Another Nasty Internet Explorer Problem!

A friend of mine says IE is the “safest browser on the Internet”… yeah, right! No matter how much lipstick you put on a pig, it is still a pig! Move to Chrome, or Firefox. Just sayin’!

IE flaw allows attackers, advertisers to track cursor movement

“A software engineer from online analytics company Spider.io is claiming that a security flaw in Internet Explorer 6-10 could allow attackers or advertisers to track users’ mouse movements, potentially compromising data entered via virtual keyboards.

Nick Johnson, who previously worked for Google before joining Spider.io, posted details of the flaw on the Bugtraq mailing list this morning.

‘Internet Explorer’s event model populates the global Event object with some attributes relating to mouse events, even in situations where it should not. Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any web page (or in any iframe within any web page) to poll for the position of the mouse cursor anywhere on the screen and at any time — even when the tab containing the page is not active, or when the Internet Explorer window is unfocused or minimized.’

Knowing the position of the cursor has significant ramifications for authentication systems that use a virtual keyboard as a means to circumvent keyloggers. Virtual keyboards that randomize key placement would likely be unaffected.

Johnson also believes that it would be relatively trivial for an attacker to use the flaw on high-traffic and generally trusted sites by purchasing advertising space on popular sites.

‘Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of web page impressions each month.’

The nature of the flaw means that the tracking of cursor movements is not simply restricted to Internet Explorer either. According to Johnson, so long as the page remains open, even if it has been placed in a background tab or the entire Internet Explorer application is minimized, it will continue to log movements.”
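The article's point that virtual keyboards with randomized key placement would likely be unaffected can be shown with a short sketch. This is an added example, not code from the article or from Spider.io; the pad geometry, function names and sample PIN are all hypothetical.

```javascript
// Added example: randomized PIN pad layout. All names are hypothetical.
// Browsers expose crypto globally; older Node versions fall back to the module.
const webcrypto = globalThis.crypto ?? require('crypto').webcrypto;

const KEYS = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9'];
const COLS = 3, KEY_W = 60, KEY_H = 60; // constructed pad geometry, in pixels

// Unbiased integer in [0, n) via rejection sampling on a 32-bit CSPRNG draw.
function randomBelow(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { webcrypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Fisher-Yates shuffle: a fresh key order for every authentication attempt.
function newLayout() {
  const layout = KEYS.slice();
  for (let i = layout.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [layout[i], layout[j]] = [layout[j], layout[i]];
  }
  return layout;
}

// Hit test: which key sits under pad-relative coordinates (x, y)?
function keyAt(layout, x, y) {
  const col = Math.floor(x / KEY_W), row = Math.floor(y / KEY_H);
  if (x < 0 || y < 0 || col >= COLS) return null;
  return layout[row * COLS + col] ?? null;
}

// What a list of click positions decodes to under a given layout.
function decodeClicks(clicks, assumedLayout) {
  return clicks.map(([x, y]) => keyAt(assumedLayout, x, y)).join('');
}

// Click positions a user would produce to type `pin` on a given layout.
function clicksFor(pin, layout) {
  return [...pin].map((d) => {
    const i = layout.indexOf(d);
    return [(i % COLS) * KEY_W + KEY_W / 2, Math.floor(i / COLS) * KEY_H + KEY_H / 2];
  });
}

const layout = newLayout();
const clicks = clicksFor('4821', layout); // constructed sample PIN
console.log('decode with real layout :', decodeClicks(clicks, layout));
console.log('decode assuming fixed   :', decodeClicks(clicks, KEYS));
```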
