Microsoft refuses to patch IE mouse tracking flaw that is currently being exploited

Here is an interesting bit of information; there is a known exploit that works on versions 6-10 of Internet Explorer that Microsoft will not patch. The flaw, according to the source, allows your mouse to be tracked anywhere on the screen, even if the IE window is minimized.

While this may not sound like a major security concern, there are bigger implications at play here as at least two display ad analytics companies are using this exploit across billions of page impressions per month. So to say that this is a moot point is a bit irrelevant as your mouse movements are currently being tracked without your consent.

There are two issues that this flaw raises that need to be highlighted. The first being that if you use a virtual keypad or keyboard, this exploit can be used to track your inputs and harvest your data and second, why won’t Microsoft fix this exploit if it is being used by advertising agencies that could be against the users consent?

The source states that they told Microsoft about the exploit on October 1st, 2012, the company told them that they have no immediate plans to fix the issue:

Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser.

Seeing that Microsoft has already spat in the face of advertisers with its default “do not track” feature being turned on, you would think the company would actively pursue this type of exploit to protect the end user.

We have pinged Microsoft for a response as to why the company will not fix the flaw; we will update this post with their comment when they respond.

Source: Spider.io |YouTube

Report a problem with article
Previous Story

Best Buy to start selling Surface online today; in some stores Sunday

Next Story

Unofficial Facebook Windows 8 app looks like the real deal

48 Comments

Commenting is disabled on this article.

There are two issues that this flaw raises that need to be highlighted. The first being that if you use a virtual keypad or keyboard

...Only when using a MOUSE with the virtual keyboard, and knowing the user is using a keyboard onscreen and where the keyboard is located on the screen and 1000 other things that would make cracking the user's Wifi a far easier way to obtain information.

This is NONSENSE...

Obtaining any useful data from mouse tracking is about as crazy as people complaining that their neighbor can see when they leave their house and when they come home.

The irony, is these people complaining are the SAME ones that will install Chrome, and use GMail and use GDocs and Google+, that actually does collect useful information from BILLIONS of people. So it is ok to give Google access to EVERYTHING, but it is a HORRIBLE SIN to let a mouse cursor be tracked.

Here is the thing, tracking a mouse is irrelevant unless it can detect what is underneath, and IT CANNOT...

"There are two issues that this flaw raises that need to be highlighted. The first being that if you use a virtual keypad or keyboard, this exploit can be used to track your inputs and harvest your data and second, why won't Microsoft fix this exploit if it is being used by advertising agencies that could be against the users consent?"
This is the biggest load of **** I've heard. That would depend on your screen resolution, your zoom level, what application you are using for the input or if it's on the webpage, what zoom level the webpage is at (if on a webpage), if you go over random characters and don't click them, etc. SO MANY FACTORS.
As the creator of a web password input panel I cannot believe this rubbish is being spouted as gospel, show me where someone's password has been compromised, you won't because you can't get a password just from mouse movement unless you know EVERYTHING about that person's computer and where they've actually clicked.

Even if you somehow managed to get the password, you'd need to know the service (website, IM, ...) it is used for as well as the username. That's impossible.

Yes, i agree for a regular desktop or notebook.
However, Surface changes the rules (specific resolution, specific position of the screen..)

Don't nearly all browsers support screenX and screenY javascript for events? This gets the cursor position relative to the screen thus making it an issue that isn't IE only.

The only time I see this being useful is on a tablet where the events would happen when typing on a virtual keyboard for example (if they even register at all at that point).

I don't think I've ever seen any website use the UI that the exploit demo has as it doesn't make much sense to type numbers with a mouse.

Yeah started thinking about that. You'd probably have to bind the event to something on a page first and if the browser is minimized you don't have anything where you could do something that fires events. Or at least that's how it should be.

mrbester said,
This works even when IE is unfocused or minimised. That makes it a bigger problem.

Bigger than what? There is no way to even know where the user has the taskbar docked, let alone where anything else is on the screen. It has no way to see what is under the mouse at any time or eve 'guess' what is under the mouse to have any credible information.

Tracking the mouse inside a web page is more dangerous, and this is something all browsers support.

I worked for a software company that used the information to track users as they accessed a site. Information was useful in figuring out effectiveness of a site and where users were running into problems. Helpful for optimizing site layout. We sold directly to the site owners and we were not the only company in the field.

Since the "tracking script" has no idea what is under my mouse cursor, this exploit is useless...?
I'd still like them to fix it though.

