With Windows 8, Microsoft promises that Internet Explorer is good again. The latest release, IE10, is being promoted through a self-deprecating ad campaign that wins goodwill through humor. It looks as if Microsoft is finally taking its browser seriously, but a recently disclosed vulnerability suggests otherwise.
Spider.io, a web analytics company, reports that it found a vulnerability in Internet Explorer versions 6 through 10 that allows an attacker to track a user’s mouse movements. Spider.io reported the issue to Microsoft at the beginning of October, but Microsoft took no action beyond acknowledging that the vulnerability existed. In an attempt to get Microsoft moving toward a fix, the company has now gone public with its original report.
So, why is it so bad for hackers to track your mouse movements? The team at Spider.io explains the security risks in its original letter to Microsoft:
A security vulnerability in Internet Explorer, versions 6–10, allows your mouse cursor to be tracked anywhere on the screen, even if the Internet Explorer window is inactive, unfocused or minimised. The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads.
As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimise Internet Explorer—your mouse cursor can be tracked across your entire display.
For those who prefer a visual example, here’s a video of the exploit in action:
The real danger is that virtual keypads were created precisely to defeat keyloggers, which attackers already use widely to steal passwords and other information typed on a physical keyboard. With this attack, passwords entered through a virtual keypad are no longer safe either until Microsoft patches the flaw. Unfortunately, it looks as if Microsoft has no plans to do so.
It’s ridiculous that a company that so adamantly supported Do Not Track is blatantly allowing ad companies to track IE users through a vulnerability. It’s also reminiscent of a major security flaw in Java that Oracle refused to patch until its next scheduled patch Tuesday; in the end, Oracle patched it after enough people raised a stink. By going public, Spider.io clearly wants people to complain and push Microsoft into fixing this potentially dangerous vulnerability.
Until Microsoft fixes this vulnerability, I’d suggest using any of the other browsers available, especially if you rely on virtual keypads. Who knows? You might even like it enough to stay. It’s obvious that Microsoft doesn’t care about its users if it doesn’t fix a flaw this dangerous.
[h/t: Wired UK]