ad may be in a background tab. The page may be minimised. You may be using an entirely different application - potentially a different browser or some other desktop application - to log in. As has already been noted on Hacker News, if you were to log in at this banking website using any browser (perhaps using your Chrome browser, for the sake of argument), then you would be vulnerable to attack if you had another page open in Internet Explorer, even if Internet Explorer was minimised. There are many similarly vulnerable sites and applications. If there is any uncertainty about whether it would be possible to decipher mouse traces to determine confidential details typed in with a virtual keyboard, we suggest readers of this post try this deciphering challenge.
»spider.io/blog/
siljaline | reply to NotMe
At this point, it's heavily rumored that MS will issue a FixIt
Sindows 7 | reply to siljaline
said by siljaline: At this point, it's heavily rumored that MS will issue a FixIt
Why bother, it's been 11 years now...whole OS's have come and gone since this bug came out.
/sarcasm
sivran | reply to OZO
I've always considered it dangerous to assume that virtual keyboards in any way defeat keyloggers.
ashrc4 | reply to sivran
said by sivran: I've always considered it dangerous to assume that virtual keyboards in any way defeat keyloggers.
KeyScrambler (which has trouble keeping up with frequent Firefox updates) or now Zemana free Antilogger BETA are standard for me.
-- Paradigm Shift beta test pilot. "Dying to defend one's small piece of suburb...Give me something global...STAT!"
siljaline | reply to Sindows 7
Apologies, I thought I had updated this thread.
• »dankaminsky.com/2012/12/14/mouse/
• »blog.lumension.com/6235/spider-i···t-legit/