Earlier today we posted Microsoft’s response to the Spider.io post pertaining to the mouse tracking exploit within Internet Explorer. In a nutshell, Microsoft refuted the claims stated by Spider.io but did say that they are actively working to fix the security hole.
Not one to sit back and let Microsoft dismiss its initial claim, Spider.io has responded to Microsoft’s assertions on the mouse tracking issue. Rather than summarize the content, we have posted below the meat of the response, which attempts to hit back at what Microsoft stated.
There are two other points in Microsoft’s post which we believe are important to clarify.
Firstly, the post includes an ambiguous sentence: “There are similar capabilities available in other browsers.” It is important to clarify that other browsers do not leak mouse-cursor position outside of the browser window in the way that Internet Explorer does.
Secondly, it has been suggested that exploitation of the vulnerability to compromise login details and other confidential information is “theoretical”, “hard to imagine” and would require “serving an ad to a site that asks for a logon.” This is not the case. Ads do not need to be served to sites requiring login details. Ads need only to be served to some page which is open in Internet Explorer. The page with an embedded ad may be in a background tab. The page may be minimized. You may be using an entirely different application—potentially a different browser or some other desktop application—to log in. As has already been noted on Hacker News, if you were to log in at this banking website using any browser (perhaps using your Chrome browser, for the sake of argument), then you would be vulnerable to attack if you had another page open in Internet Explorer, even if Internet Explorer was minimized. There are many similarly vulnerable sites and applications. If there is any uncertainty about whether it would be possible to decipher mouse traces to determine confidential details typed in with a virtual keyboard, we suggest readers of this post try this deciphering challenge.
With the above being said, Spider.io is holding firm to its point. Additionally, to push back against the suggestion that it may be doing this to harm its competitors, Spider.io stated explicitly that it tried to vet this issue privately with Microsoft and took it public only after its concerns were brushed aside.
We don’t expect Microsoft to come out swinging against the above statement, and we expect that the next time we hear about this issue will be when Microsoft delivers a patch for the flaw.