I've yet to test this in newer version of IE but in older versions of IE there was a difference between IE and other browsers. Ie would track the mouse position even outside of the browser window and even on events that were not related to mouse events (like onbeforeunload).

This was used by some scripts to know if the user was leaving a page by closing it using the x button.

I can write a program in windows and track the mouse from it, does that suddenly make it a flaw? One part of the windows API allows for mouse tracking outside your application, maybe they are just saying we let windows do it, why not IE

Idially the browser should work inside a sandbox. It should not report mouse position when the mouse is not over a focused document displayed by it. I don't think it can be used to exploit anything but it is still a design problem imo.

Well it can have some kind of pertinence, when you think about it....

Okay, just imagine it this way, a rogue webpage having this flaw, with a mouse logger (Mouse version of a keylogger) running for a couple hours, notices the user clicking often at X: 100, Y: 950. A javascript then could be fired up to popup at that exact location, or exactly where the mouse cursor is.

I can imagine quite a few scenarios where this could get very very annoying very very fast.

Yea well it's been in since IE6, and I've never encountered anything like you say, so I don't think it's going to be exactly 'very fast' at all.

Farchord said,
Well it can have some kind of pertinence, when you think about it....

Okay, just imagine it this way, a rogue webpage having this flaw, with a mouse logger (Mouse version of a keylogger) running for a couple hours, notices the user clicking often at X: 100, Y: 950. A javascript then could be fired up to popup at that exact location, or exactly where the mouse cursor is.

I can imagine quite a few scenarios where this could get very very annoying very very fast.

This could work, except this flaw would work in EVERY BROWSER, not just IE, as this is part of W3C standards to read the coordinates of the cursor position.

People are really trying hard to find a way that this is an exploit. This functionality has been around in browsers since what the mid 90s.

They are calling this an exploit because the mouse coordinates are still tracked when IE is minimized or not the primary window, which is WORTHLESS, as the browser cannot see what is under the mouse NOR can it shove a malicious script under the current mouse cursor position on the FREAKING DESKTOP outside of the browser.

Look, I can understand being upset about the mouse tracking bug. But they "spat in the face of advertisers"? How about advertisers, Apache, etc. spat in the face of users.

This place is getting worse every day.

Yea they complain that MS spat in advertisers faces, then complain they don't with the mouse tracking thing. This is ridiculous, if I wanted self-contradicting paranoid noise I'd stay on Slashdot.

Since when is "no immediate plans" suddenly "refusing to" patch.

The bias on this site is getting worse by the day.

ahhell said,
Since when is "no immediate plans" suddenly "refusing to" patch.

The bias on this site is getting worse by the day.


TBH this looks like stupidity rather than bias, which is worse.

I could well believe that the response to the source was real. It's no surprise that Microsoft will not reveal their update plans to individuals.

This is normal.

Ubuntu uploads search results to Amazon, I'm switching to a stone tablet, just need to find a silver one to match my tinfoil hat.

J_R_G said,
Ubuntu uploads search results to Amazon, I'm switching to a stone tablet, just need to find a silver one to match my tinfoil hat.

My mouse was tracked when I clicked the like button.

-T- said,
OMG, hey can track my mouse!!!!!!!

That's it I'm installing Ubuntu.

Be sure to use Chrome on Ubuntu and Gmail and Gdocs and Google+...

That way Google will have access to every bit of your information to use, and as a bonus Amazon and others get access to more information through Ubuntu.

Brilliant. *Smacks head*

If I know the location of the on-screen keyboard, and I know the coordinates you use, I can infer if you are a user that uses the keyboard, and can also infer the input (as each key is selected) as you move your mouse. Fun.

alan said,
This is another reason not to use IE. Its as if Microsoft want you to move from IE,

I'm a Firefox user since 2004. But don't be a as*.

Clearly there must be some valid reasons for not fixing it.

There is no reason because the exploit itself is meaningless outside the browser. If i know your mouse is in the upper left screen. What good is it if I have no idea what is up there? Sure its usefull if you know what content the person is looking at or being displayed in that area, but if the window is minimized, and it doesnt allow them to "peer" at what you are hovering over, all they have is a set of coordinates that could be a cmd prompt for all they know. At least that is what I am getting.

Sure, take the extremist route. Do you even know how this works? I don't, but I figure it's for web pages that need to track user input, but it'd require breaking a lot of them, to rework it so it only tracks in the browser. Of course, you'd complain if that happened to..

