Researchers at Spider.io, an advertising analytics firm, discovered the behavior and reported it to Microsoft in early October. They identified a vulnerability in Internet Explorer versions 6 through 10 that enables people to track the mouse cursor anywhere on a display, which could compromise the security of virtual keyboards and virtual keypads.
Microsoft acknowledged the issue, but did not address it in the latest patch update for the browser. So far, Microsoft claims its evidence indicates that sites can view only the mouse state, but not the actual content that the user is interacting with.
The company now says it is working closely with other companies to address the vulnerability.

“We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers,” Hachamovitch added. “The only reported active use of this behavior involves competitors to Spider.io providing analytics. The theoretical use of this behavior to compromise the safety or privacy of consumers is something Microsoft’s security team has discussed with researchers across the industry.”
Hachamovitch says that getting all the right pieces in order to exploit this vulnerability is “hard to imagine,” and that there is “very little risk to consumers at this time.”