Spider.io Responds To Microsoft’s Response On IE Mouse Tracking Flaw

5

Few days back Microsoft responded to the vulnerability that will allow your browsing activity on IE be recorded even if you are not on the particular website saying that they are investigating the issue. They also told that there are no reports of active exploits or customers that have been adversely affected.

Spider.io has responded to Microsoft’s response as follows,

Two clarifications

There are two other points in Microsoft’s post which we believe are important to clarify.

Firstly, the post includes an ambiguous sentence: “There are similar capabilities available in other browsers.” It is important to clarify that other browsers do not leak mouse-cursor position outside of the browser window in the way that Internet Explorer does.

Secondly, it has been suggested that exploitation of the vulnerability to compromise login details and other confidential information is “theoretical”, “hard to imagine” and would require “serving an ad to a site that asks for a logon.” This is not the case. Ads do not need to be served to sites requiring login details. Ads need only to be served to some page which is open in Internet Explorer. The page with an embedded ad may be in a background tab. The page may be minimized. You may be using an entirely different application—potentially a different browser or some other desktop application—to log in. As has already been noted on Hacker News, if you were to log in at this banking website using any browser (perhaps using your Chrome browser, for the sake of argument), then you would be vulnerable to attack if you had another page open in Internet Explorer, even if Internet Explorer was minimized. There are many similarly vulnerable sites and applications. If there is any uncertainty about whether it would be possible to decipher mouse traces to determine confidential details typed in with a virtual keyboard, we suggest readers of this post try this deciphering challenge.

Source: Spider.io via: Neowin



About Author

Pradeep, a Computer Science & Engineering graduate.

  • James

    im in room number 5 in my house.. Now snipe me.

  • Jessica

    that was their response to the response? Good grief.

  • http://www.facebook.com/iain.simpson.127 Iain Simpson

    These guys are just morons looking for attention.

  • Arag0n

    how can tracking my mouse know the application/website I’m visiting and know my username/pass typed via keyboard?

  • pwli

    Check out the demo

    iedataleak.spider.io/demo