Internet Explorer tracks cursor even when minimised

A security researcher has published yet another reason not to use Internet Explorer for anything, under any circumstances: it can track your mouse cursor movements, even when it’s minimised. Affecting all versions newer than IE 6.0, and with no plans for a fix by Microsoft, the bug is demonstrated here (not being an IE user, …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

Which ad analytics companies?

Would be nice to know

9
0
Bronze badge

Re: Which ad analytics companies?

WHICH anal lit licks company? Well, start with faecebook. Does not fb count nowadays as an analytics tool? Even as an aggregator?

0
20

Re: Which ad analytics companies?

If you used mozilla you could use ghostery. But then, that would defeat the question.

0
0

Re: Which ad analytics companies?

Ghostery works on all browsers. Not just Firefox. I currently have it installed here on Opera. Can be interesting to see how many tracking items appear on some sites!!

(I also block advertiser's domains at the DNS level in my router... a much nicer internet experience all round....)

1
0
Anonymous Coward

Re: Which ad analytics companies?

" anal lit licks"?

Are you 6 years old?

16
1

Re: Which ad analytics companies?

I did not know that.

1
0
Anonymous Coward

Re: Which ad analytics companies?

"block advertiser's domains at the DNS level "

I tried that a while back (via a hosts file), but found pages took AGES longer to load due to the timeouts!

1
0
Bronze badge
Alert

Re: Which ad analytics companies?

""block advertiser's domains at the DNS level "

I tried that a while back (via a hosts file), but found pages took AGES longer to load due to the timeouts!"

I suppose you could setup a small webserver that would send back a 1x1 image for every picture that was requested, or a single line of html saying <html></html> for documents etc. It would be a bit more work though.

0
0
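The small web server suggested in the post above, sketched as an added example (not code from the thread or from any tool named in it): blocked hostnames are pointed at this listener so requests get an instant 1x1 image or `<html></html>` instead of waiting for a timeout. The names `sinkhole_response` and `SinkholeHandler`, the extension list and port 8080 are assumptions made for illustration.

```python
"""Sinkhole web server for blocked ad/tracker hostnames (added example)."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# A 43-byte 1x1 GIF, assembled piece by piece.
PIXEL_GIF = bytes.fromhex(
    "474946383961"            # "GIF89a" signature
    "01000100" "800000"       # 1x1 canvas, 2-colour global table
    "000000" "ffffff"         # colour table: black, white
    "21f9040100000000"        # graphic control ext: colour 0 transparent
    "2c000000000100010000"    # image descriptor, 1x1 at (0,0)
    "0202440100" "3b"         # LZW data for one pixel, trailer
)
EMPTY_HTML = b"<html></html>"
IMAGE_EXTS = (".gif", ".png", ".jpg", ".jpeg", ".webp", ".ico")


def sinkhole_response(path, accept=""):
    """Choose the smallest valid body for a request to a blocked host."""
    clean = path.split("?", 1)[0].lower()   # ignore tracking query strings
    if clean.endswith(IMAGE_EXTS) or accept.startswith("image/"):
        return 200, "image/gif", PIXEL_GIF
    if clean.endswith(".js"):
        return 200, "application/javascript", b""   # empty script, no errors
    return 200, "text/html", EMPTY_HTML


class SinkholeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = sinkhole_response(
            self.path, self.headers.get("Accept", ""))
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        # Let the browser cache the placeholder so repeat hits cost nothing.
        self.send_header("Cache-Control", "max-age=86400")
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_HEAD = do_POST = do_GET

    def log_message(self, fmt, *args):
        pass  # blocked requests are noise; keep the console quiet


def serve(host="127.0.0.1", port=8080):
    """Answer every request with a placeholder (port 8080 is an assumption)."""
    ThreadingHTTPServer((host, port), SinkholeHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

A hosts-file entry resolves to port 80, so the listener has to bind there (or be port-forwarded) to catch those requests, and it answers plain HTTP only; HTTPS requests to blocked names will fail the TLS handshake rather than receive the placeholder.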

Re: Which ad analytics companies?

@dssf: Thank you for your valuable post. I appreciate the time you took to research the subject and comprehensively answer the question posed in the original post. I now know precisely which advertising analytics companies to block in order to mitigate the risk at work. Again, thank you.

0
0
Silver badge

Re: Which ad analytics companies? @AC13:29 re. hosts file sloth

I suspect you didn't read the instructions. Some win os's can't handle large blocklists and totally crawl so you have to turn off the DNS caching service which cures that (turn it off anyway, it does no harm). Things do fly after that.

Anyway, well done for trying, give it another go.

0
0
Linux

Re: Which ad analytics companies?

I use an old Linux router for my DNS blocking, not a hosts file, and that is fine on most sites. It also works house wide for any device in use - PCs, Phones, Tablets, etc. Yet some sites like this here El'Reg always hang for a few seconds when loading up the last part of this page in Opera. 'tis a pain.

But a bit of patience is worth it. Some websites out there just have waaaaaay too many flashing adverts. I get amazed at the YouTube "experience" with adverts enabled.

0
0
Silver badge

Re: Which ad analytics companies?

""block advertiser's domains at the DNS level "

Try Privoxy, a proxy server that you can use to filter out anything you don't want. IIRC, it returns a dummy document or a tiny image for requests that are filtered out, so you don't have to wait for a timeout. Because it's a proxy server, it removes the junk regardless of the browser you're using. You can filter at domain level or any other level. The only shortcoming is that you have to keep the block list up to date yourself, unlike the AdBlock list.

0
0
Silver badge

Microsoft has always been sending stuff back to the mothership. The more worrying thing is that they seem to be lightweights in the 'reporting home' game.

3
1

This post has been deleted by a moderator

Bronze badge
Paris Hilton

Re: info back to the mothership

Okay I have not read the whole exploit info, just this article, but what use is mouse movements when you do not know what they relate to?

My take on this article was that the mouse movements are tracked, what use to analytics is that when the subject matter in question is unknown?

Yes the info on that webpage that the ad appears on is known (maybe) to the people doing the tracking and that is a serious issue. But if it is tracking movements while a background tab or minimized is it really a problem? I am not saying it does not need fixing, but any javascript can already do this if you go to a page with it on.

So advertiser X knows that while playing Battlefield 3 my mouse moves are all over the place, but he does not know I am playing BF3. For all they know I am visiting an XXX site and relieving myself whilst still holding the mouse.

Paris, well I did mention those sites.

2
5
Bronze badge
Trollface

Re: info back to the mothership

It's to spot people drawing big swastikas and anarchy symbols.

0
0
Anonymous Coward

So, will Microsoft demand 30% for anything that is stolen? Why does Microsoft make it so easy for the criminals to get data?

3
3
Anonymous Coward

Oh no, this is terrible!

No wait, hang on, I don't use IE. Carry on.

19
1

Re: Oh no, this is terrible!

Some of us here don't run Windows at all.... It's not like those who do can easily get rid of IE in its entirety, with Windows8 you can turn it off, not remove it easily.

Time and time again Microsoft leave known vulnerabilities in their software sometimes for months/years, I would simply not trust my security in the hands of the McDonalds equivalent of the software world.

That's one of the main problems about non open source software, you are completely at the mercy of one company to fix any known bugs - Known bugs are generally fixed far faster in the opensource world.

8
12

So Micro$oft have fucked things up again

Are any of us really surprised?

8
8
Anonymous Coward

Re: So Micro$oft have fucked things up again

This hardly sounds like a mistake, this sounds deliberate even more so as they seem like they don't give a rat's arse about removing this rather unpleasant "feature"!

12
3
Silver badge
Devil

Oh, I love this!

More ammo for me to strike fear into the hearts of the few die-hards I haven't yet been able to convert to Firefox or Opera from using IE.

With this one I can be more subtle in my conversion attack: I can simply say "Look, just make sure you close all other IE windows and tabs before using your bank because of [the issue in this article]", instead of the more sledge-hammerish "Why are you still using that insecure and user-unfriendly pile of shite!?!"

(Also, I don't want to just preach Firefox, but I don't encourage using Chrome because of Google's spying and malware-like distribution methods, nor Safari because... well, it's Apple. Which pretty much leaves Firefox and Opera as my only reasonable mainstream choices. So I recommend to a user to try both and run with the one they prefer.)

8
8
Anonymous Coward

Re: Oh, I love this!

Unfortunately Firefox has become a memory hungry, bug ridden pile of shite as of late. Shame and it hurts me to say this because it was once my favourite browser, even donated to campaigns like the NYT ad.

Maybe on the back of Google's easy money to keep it as the default search engine they turned more into evangelists of various causes and lost track of what they should really be working on - a great browser.

13
9
Anonymous Coward

Re: Oh, I love this!

How about Chromium or SRWare Iron then?

5
1

Re: Oh, I love this!

I'm with you on this. I used to love Firefox. Unfortunately however over the years not only has resource usage gone up it's not entirely uncommon to see Firefox in infinite loop ("hmm why is my notebook fan suddenly going into hyper-drive when it's only my browser that's open?") and silently consume all available PRAM there is to consume.

It's sad really. It used to be an awesome browser.

I'd never use Opera because of their constant whining to the EU about Microsoft's "monopoly". Perhaps if they weren't charging for a browser back when everyone else was already giving them out for free they'd have less problems today.

Chrome? I've still got this love-hate relationship with it. I've got both Chrome and IE pinned to my task bar with IE being my browser of choice (albeit with cookies and java script disabled globally with a few exceptions for sites I generally trust). I don't know... never really trusted Google I suppose when it came to the topic of "privacy".

This little IE problem here though... that's really become the final straw for me despite my precautions. Even though I have java script disabled for all sites not within my trusted zone it's all too common for websites to be compromised these days.

Back to Chrome it is I guess. Rather Google have my data than a bunch of hackers.

(And yup, I'm paranoid.)

3
5

This post has been deleted by its author

Anonymous Coward

Re: Oh, I love this!

Better advice would be to close all browser sessions, launch a new one to do your banking and then close it when you are finished regardless of which browser you are using.

11
0
Anonymous Coward

Re: Oh, I love this!

"Firefox has become a memory hungry, bug ridden pile of shite as of late."

These statements always make me laugh. I have come across neither issue with Firefox and neither has anybody else I know who uses Firefox.

It's more likely that your computer is a pile of shite.

5
26
Anonymous Coward

Re: Oh, I love this!

Person A: "I got Malaria"

Person B: "These statements always make me laugh. I have never had Malaria and neither has anybody else I know...It's more likely you had a cold"

23
0
Linux

Re: Oh, I love this!

All the people I know who complain about Firefox's memory usage are Windows users.... Maybe it's because you're using a 32bit version (unlike 64bit Linux users).....

http://arstechnica.com/information-technology/2012/11/64-bit-firefox-for-windows-should-be-prioritized-not-suspended/

Chrome is o.k however for working with nothing beats Firefox imo, I never have issues with memory (apart from crappy Flash) with Firefox on 64bit Linux systems and haven't for at least 5 years.

The fact that a majority of software for 64bit Windows is still 32 bit is proof of the damage Microsoft's monopoly is having for technological progress - they didn't start supporting 64 bit in any serious way until 2008(ish).

Even a lot of webserver based software is stuck with 32bit packages in the Windows world i.e PHP

http://windows.php.net/download/#php-5.4 - only x86 packages available for Windows ... in 2012..

God-damn Barbarians.

4
13
Silver badge

Re: Oh, I love this!

There have been issues in the past with Firefox chewing up memory at the same time as AVG chewing up chunks of memory to sandbox the lot.

The 'cure' has always been the same as the old Microsoft advice - you need more memory/faster processor etc. It's your fault for having a crappy system (even though it was fine up to a couple of days ago).

I am one of those who suffered in the past but refused to go out and get more memory to fix someone else's screw-up.

3
1

Re: Oh, I love this!

Another thumbs up for SRWare iron

0
0
Silver badge
Unhappy

Re: Oh, I love this!

I'd never use Opera because of their constant whining to the EU about Microsoft's "monopoly". Perhaps if they weren't charging for a browser back when everyone else was already giving them out for free they'd have less problems today.

Well you'd probably be pretty cheesed off if you coded a product for some years as a means of earning a crust, and then a competitor ripped the rug out from you by giving away a vaguely similar product free, on the back of a monopoly in another business line.

And arguably the reason why IE is so insecure is because nobody pays for it, and there's no commercial market for browsers - so if people don't pay, who's willing to invest in improvements? "Free" software is good because you don't pay for it up front, but you then live with the downsides for some while. Look at how sparse the market is for good email clients - they're mostly free because Outlook Express was given away "free", but there's now not much choice or innovation (even Mozilla parted ways with Thunderbird). Acrobat Reader is another example of "free" meaning "not as good as something there's a market for".

2
5
Linux

Re: Oh, I love this!

> Acrobat Reader is another example of "free" meaning "not as good as something there's a market for"

If you run a Linux distro the native pdf readers are infinitely better than Adobe's piece of crap reader, far faster (I mean far far far faster), less memory usage, far less size file in the app and generally far less exploits than the official adobe reader.

i.e KDE uses okular, Since running Linux I barely even hate .pdf format any more.

p.s We can have the official adobe reader also on Linux but you would have to be messed in the head to do so.

7
1
Silver badge
Windows

Re: Oh, I love this!

God-damn linux fanbois.......

2
6

Re: Oh, I love this!

... Speaking actual facts.

If anyone has used KDE and actually wanted to use the official Adobe reader they need urgent help

2
0
Silver badge

Re: Oh, I love this!

If you run a Linux distro ...

Which I don't. There are acceptable alternatives to Acrobat Reader running under Windows, but the point I was making was quite simply that if you destroy the economics of an established market by giving something away free, even though it cost money to produce, then it is very difficult to remake an economic market, and that harms future product development by all firms. Open Source goes some way to fill the gap, but the mixed views on Firefox illustrate that it isn't a perfect solution, and the lack of polish around all of the few Linux distros I've tried again causes me to be dubious.

Paying for something certainly doesn't mean it is any good. But not paying for it should mean people ask why it is being given away, and what the longer term impact will be.

1
4
Go

Re: Oh, I love this!

"Better advice would be to close all browser sessions, launch a new one to do your banking and then close it when you are finished regardless of which browser you are using."

My bank advises exactly that.

0
0

Re: Oh, I love this!

I have about 150 tabs open in Firefox and I only use 450 Megabytes of RAM. So, I have no idea what has happened to your machine.

2
0
Gold badge

Re: Oh, I love this!

"These statements always make me laugh. I have come across neither issue with Firefox and neither has anybody else I know who uses Firefox."

What a numpty. There's bug reports -- lots of them, with lots of posts apiece -- and lots and lots and lots of other complaints about Firefox memory usage all over the internet. There's 3 issues really *and a solution*:

1) some Firefox versions did have memory use bugs (leaks or excessive usage), since they've gone through like 13 major versions the last couple years. This isn't actually the main problem.

2) People expect more out of their browser now. Opening pages with huge graphics and javascript, lots of tabs, etc., is going to use more RAM than "back in the day".

3) TUNING. To make benchmarks look good, Firefox has ridiculous memory use defaults now! image.mem.max_decoded_image_kb is set to 512000KB, so Firefox will keep all these decoded (huge!!) images for other tabs and such in memory; javascript.options.mem.high_water_mark is set to 128MB. It turns out when Firefox is set to cache 640MB of crap in memory, it uses lots of memory 8-). I turned these WAAAAAY down (1024KB and 8MB), it DRASTICALLY reduced memory use and the only side effect is it takes a fraction of a second to re-decode the images when you switch tabs on my slowest system (and not even a noticeable delay on the others.)

"It's more likely that your computer is a pile of shite."

Spoken like a true Windows user -- the UNIX way is not "Oh, this app will just barely run on a high-end system so it's fine", but rather to keep improving efficiency since, you know, computers can be run multi-user and at that point it's better to not have a single app hog the whole computer.

0
1

Am I missing something here? Every virtual keyboard I've seen jumbles up the keys so knowing where the mouse was when I clicked is completely pointless since you still have no idea which key I clicked on.

I'm with the first AC on this too - which ad companies are using this? It's not something you can do accidentally (unless it's google, when of course it's just a rogue engineer leaving proof of concept code in the project and they're accidentally storing all that mouse location data unwittingly, the poor dears).

9
1
Silver badge

> Every virtual keyboard I've seen jumbles up the keys

Does this work on RT? I assume that has a virtual keyboard where the keys don't move around.

1
2

Re: > Every virtual keyboard I've seen jumbles up the keys

Even on RT you can have the keyboard in various different layouts so you couldn't really know with any sort of certainty which key a user might be clicking on. Nor can you know that the virtual keyboard is visible, the user might well be clicking on just about anything. I'm not overly convinced there is an actual attack vector using this.

0
0
Bronze badge

Faecebook Next?

Faecebook demands javascript in most cases, unless the user is willing to put up with minimally functional pages. I would not be surprised if leaving fb open all the time gives faecebook regular access to clicks and page visits above and beyond referrers in browsers do. If so, then that is a much larger problem than iexploDer

3
23
Bronze badge

Re: Faecebook Next?

Justify that fracking down thumb. Explain yourself, or your vote is just thinly veiled abuse. Explain why fb should not be considered an analytics aggregator. You can't. So, you, and your hurled vote, run along, or be considered a shill.

2
26
Silver badge
Mushroom

Re: Faecebook Next?

It is my considered opinion that if you are not getting downvoted by elreg commentards then you are not trying hard enough.

"Love me or hate me, but spare me your indifference". - Libbie Fudim.

9
2
Anonymous Coward

@Goat Jam

Down voted for no other reason than to balance the stats.....

2
2
Silver badge
Pint

Re: @Goat Jam

Cheers for that!

2
3
Anonymous Coward

Re: Faecebook Next?

OK:

"Faecebook", "Faecebook", "faecebook", "iexploDer"

(-1, unimaginative)

14
0

Re: Faecebook Next?

Faecebook? iexploDer?

Seriously?

7
0
