On the 1st of October, 2012, spider.io submitted a vulnerability in Internet Explorer (versions 6 through 10) and demonstrated an exploit that could be used to track a user’s pointer movements on the screen. This exploit could be used by anyone interested in obtaining sensitive information, even when the target only used a virtual keyboard.
Although the issue was submitted to the Microsoft Security Research Center, it seems that they are not interested in fixing the problem, and it remains unresolved. This vulnerability is especially dangerous to those using virtual keyboards to enter credit card details or phone numbers.
How could this affect users of IE?
Even those who use virtual keyboards to bypass keyloggers are not safe, because the exploit tracks the movement and clicks of your mouse even when Internet Explorer is minimized. The researchers at spider.io have created a demo page that shows the exploit in action, and there is also a video that shows how easy it is to learn what someone is clicking on a dial pad.
The submitters of the exploit have stated that they informed Microsoft of the issue, and from what we can see on their website, no action was taken to address it:
Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser.
Furthermore, because the exploit works on IE 6-10, there are a lot of potential victims out there, and they need to be made aware of the problem. Luckily, where Microsoft refuses to take action, others do: on the same page describing the problem, spider.io assures users that there are companies already working on a solution.
The course Microsoft is taking in regard to this problem is unprofessional to say the least, but we think that they are only trying to keep Internet Explorer as the best browser to download other browsers with. If this is the case, then they are doing a terrific job! The bug report submitted by Nick Johnson of spider.io is quite extensive, and it describes the vulnerability in detail. He has also presented the code for the exploit itself:
We hope that the importance of this problem is noticed by more people and more security companies and that a tool will be released soon to make IE safe for those who do not want to migrate towards a good browser.
Update: Following the furore surrounding the vulnerability, Microsoft has finally succumbed to the pressure and has now clarified that it is investigating the issue. They still insist that the underlying issue has more to do with competition between analytics companies than consumer safety or privacy, but spider.io’s report paints a different picture altogether.