Microsoft: IE Mouse Tracking Exploit Poses “Little Risk”

Microsoft fired back at a report of an attack that allows people to track the position of a user’s mouse cursor.

The situation was publicized by web analytics company Spider.io, which revealed that – using a few lines of JavaScript – hackers can monitor the position of a target’s cursor when they are using Internet Explorer. Microsoft and others, however, have argued that the firm is exaggerating the threat the situation poses.
According to Spider.io, the issue – which affects Internet Explorer (IE) versions 6-10 – is that IE’s event model populates the global Event object with attributes relating to mouse events.

“Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any webpage (or in any iframe within any webpage) to poll for the position of the mouse cursor anywhere on the screen and at any time—even when the tab containing the page is not active, or when the Internet Explorer window is unfocused or minimized,” the company explained in an advisory. “The fireEvent() method also exposes the status of the control, shift and alt keys.”

“Affected properties of the Event object are altKey, altLeft, clientX, clientY, ctrlKey, ctrlLeft, offsetX, offsetY, screenX, screenY, shiftKey, shiftLeft, x and y,” according to the advisory.

The situation is being exploited by at least two display ad analytics companies across billions of page impressions per month, the company noted, adding that the vulnerability is “particularly troubling” because it compromises the security of virtual keyboards and keypads.

Though Microsoft is working to adjust this behavior in IE, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy, argued Microsoft’s Dean Hachamovitch, corporate vice president, Internet Explorer, in a blog post.

“The only reported active use of this behavior involves competitors to Spider.io providing analytics,” he blogged, noting that different analytics companies use different means to gather consumer information across browsers and devices.

“Online advertisers started a shift “from a ‘served’ to a ‘viewable’ impression[s],” he blogged. “Many different analytics companies stepped up to compete in this space. That competition has had many public results, including lawsuits. One of the companies involved in this space is Spider.io, which recently reported an issue in IE involving mouse pointer information. Spider.io is an advertising analytics company. Their recent blog post, “There are two ways to measure ad viewability. There is only one right way,” makes their point of view very clear. Different analytics companies use different and equivalent methods to gather consumer information across different browsers on different devices.”

For the exploit Spider.io describes to be successful, “the browser stars all seem to need to be in alignment to be able to target an individual,” Paul Henry, security and forensic analyst at Lumension, said in a statement.

“A hacker would need to know the users’ exact screen resolution, the location of the virtual keyboard and the key layout being used,” he said. “Yes, in a lab environment, it can be made to look spectacular, but in the real world, I question just how much of a threat to users this really is.”

If a user changes any settings on their browser, this is no longer an issue, Henry added.

“For example, my bank uses a randomized keyboard on my banking application, so it wouldn’t be an issue there,” he said.
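The randomized on-screen keyboard Henry mentions is the one mitigation the article describes, so here is what it looks like in practice. This is an added example, not code from the SecurityWeek article, Spider.io or Microsoft: a PIN pad whose digit layout is reshuffled on every render, so a trace of cursor positions (the only thing the IE behaviour exposes) does not by itself reveal which digits were pressed. The grid shape, the `FIXED_KEYPAD` baseline and the seeded generator used for reproducibility are assumptions made for the example.

```javascript
// Added example: a virtual PIN pad with a per-render randomized key layout,
// the countermeasure the article's sources say defeats cursor-position tracking.
// Not from the original article. Runs in Node (layout logic) or a browser (rendering).

const DIGITS = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9'];

// Conventional phone-style layout (assumed baseline): with a fixed layout,
// every cursor position maps to the same digit on every visit.
const FIXED_KEYPAD = [['1', '2', '3'], ['4', '5', '6'], ['7', '8', '9'], ['0']];

// Fisher-Yates shuffle driven by an injectable random source in [0, 1).
// In production, feed it window.crypto.getRandomValues-based randomness;
// Math.random is the default only so the function runs stand-alone.
function shuffle(items, rng = Math.random) {
  const out = items.slice();
  for (let i = out.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out;
}

// Build a fresh keypad in the same 3+3+3+1 shape as FIXED_KEYPAD,
// but with the ten digits in a new order each time.
function randomizedKeypad(rng = Math.random) {
  const order = shuffle(DIGITS, rng);
  return [order.slice(0, 3), order.slice(3, 6), order.slice(6, 9), [order[9]]];
}

// Model of what a cursor tracker learns: a click landed on grid cell (row, col).
// Returns the digit shown there under a given layout, or null if off-grid.
function digitAt(layout, row, col) {
  const r = layout[row];
  return r && col < r.length ? r[col] : null;
}

// Sanity check: a layout must be a full permutation of the ten digits.
function isValidKeypad(layout) {
  const flat = layout.flat();
  return flat.length === 10 && new Set(flat).size === 10 && DIGITS.every((d) => flat.includes(d));
}

// How many of a recorded click sequence decode to the same digit under two layouts,
// i.e. how much a position trace taken against one layout says about a PIN typed on another.
function positionsLeakingSameDigit(layoutA, layoutB, clicks) {
  return clicks.filter(([r, c]) => digitAt(layoutA, r, c) === digitAt(layoutB, r, c)).length;
}

// Small deterministic generator (constructed for reproducible output; not for production).
function seededRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (s * 1664525 + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

// Browser-only helper: render a reshuffled keypad into `container` and report digits via onDigit.
function renderKeypad(container, onDigit, rng = Math.random) {
  const layout = randomizedKeypad(rng);
  container.textContent = '';
  layout.forEach((row) => {
    const rowEl = document.createElement('div');
    row.forEach((d) => {
      const btn = document.createElement('button');
      btn.type = 'button';
      btn.textContent = d;
      btn.addEventListener('click', () => onDigit(d));
      rowEl.appendChild(btn);
    });
    container.appendChild(rowEl);
  });
  return layout;
}
```

Calling `renderKeypad` again on every login page load (and ideally on every failed attempt) is what makes the layout unpredictable to a page that can only see where the cursor went; the layout itself must never be echoed back to third-party scripts or ad frames, or the randomization buys nothing.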

The theoretical use of this behavior to compromise consumer safety is something Microsoft’s security team has discussed with researchers across the industry, noted Hachamovitch.

“We take these risks very seriously,” he wrote. “Getting all the pieces to line up in order to take advantage of this behavior – serving an ad to a site that asks for a logon, the user using an on screen (or virtual) keyboard, knowing how that onscreen keyboard works – is hard to imagine. From investigating the specific behavior when mouse position data is visible outside the browser window, sites can view only the mouse state; they cannot view the actual content that the user is interacting with. From our conversations with security researchers across the industry, we see very little risk to consumers at this time.”

Written By

Marketing professional with a background in journalism and a focus on IT security.