
Possible IE bug would let hackers track mouse moves

Microsoft is investigating a researcher's assertion that all versions of the Web browser are vulnerable to a flaw that allows attackers to track cursor movements on the screen, even if the browser window isn't in use.

Steven Musil Night Editor / News

Microsoft is investigating a possible flaw in its Internet Explorer Web browser that allegedly enables attackers to track users' mouse cursor anywhere on the screen, even if the browser window isn't in use.

The alleged flaw, which security firm Spider.io says it discovered a few months ago, compromises the security of virtual keyboards and virtual keypads in all supported versions of the browser since IE6, the security firm reports.

"As long as the page with the exploitative advertiser's ad stays open -- even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer -- your mouse cursor can be tracked across your entire display," the security firm said in a statement.

Even the security-conscious are at risk of having their cursor movements recorded, Spider.io warned. "An attacker can get access to your mouse movements simply by buying a display ad slot on any Web page you visit," the security firm warned, adding that any site from YouTube to The New York Times would be a possible attack vector due to ad exchange activity.

At least two display ad analytics companies are exploiting the suspected vulnerability (see video below demonstrating the issue) to see what people are looking at online, Spider.io said.

The security researcher said it informed Microsoft of the issue on October 1 but that the software giant doesn't appear to be in a hurry to patch the vulnerability.

"Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser," the firm said in a statement. "It is important for users of Internet Explorer to be made aware of this vulnerability and its implications."

Microsoft appeared to downplay the issue, blaming competition between analytics companies.

"From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy," Dean Hachamovitch, VP of Internet Explorer, said in a company blog post this afternoon.

"We are actively working to adjust this behavior in IE," he wrote, adding that there are similar capabilities in other browsers. He promised to update the blog when more information becomes available.