Microsoft responds to IE mouse tracking exploit claims

Yesterday, it was announced that there was a mouse tracking exploit in Internet Explorer that was currently being exploited by advertising companies. Microsoft has finally responded to the claims and denies that the exploit is being used in the wild.

A comment was provided to us:

“We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected. We will provide additional information as it becomes available and will take the appropriate action to protect our customers.” – Microsoft Spokesperson

The quote denies the Spider.io claim that the exploit is currently being used in the wild, but the good news is that Microsoft is actively looking into the claim.

We are currently at a point of he-said/she-said: the source claims it is being exploited, and Microsoft says it is not. And if Spider.io did report the exploit previously to Microsoft, why are they just now looking into the claim again?

Whatever the reason or issue, Microsoft is now taking the exploit seriously after the issue became public.

19 Comments

Wait, has anyone actually tried this with a tablet keyboard? AFAIK onscreen keyboard presses aren't considered mouse positions .-. I'll test it in a little bit, just for good measure

Oh, how one word can make all the difference! MS are not actually denying that customers may have been affected by this, only that they've not been "adversely" affected - I wonder how MS define "adversely"? If advertising companies have been using this exploit, is the effect on users "adverse" or not?!

GreatMarkO said,
Oh, how one word can make all the difference! MS are not actually denying that customers may have been affected by this, only that they've not been "adversely" affected - I wonder how MS define "adversely"? If advertising companies have been using this exploit, is the effect on users "adverse" or not?!

Adverse would be using the information to cause harm or spy on users. It cannot do this, thus there is not any KNOWN adverse effect to users.

Software 'affects' users in many ways, for example, IE can display pictures and words on the screen, this 'affects' the user, but does not adversely affect the user as it is a function of what a browser does.

Get it yet?

Let me guess (without searching your post history), you use GMail or GDocs or any of Google's services, and they TELL USERS UPFRONT they are using your information in ways that 'adversely' affect you, but I bet you don't really care?

thenetavenger said,

Adverse would be using the information to cause harm or spy on users. It cannot do this, thus there is not any KNOWN adverse effect to users.

This. They can't prove that no one is exploiting it. It's not like they wait for someone to exploit a critical system flaw and then patch it afterwards even if they already knew about it. (Or do they sometimes if it's obscure enough?)

thenetavenger said,

Get it yet?

Let me guess (without searching your post history), you use GMail or GDocs or any of Google's services, and they TELL USERS UPFRONT they are using your information in ways that 'adversely' affect you, but I bet you don't really care?

Chill mate!! - I was only making a light-hearted point about how the word "adversely" could be interpreted/twisted(!)

(and no, FYI I don't use GMail or GDocs!)

thenetavenger said,

Adverse would be using the information to cause harm or spy on users. It cannot do this, thus there is not any KNOWN adverse effect to users.

Software 'affects' users in many ways, for example, IE can display pictures and words on the screen, this 'affects' the user, but does not adversely affect the user as it is a function of what a browser does.

Get it yet?

Let me guess (without searching your post history), you use GMail or GDocs or any of Google's services, and they TELL USERS UPFRONT they are using your information in ways that 'adversely' affect you, but I bet you don't really care?

The almighty NT kernel will save us, right?

Studio384 said,
It wasn't exploited until they (spider.io) were so foolish as to publish a working exploit on the web, idiots.

They wanted their minute of fame and they got it.

Had it been a Chrome/Firefox flaw, nobody would care. Fortunately for them, any minor IE flaw can make the headlines.

I don't know about older versions of IE but I expect the rumored Windows 8 update coming in mid 2013 will also bring us IE 10.1 or maybe even 10.5 depending on how big the update itself is overall. So any small bugs like this should be fixed with that at least.

Knowing that sites can read what you type with the touchscreen keyboards on other applications/websites is not nice at all, especially on all the new Windows tablets. How could they leave something like that unpatched for 2 months and still not have any news regarding a fix even now that it was made public?

francescob said,
Knowing that sites can read what you type with the touchscreen keyboards on other applications/websites is not nice at all, especially on all the new Windows tablets. How could they leave something like that unpatched for 2 months and still not have any news regarding a fix even now that it was made public?

There is no risk for tablet users.
The touch keyboard in Win8 doesn't cause the mouse to move when the user hits a key with his finger.
So this flaw can't be exploited to read virtual keyboard input.

Seriously, there is no real risk with this flaw.

