14 Dec 2012

Internet Explorer Bug Tracks Every Mouse Move, Even Outside the Browser


A newly-discovered bug in Internet Explorer is threatening the privacy of millions of computer users worldwide. According to the findings of traffic specialists at Spider.io, a flaw in the way Internet Explorer implements the Event Model makes it easy for an attacker to track the position of the mouse cursor, as well as the state of the control, shift and alt keys.

The security vulnerability allows an attacker to track mouse movements anywhere on the screen, even outside of the browser, regardless of the browser window’s state (minimized, maximized, focused or unfocused). This means the tracking code runs even when the browser is not actively in use (such as when the user is listening to music on a website and working on an Excel spreadsheet).

To carry the attack out, a malicious party would have to inject exploit Javascript code into a legitimate website either by hacking into the page or by purchasing an ad slot. According to researchers at spider.io, the ad-space based attack is already exploited in the wild by some ad analytics companies who are probably analyzing click patterns from web visitors.

The exploit was first identified in October when Microsoft was notified of the issue. “Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser. It is important for users of Internet Explorer to be made aware of this vulnerability and its implications,” reads the blog post.

Unfortunately for Internet Explorer users, the bug affects all browsers from version 6 to the latest iteration in Windows 8 (version 10) - all versions of Internet Explorer since Windows XP and Windows Server 2003. To put it in figures, it affects 26% of all computer users.

However, if ad tracking poses little threat to web users, this method of tracking the cursor could be used to read input from on-screen keyboards used by banking websites and other critical services where password security is paramount.

The proof-of-concept exploitation demo is pretty convincing, but – as the attacker can’t see what application is under the cursor, nor its window shape, the exploit alone is not enough to let an attacker know what the victim is typing in exactly.