Microsoft refuses to patch IE mouse tracking flaw that is currently being exploited

Here is an interesting bit of information: there is a known exploit that works on versions 6 through 10 of Internet Explorer that Microsoft will not patch. The flaw, according to the source, allows your mouse to be tracked anywhere on the screen, even when the IE window is minimized.

While this may not sound like a major security concern, there are bigger implications at play: at least two display-ad analytics companies are using this exploit across billions of page impressions per month. So dismissing this as a moot point misses the mark, since your mouse movements are currently being tracked without your consent.

There are two issues that this flaw raises that need to be highlighted. First, if you use a virtual keypad or keyboard, this exploit can be used to track your inputs and harvest your data. Second, why won’t Microsoft fix this exploit when it is being used by advertising agencies, possibly against the user’s consent?

The source states that they told Microsoft about the exploit on October 1st, 2012, and that the company told them it has no immediate plans to fix the issue:

Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser.

Seeing that Microsoft has already spat in the face of advertisers by turning its “do not track” feature on by default, you would think the company would actively pursue this type of exploit to protect the end user.

We have pinged Microsoft for a response as to why the company will not fix the flaw; we will update this post with their comment when they respond.

Source: Spider.io | YouTube


48 Comments


Since when is "no immediate plans" suddenly "refusing to" patch.

The bias on this site is getting worse by the day.

ahhell said,
Since when is "no immediate plans" suddenly "refusing to" patch.

The bias on this site is getting worse by the day.


TBH this looks like stupidity rather than bias, which is worse.

I could well believe that the response to the source was real. It's no surprise that Microsoft will not reveal their update plans to individuals.

This is normal.

Look, I can understand being upset about the mouse tracking bug. But they "spat in the face of advertisers"? How about advertisers, Apache, etc. spat in the face of users.

This place is getting worse every day.

Yea they complain that MS spat in advertisers faces, then complain they don't with the mouse tracking thing. This is ridiculous, if I wanted self-contradicting paranoid noise I'd stay on Slashdot.

Well it can have some kind of pertinence, when you think about it....

Okay, just imagine it this way, a rogue webpage having this flaw, with a mouse logger (Mouse version of a keylogger) running for a couple hours, notices the user clicking often at X: 100, Y: 950. A javascript then could be fired up to popup at that exact location, or exactly where the mouse cursor is.

I can imagine quite a few scenarios where this could get very very annoying very very fast.

Yea well it's been in since IE6, and I've never encountered anything like you say, so I don't think it's going to be exactly 'very fast' at all.

Farchord said,
Well it can have some kind of pertinence, when you think about it....

Okay, just imagine it this way, a rogue webpage having this flaw, with a mouse logger (Mouse version of a keylogger) running for a couple hours, notices the user clicking often at X: 100, Y: 950. A javascript then could be fired up to popup at that exact location, or exactly where the mouse cursor is.

I can imagine quite a few scenarios where this could get very very annoying very very fast.

This could work, except this flaw would work in EVERY BROWSER, not just IE, as this is part of W3C standards to read the coordinates of the cursor position.

People are really trying hard to find a way that this is an exploit. This functionality has been around in browsers since what the mid 90s.

They are calling this an exploit because the mouse coordinates are still tracked when IE is minimized or not the primary window, which is WORTHLESS, as the browser cannot see what is under the mouse NOR can it shove a malicious script under the current mouse cursor position on the FREAKING DESKTOP outside of the browser.

I can write a program in windows and track the mouse from it, does that suddenly make it a flaw? One part of the windows API allows for mouse tracking outside your application, maybe they are just saying we let windows do it, why not IE

Ideally the browser should work inside a sandbox. It should not report mouse position when the mouse is not over a focused document displayed by it. I don't think it can be used to exploit anything but it is still a design problem imo.

I've yet to test this in newer versions of IE, but in older versions of IE there was a difference between IE and other browsers. IE would track the mouse position even outside of the browser window, and even on events that were not related to mouse events (like onbeforeunload).

This was used by some scripts to know if the user was leaving a page by closing it using the x button.

Since the "tracking script" has no idea what is under my mouse cursor, this exploit is useless...?
I'd still like them to fix it though.

I worked for a software company that used the information to track users as they accessed a site. Information was useful in figuring out effectiveness of a site and where users were running into problems. Helpful for optimizing site layout. We sold directly to the site owners and we were not the only company in the field.

Don't nearly all browsers support screenX and screenY javascript for events? This gets the cursor position relative to the screen thus making it an issue that isn't IE only.

The only time I see this being useful is on a tablet where the events would happen when typing on a virtual keyboard for example (if they even register at all at that point).

I don't think I've ever seen any website use the UI that the exploit demo has as it doesn't make much sense to type numbers with a mouse.

Yeah started thinking about that. You'd probably have to bind the event to something on a page first and if the browser is minimized you don't have anything where you could do something that fires events. Or at least that's how it should be.

mrbester said,
This works even when IE is unfocused or minimised. That makes it a bigger problem.

Bigger than what? There is no way to even know where the user has the taskbar docked, let alone where anything else is on the screen. It has no way to see what is under the mouse at any time or even 'guess' what is under the mouse to have any credible information.

Tracking the mouse inside a web page is more dangerous, and this is something all browsers support.

"There are two issues that this flaw raises that need to be highlighted. The first being that if you use a virtual keypad or keyboard, this exploit can be used to track your inputs and harvest your data and second, why won't Microsoft fix this exploit if it is being used by advertising agencies that could be against the users consent?"
This is the biggest load of **** I've heard. That would depend on your screen resolution, your zoom level, what application you are using for the input or if it's on the webpage, what zoom level the webpage is at (if on a webpage), if you go over random characters and don't click them, etc. SO MANY FACTORS.
As the creator of a web password input panel I cannot believe this rubbish is being spouted as gospel, show me where someone's password has been compromised, you won't because you can't get a password just from mouse movement unless you know EVERYTHING about that person's computer and where they've actually clicked.

Even if you somehow managed to get the password, you'd need to know the service (website, IM, ...) it is used for as well as the username. That's impossible.

Yes, I agree for a regular desktop or notebook.
However, Surface changes the rules (specific resolution, specific position of the screen..)

There are two issues that this flaw raises that need to be highlighted. The first being that if you use a virtual keypad or keyboard

...Only when using a MOUSE with the virtual keyboard, and knowing the user is using a keyboard onscreen and where the keyboard is located on the screen and 1000 other things that would make cracking the user's Wifi a far easier way to obtain information.

This is NONSENSE...

Obtaining any useful data from mouse tracking is about as crazy as people complaining that their neighbor can see when they leave their house and when they come home.

The irony, is these people complaining are the SAME ones that will install Chrome, and use GMail and use GDocs and Google+, that actually does collect useful information from BILLIONS of people. So it is ok to give Google access to EVERYTHING, but it is a HORRIBLE SIN to let a mouse cursor be tracked.

Here is the thing, tracking a mouse is irrelevant unless it can detect what is underneath, and IT CANNOT...