The attacker has no way to know what website you're visiting. Even if there is a virtual keypad on your bank website AND you're running a malicious website in the background, how could it guess anything without knowing what site you're currently visiting? Not to forget, virtual keypads on bank sites often have their numbers randomized, which makes the exploit completely useless in the real world.

francescob said,
Knowing that sites can read what you type with the touchscreen keyboards on other applications/websites is not nice at all, especially on all the new Windows tablets. How could they leave something like that unpatched for 2 months and still not have any news regarding a fix even now that it was made public?

Nothing you have said is accurate or true, that is why it is not an issue.

Even if a person were to use a mouse on the onscreen keyboard, knowing where the keyboard is on the screen in reference to UI and resolution would be impossible and it would be impossible to plot the mouse movement to even guess at what the user is typing.

thenetavenger said,

Nothing you have said is accurate or true, that is why it is not an issue.

I'm sure you certainly know better than the security researchers who even went as far as to write an example game to show the issue with virtual keyboards.

"The implications for virtual keyboards and virtual keypads
We have created a game to illustrate how easily this security vulnerability in Internet Explorer may be exploited to compromise the security of virtual keyboards and virtual keypads. The game may be found at iedataleak.spider.io."

francescob said,

I'm sure you certainly know better than the security researchers who even went as far as to write an example game to show the issue with virtual keyboards.

"The implications for virtual keyboards and virtual keypads
We have created a game to illustrate how easily this security vulnerability in Internet Explorer may be exploited to compromise the security of virtual keyboards and virtual keypads. The game may be found at iedataleak.spider.io."

This proof of concept is ridiculous because it works only if you follow exactly the requested steps AND because the target page has been designed specifically to make the PoC work.

In real life, the attacker can't predict what page you are visiting, which makes this bug non-exploitable to steal any sensitive data.

An XSS attack is far more likely to succeed than an attack based on this bug. Fortunately IE8 was the first browser to implement an XSS filter.

Of course the attacker must know which websites the user visits but when he knows he can figure out from the mouse movements what you typed as you can see in the other game proof of concept they did. My Windows 7 all-in-one shows the positions of all the keys typed with the on screen keyboard (with the touchscreen) so it doesn't seem anywhere near unexploitable to me. It's certainly not a remote execution but it's also certainly not something that should have been left unpatched for 2+ months.

francescob said,
Of course the attacker must know which websites the user visits but when he knows he can figure out from the mouse movements what you typed as you can see in the other game proof of concept they did. My Windows 7 all-in-one shows the positions of all the keys typed with the on screen keyboard (with the touchscreen) so it doesn't seem anywhere near unexploitable to me. It's certainly not a remote execution but it's also certainly not something that should have been left unpatched for 2+ months.

Most browser security flaws, including critical ones, take much more than 2 months to be fixed.

Mozilla and Google often take between 6 months and more than 1 year to fix flaws. (If you don't believe me, look at the Mozilla/Google security bulletins and the matching entries on their bug report tool.)

So 2 months without fixing a minor flaw is not exceptionally long.

On Android/iOS, flaws in web browsers are even patched much later (or never if your Android device is no longer updated).

link8506 said,

Most browser security flaws, including critical ones, take much more than 2 months to be fixed.

Mozilla and Google often take between 6 months and more than 1 year to fix flaws. (If you don't believe me, look at the Mozilla/Google security bulletins and the matching entries on their bug report tool.)

So 2 months without fixing a minor flaw is not exceptionally long.

On Android/iOS, flaws in web browsers are even patched much later (or never if your Android device is no longer updated).

I think that's oversimplifying a lot how the security flaws are handled: it all depends on how the flaw was reported. Now that browsers are very secure, almost every fixed security flaw you can see in the changelogs is an internally reported flaw that was not disclosed to the public; the bug tracker entries for those flaws are indeed kept hidden, and unless the flaw information is disclosed earlier the companies can take all the time they want to issue a patch, making sure it doesn't break anything else.

When those flaws instead are/become public, the patches are released almost immediately, as you can see in the many times Microsoft had to release out-of-band patches for IE, or how Firefox released their 16.0.1 update in days, and Chrome did the same after the PWN2OWN competition (Google took less than 24 hours to issue a patch to solve the issues).

In the end a patch for an undisclosed bug could even take years, but if the company refuses (if what the researchers said is true) to patch or still isn't planning a patch when the issue becomes public, it certainly doesn't do any good to their reputation.