Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

IE exploit can track mouse cursor...


  • Please log in to reply
4 replies to this topic

#1 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:06:16 PM

Posted 12 December 2012 - 07:49 PM

http://akamai.infoworld.com/d/security/ie-exploit-can-track-mouse-cursor-even-when-youre-not-in-ie-209063?source=rss_security

>>>"As long as the page with the exploitative advertiser's ad stays open -- even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer -- your mouse cursor can be tracked across your entire display," Spider.io said. The company added that, while the problem has been acknowledged by the Microsoft Security Research Center, there are apparently no immediate plans for a patch.<<<

Live Demo: http://iedataleak.spider.io/demo

BC AdBot (Login to Remove)

 


#2 4dude

4dude

  • Members
  • 578 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:16 PM

Posted 13 December 2012 - 03:42 AM

This works ONLY IF YOU HAVE SCRIPTS ENABLED! (I usually have them disabled)

I enabled them just for this test to see exactly what it did then i disabled them again.. (I figured it would only work WITH SCRIPTS)

#3 Union_Thug

Union_Thug

    Bleeps with the fishes...

  • Topic Starter

  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:06:16 PM

Posted 13 December 2012 - 11:15 AM

Thanks, I just disabled active scripting in Ex-PLODE-r and it effectively blocks this exploit. :)

#4 Union_Thug

Union_Thug

    Bleeps with the fishes...

  • Topic Starter

  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:06:16 PM

Posted 14 December 2012 - 08:12 AM

...and the "Evil Empire" (M$) STRIKES BACK!

Update to Alleged Information and Security Issue with Mouse Position Behavior


We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers. We will update this blog with more information as it is available.

Online advertisers started a shift (link) "from a 'served' to a 'viewable' impression[s]." Many different analytics companies stepped up to compete in this space. That competition has had many public results, including lawsuits (link). One of the companies involved in this space is Spider.io, which recently reported an issue in IE involving mouse pointer information. Spider.io is an advertising analytics company. Their recent blog post, "There are two ways to measure ad viewability. There is only one right way," makes their point of view very clear. Different analytics companies use different and equivalent methods to gather consumer information across different browsers on different devices.

The only reported active use of this behavior involves competitors to Spider.io providing analytics. The theoretical use of this behavior to compromise the safety or privacy of consumers is something Microsoft's security team has discussed with researchers across the industry. We take these risks very seriously. Getting all the pieces to line up in order to take advantage of this behavior – serving an ad to a site that asks for a logon, the user using an on screen (or virtual) keyboard, knowing how that onscreen keyboard works – is hard to imagine. From investigating the specific behavior when mouse position data is visible outside the browser window, sites can view only the mouse state; they cannot view the actual content that the user is interacting with. From our conversations with security researchers across the industry, we see very little risk to consumers at this time. As we have stated previously, there are no reported cases of any consumer having their information compromised.

—Dean Hachamovitch, Corporate Vice President, Internet Explorer



#5 Union_Thug

Union_Thug

    Bleeps with the fishes...

  • Topic Starter

  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:06:16 PM

Posted 14 December 2012 - 05:11 PM

...and the "Evil Empire" (M$) STRIKES BACK!
Update to Alleged Information and Security Issue with Mouse Position Behavior

snip

—Dean Hachamovitch, Corporate Vice President, Internet Explorer


How ironical is it that the M$ CVP for Internet Explorer is named Hachamovitch as in HACK-amovitch ***ROFLSNICKER***

Anyhoo...

Microsoft refutes Internet Explorer information disclosure leak
Microsoft: IE mouse tracking vuln no big deal. Sort of... Will fix it anyway. Probably..

Posted Image

Edited by Union_Thug, 14 December 2012 - 05:19 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users