IE10 is more secure than FF, Chrome and Safari.

https://www.nsslabs.com/report...socially-engineered-malware

And FF, Chrome and others also allow tracking of the mouse. It's a feature of pretty much all browsers. It can be easily implemented with JavaScript.

Always makes me laugh how people who bash IE never actually know what they're talking about. They think they're somehow computer literate and more knowledgeable because they use another browser, when in reality it's the opposite.

That test is regarding the efficiency of malware filters, and technically has absolutely nothing to do with how the browser attacks against vulnerabilities in the browser itself.

Have to agree. This is possible in other browsers as well. And it's impact is really negligible. What do I care what advertisers can track mouse movement, I still ain't gonna click on their ad if it doesn't interest me.

FISKER_Q said,
That test is regarding the efficiency of malware filters, and technically has absolutely nothing to do with how the browser attacks against vulnerabilities in the browser itself.

And what do you think makes more of a difference? I'll drop a hint, malware blockers. Of course IE is good against exploits as well, IE10 has the strongest sand box, and opts into every platform anti-exploit. FF is still not sand boxed, 5+ years after IE was first sand boxed, and it did not opt into all platform anti-exploits, until recently. At this point, you are reduced to telling us how MS hires bad programmers, and all the good programmers by random coincidence work at google and Mozilla. whatever.

alan said,
This is another reason not to use IE. Its as if Microsoft want you to move from IE,

PC EliTiST said,
Go to "Turn Windows Features On or Off" and completely disable IE. Don't look back again.

Lol what the heck is with you people? Are there actually any reasons? Why disable IE? It's not going to do you any good besides damping your ridiculous bias.

J_R_G said,
And what do you think makes more of a difference? I'll drop a hint, malware blockers.

That may be the case, but that still doesn't make IE more secure.

1Pixel said,
IE10 is more secure than FF, Chrome and Safari.

https://www.nsslabs.com/report...socially-engineered-malware

And FF, Chrome and others also allow tracking of the mouse. It's a feature of pretty much all browsers. It can be easily implemented with JavaScript.

Always makes me laugh how people who bash IE never actually know what they're talking about. They think they're somehow computer literate and more knowledgeable because they use another browser, when in reality it's the opposite.

NSS labs has a bit of a history of being paid by MS to paint IE in a favorable light in those sort of studies.

Also makes me laugh when people say crap like this. Chrome is based on an open source browser and Firefox is open source project..which means more eyes to look at the code and find issues, meaning an obvious increase in reported issues.

SharpGreen said,

NSS labs has a bit of a history of being paid by MS to paint IE in a favorable light in those sort of studies.

Also makes me laugh when people say crap like this. Chrome is based on an open source browser and Firefox is open source project..which means more eyes to look at the code and find issues, meaning an obvious increase in reported issues.

And you assume that all eyes viewing the code are ethical people and would always report the exploits they find.

Wow. I bet you would like to also buy a sandy oceanfront property in Nevada?

In reality, security professionals and hackers use open source projects to find exploits and hold on to them to use.

All it takes is ONE person that is smarter than the person that wrote the code to read it and find a usable exploit. And no matter how brilliant any programmer thinks they are, there is always someone smarter.

We work with security professionals that literally have their own 'bag of tricks' that they obtained from reading OSS code for their own use to exploit and crack systems.

They have never offered a fix and don't even share with each other the exploits they noticed, let alone contribute fixes to the project.

Then when a company needs to break back into one of their own servers because of a rogue employee, these are people they hire.

The problem is, you need the smartest people to also be the most honest people EVERY TIME to have any security advantage from the visibility 'sunshine' aspect of OSS, and it is a fairy tale.

SharpGreen said,

NSS labs has a bit of a history of being paid by MS to paint IE in a favorable light in those sort of studies.

Thats BS. NSS Labs are hired by all sorts of companies to test for security holes in software, so their results need to be accurate or no one will use them again. They don't get paid to say false crap. But i'm guessing you're referring to IE8, as NSS Labs also found it to be most secure at the time, but it was originally a private test for MS to see how their browser compared to others. MS later decided to release the good results.

The latest tests with IE10 are independent and something NSS Labs did in their own time.

Actually ie9 is secure more than other browsers. IE 10 is more secure than that. Unless you are basing your views comparing ie 6 to other current browsers you really don't knowbwhat you are talking about.