IE Exploit Eyes Mouse Cursor

Friday, December 14, 2012 @ 01:12 PM gHale


A vulnerability affecting Internet Explorer versions 6 through 10 could make it possible for a hacker to monitor the movements of your mouse, even with a minimized browser window.

This means an attacker could learn passwords and PINs if they end up typed on a virtual (on-screen) keyboard, said researchers at UK-based web analytics firm Spider.io. Two display advertising networks are already exploiting it, the company said. It refused to name them in its statement.

RELATED STORIES
Chrome Wards Off BlackHole
BlackHole Exploit Kit Details
Password Stealing Malware Incognito
Europe Domains Host BlackHole

“As long as the page with the exploitative advertiser’s ad stays open — even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer — your mouse cursor can be tracked across your entire display,” Spider.io researchers said.

The company added, while the problem has been acknowledged by the Microsoft Security Research Center, there are apparently no immediate plans for a patch.

Microsoft published an official blog post on the issue, saying the risk to consumer privacy is almost entirely theoretical, and “the underlying issue has more to do with competition between analytics companies than consumer safety or privacy.”

Spider.io also published the technical details of the exploit, which involves the browser’s global Event object, as well as a game demonstrating how it could monitor user input to a virtual keyboard.

“Internet Explorer’s event model populates the global Event object with some attributes relating to mouse events, even in situations where it should not. Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any webpage (or in any iframe within any webpage) to poll for the position of the mouse cursor anywhere on the screen and at any time,” the company said.



Leave a Reply

You must be logged in to post a comment.