Internet Explorer tracks cursor even when minimised

A security researcher has published yet another reason not to use Internet Explorer for anything, under any circumstances: it can track your mouse cursor movements, even when it’s minimised. Affecting all versions newer than IE 6.0, and with no plans for a fix by Microsoft, the bug is demonstrated here (not being an IE user, …

COMMENTS

This topic is closed for new posts.


  1. Anonymous Coward

    Which ad analytics companies?

    Would be nice to know

    1. dssf

      Re: Which ad analytics companies?

      WHICH anal lit licks company? Well, start with faecebook. Does not fb count nowadays as an analytics tool? Even as an aggregator?

      1. Anonymous Coward

        Re: Which ad analytics companies?

        " anal lit licks"?

        Are you 6 years old?

      2. Jordan Davenport

        Re: Which ad analytics companies?

        @dssf: Thank you for your valuable post. I appreciate the time you took to research the subject and comprehensively answer the question posed in the original post. I now know precisely which advertising analytics companies to block in order to mitigate the risk at work. Again, thank you.

    2. Nanners

      Re: Which ad analytics companies?

      If you used mozilla you could use ghostery. But then, that would defeat the question.

      1. Mark Allen

        Re: Which ad analytics companies?

        Ghostery works on all browsers. Not just Firefox. I currently have it installed here on Opera. Can be interesting to see how many tracking items appear on some sites!!

        (I also block advertiser's domains at the DNS level in my router... a much nicer internet experience all round....)

        1. Nanners

          Re: Which ad analytics companies?

          I did not know that.

        2. Anonymous Coward

          Re: Which ad analytics companies?

          "block advertiser's domains at the DNS level "

          I tried that while back (via a hosts file), but found pages took AGES longer to load due to the timeouts!

          1. phuzz Silver badge
            Alert

            Re: Which ad analytics companies?

            ""block advertiser's domains at the DNS level "

            I tried that while back (via a hosts file), but found pages took AGES longer to load due to the timeouts!"

            I suppose you could set up a small webserver that would send back a 1x1 image for every picture that was requested, or a single line of html saying <html></html> for documents etc. It would be a bit more work though.

            1. Mark Allen
              Linux

              Re: Which ad analytics companies?

              I use an old Linux router for my DNS blocking, not a hosts file, and that is fine on most sites. It also works house wide for any device in use - PCs, Phones, Tablets, etc. Yet some sites like this here El'Reg always hang for a few seconds when loading up the last part of this page in Opera. 'tis a pain.

              But a bit of patience is worth it. Some websites out there just have waaaaaay too many flashing adverts. I get amazed at the YouTube "experience" with adverts enabled.

            2. Kubla Cant

              Re: Which ad analytics companies?

              ""block advertiser's domains at the DNS level "

              Try Privoxy, a proxy server that you can use to filter out anything you don't want. IIRC, it returns a dummy document or a tiny image for requests that are filtered out, so you don't have to wait for a timeout. Because it's a proxy server, it removes the junk regardless of the browser you're using. You can filter at domain level or any other level. The only shortcoming is that you have to keep the block list up to date yourself, unlike the AdBlock list.
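
A minimal local sinkhole of the kind the two comments above describe (answer blocked requests at once with a 1x1 image or an empty document, so the browser never waits for a timeout). This is an added example, not code from any poster or from Privoxy; `sinkhole_response`, `SinkholeHandler` and `serve` are names made up here. It assumes blocked hostnames resolve to 127.0.0.1 and only covers plain HTTP.

```python
"""Local HTTP sinkhole for hosts-file / DNS ad blocking (illustrative)."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hand-built transparent 1x1 GIF (43 bytes), constructed for this example.
PIXEL_GIF = (
    b"GIF89a"                                    # signature + version
    b"\x01\x00\x01\x00\x80\x00\x00"              # 1x1 canvas, 2-colour table
    b"\x00\x00\x00\xff\xff\xff"                  # colour table: black, white
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"          # graphic control: transparent
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, 1x1
    b"\x02\x02\x44\x01\x00"                      # LZW-compressed pixel data
    b"\x3b"                                      # trailer
)

IMAGE_EXTS = {"gif", "png", "jpg", "jpeg", "webp", "ico", "bmp"}


def sinkhole_response(path, accept=""):
    """Pick an instant, harmless reply for a blocked request.

    Returns (status, content_type, body). The decision uses the file
    extension in the URL path first, then the Accept header, because
    tracking pixels often have no extension at all.
    """
    ext = path.split("?", 1)[0].rsplit(".", 1)[-1].lower()
    if ext in IMAGE_EXTS or accept.startswith("image/"):
        return 200, "image/gif", PIXEL_GIF
    if ext == "js":
        # An empty script parses cleanly, so the page's own code keeps running.
        return 200, "application/javascript", b""
    return 200, "text/html", b"<html></html>"


class SinkholeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = sinkhole_response(
            self.path, self.headers.get("Accept", "")
        )
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET  # beacons sent by POST get the same empty answer

    def log_message(self, fmt, *args):
        pass  # stay quiet; uncomment logging here to see what pages request


def serve(host="127.0.0.1", port=80):
    # Port 80 is where browsers connect for blocked http:// hosts; binding
    # it usually needs administrator rights. Loopback only, never 0.0.0.0.
    HTTPServer((host, port), SinkholeHandler).serve_forever()


if __name__ == "__main__":
    serve()
```
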

          2. BlueGreen

            Re: Which ad analytics companies? @AC13:29 re. hosts file sloth

            I suspect you didn't read the instructions. Some win os's can't handle large blocklists and totally crawl so you have to turn off the DNS caching service which cures that (turn it off anyway, it does no harm). Things do fly after that.

            Anyway, well done for trying, give it another go.

  2. Anonymous Coward

    Microsoft has always been sending stuff back to the mothership. The more worrying thing is that they seem to be lightweights in the 'reporting home' game.

  3. Anonymous Coward

    So, will Microsoft demand 30% for anything that is stolen? Why does Microsoft make it so easy for the criminals to get data?

  4. Anonymous Coward

    Oh no, this is terrible!

    No wait, hang on, I don't use IE. Carry on.

    1. yossarianuk

      Re: Oh no, this is terrible!

      Some of us here don't run Windows at all.... It's not like those who do can easily get rid of IE in its entirety, with Windows8 you can turn it off, not remove it easily.

      Time and time again Microsoft leave known vulnerabilities in their software sometimes for months/years, I would simply not trust my security in the hands of the McDonalds equivalent of the software world.

      That's one of the main problems about non open source software, you are completely at the mercy of one company to fix any known bugs - Known bugs are generally fixed far faster in the opensource world.

  5. Nordrick Framelhammer

    So Micro$oft have fucked things up again

    Are any of us really surprised?

    1. Anonymous Coward

      Re: So Micro$oft have fucked things up again

      This hardly sounds like a mistake, this sounds deliberate even more so as they seem like they don't give a rat's arse about removing this rather unpleasant "feature"!

  6. Steven Roper
    Devil

    Oh, I love this!

    More ammo for me to strike fear into the hearts of the few die-hards I haven't yet been able to convert to Firefox or Opera from using IE.

    With this one I can be more subtle in my conversion attack: I can simply say "Look, just make sure you close all other IE windows and tabs before using your bank because of [the issue in this article]", instead of the more sledge-hammerish "Why are you still using that insecure and user-unfriendly pile of shite!?!"

    (Also, I don't want to just preach Firefox, but I don't encourage using Chrome because of Google's spying and malware-like distribution methods, nor Safari because... well, it's Apple. Which pretty much leaves Firefox and Opera as my only reasonable mainstream choices. So I recommend to a user to try both and run with the one they prefer.)

    1. Anonymous Coward

      Re: Oh, I love this!

      Unfortunately Firefox has become a memory hungry, bug ridden pile of shite as of late. Shame and it hurts me to say this because it was once my favourite browser, even donated to campaigns like the NYT ad.

      Maybe on the back of Google's easy money to keep it as the default search engine they turned more into evangelists of various causes and lost track of what they should really be working on - a great browser.

      1. Anonymous Coward

        Re: Oh, I love this!

        I'm with you on this. I used to love Firefox. Unfortunately however over the years not only has resource usage gone up it's not entirely uncommon to see Firefox in infinite loop ("hmm why is my notebook fan suddenly going into hyper-drive when it's only my browser that's open?") and silently consume all available PRAM there is to consume.

        It's sad really. It used to be an awesome browser.

        I'd never use Opera because of their constant whining to the EU about Microsoft's "monopoly". Perhaps if they weren't charging for a browser back when everyone else was already giving them out for free they'd have less problems today.

        Chrome? I've still got this love-hate relationship with it. I've got both Chrome and IE pinned to my task bar with IE being my browser of choice (albeit with cookies and java script disabled globally with a few exceptions for sites I generally trust). I don't know... never really trusted Google I suppose when it came to the topic of "privacy".

        This little IE problem here though... that's really become the final straw for me despite my precautions. Even though I have java script disabled for all sites not within my trusted zone it's all too common for websites to be compromised these days.

        Back to Chrome it is I guess. Rather Google have my data than a bunch of hackers.

        (And yup, I'm paranoid.)

        1. Anonymous Coward
          Unhappy

          Re: Oh, I love this!

          > I'd never use Opera because of their constant whining to the EU about Microsoft's "monopoly". Perhaps if they weren't charging for a browser back when everyone else was already giving them out for free they'd have less problems today.

          Well you'd probably be pretty cheesed off if you coded a product for some years as a means of earning a crust, and then a competitor ripped the rug out from you by giving away a vaguely similar product free, on the back of a monopoly in another business line.

          And arguably the reason why IE is so insecure is because nobody pays for it, and there's no commercial market for browsers - so if people don't pay, who's willing to invest in improvements? "Free" software is good because you don't pay for it up front, but you then live with the downsides for some while. Look at how sparse the market is for good email clients - they're mostly free because Outlook Express was given away "free", but there's now not much choice or innovation (even Mozilla parted ways with Thunderbird). Acrobat Reader is another example of "free" meaning "not as good as something there's a market for".

          1. yossarianuk
            Linux

            Re: Oh, I love this!

            > Acrobat Reader is another example of "free" meaning "not as good as something there's a market for"

            If you run a Linux distro the native pdf readers are infinitely better than Adobe's piece of crap reader, far faster (I mean far far far faster), less memory usage, far less size file in the app and generally far less exploits than the official adobe reader.

            i.e KDE uses okular, Since running Linux I barely even hate .pdf format any more.

            p.s We can have the official adobe reader also on Linux but you would have to be messed in the head to do so.

            1. Anonymous Coward

              Re: Oh, I love this!

              > If you run a Linux distro ...

              Which I don't. There are acceptable alternatives to Acrobat Reader running under Windows, but the point I was making was quite simply that if you destroy the economics of an established market by giving something away free, even though it cost money to produce, then it is very difficult to remake an economic market, and that harms future product development by all firms. Open Source goes some way to fill the gap, but the mixed views on Firefox illustrate that it isn't a perfect solution, and the lack of polish around all of the few Linux distros I've tried again causes me to be dubious.

              Paying for something certainly doesn't mean it is any good. But not paying for it should mean people ask why it is being given away, and what the longer term impact will be.

      2. Anonymous Coward

        Re: Oh, I love this!

        "Firefox has become a memory hungry, bug ridden pile of shite as of late."

        These statements always make me laugh. I have come across neither issue with Firefox and neither has anybody else I know who uses Firefox.

        It's more likely that your computer is a pile of shite.

        1. Anonymous Coward

          Re: Oh, I love this!

          Person A: "I got Malaria"

          Person B: "These statements always make me laugh. I have never had Malaria and neither has anybody else I know...It's more likely you had a cold"

        2. Elmer Phud

          Re: Oh, I love this!

          There have been issues in the past with Firefox chewing up memory at the same time as AVG chewing up chunks of memory to sandbox the lot.

          The 'cure' has always been the same as the old Microsoft advice - you need more memory/faster processor etc. It's your fault for having a crappy system (even though it was fine up to a couple of days ago).

          I am one of those who suffered in the past but refused to go out and get more memory to fix someone else's screw-up.

        3. Henry Wertz 1 Gold badge

          Re: Oh, I love this!

          "These statements always make me laugh. I have come across neither issue with Firefox and neither has anybody else I know who uses Firefox."

          What a numpty. There's bug reports -- lots of them, with lots of posts apiece -- and lots and lots and lots of other complaints about Firefox memory usage all over the internet. There's 3 issues really *and a solution*:

          1) some Firefox versions did have memory use bugs (leaks or excessive usage), since they've gone through like 13 major versions the last couple years. This isn't actually the main problem.

          2) People expect more out of their browser now. Opening pages with huge graphics and javascript, lots of tabs, etc., is going to use more RAM than "back in the day".

          3) TUNING. To make benchmarks look good, Firefox has ridiculous memory use defaults now! image.mem.max_decoded_image_kb is set to 512000KB, so Firefox will keep all these decoded (huge!!) images for other tabs and such in memory; javascript.options.mem.high_water_mark is set to 128MB. It turns out when Firefox is set to cache 640MB of crap in memory, it uses lots of memory 8-). I turned these WAAAAAY down (1024KB and 8MB), it DRASTICALLY reduced memory use and the only side effect is it takes a fraction of a second to re-decode the images when you switch tabs on my slowest system (and not even a noticeable delay on the others.)

          "It's more likely that your computer is a pile of shite."

          Spoken like a true Windows user -- the UNIX way is not "Oh, this app will just barely run on a high-end system so it's fine", but rather to keep improving efficiency since, you know, computers can be run multi-user and at that point it's better to not have a single app hog the whole computer.

      3. yossarianuk
        Linux

        Re: Oh, I love this!

        All the people I know who complain about Firefox's memory usage are Windows users.... Maybe it's because you're using a 32bit version (unlike 64bit Linux users).....

        http://arstechnica.com/information-technology/2012/11/64-bit-firefox-for-windows-should-be-prioritized-not-suspended/

        Chrome is o.k however for working with nothing beats Firefox imo, I never have issues with memory (apart from crappy Flash) with Firefox on 64bit Linux systems and haven't for at least 5 years.

        The fact that a majority of software for 64bit Windows is still 32 bit is proof of the damage Microsoft's monopoly is having for technological progress - they didn't start supporting 64 bit in any serious way until 2008(ish).

        Even a lot of webserver based software is stuck with 32bit packages in the Windows world i.e PHP

        http://windows.php.net/download/#php-5.4 - only x86 packages available for Windows ... in 2012..

        God-damn Barbarians.

        1. Anonymous Coward
          Windows

          Re: Oh, I love this!

          God-damn linux fanbois.......

          1. yossarianuk

            Re: Oh, I love this!

            ... Speaking actual facts.

            If anyone has used KDE and actually wanted to use the official Adobe reader they need urgent help

      4. Paratrooping Parrot

        Re: Oh, I love this!

        I have about 150 tabs open in Firefox and I only use 450 Megabytes of RAM. So, I have no idea what has happened to your machine.

    2. Anonymous Coward

      Re: Oh, I love this!

      How about Chromium or SRWare Iron then?

      1. BoldMan

        Re: Oh, I love this!

        Another thumbs up for SRWare iron

    3. This post has been deleted by its author

    4. Anonymous Coward

      Re: Oh, I love this!

      Better advice would be to close all browser sessions, launch a new one to do your banking and then close it when you are finished regardless of which browser you are using.

      1. Wensleydale Cheese
        Go

        Re: Oh, I love this!

        "Better advice would be to close all browser sessions, launch a new one to do your banking and then close it when you are finished regardless of which browser you are using."

        My bank advises exactly that.

  7. Invidious Aardvark

    Am I missing something here? Every virtual keyboard I've seen jumbles up the keys so knowing where the mouse was when I clicked is completely pointless since you still have no idea which key I clicked on.

    I'm with the first AC on this too - which ad companies are using this? It's not something you can do accidentally (unless it's google, when of course it's just a rogue engineer leaving proof of concept code in the project and they're accidentally storing all that mouse location data unwittingly, the poor dears).

    1. P. Lee

      > Every virtual keyboard I've seen jumbles up the keys

      Does this work on RT? I assume that has a virtual keyboard where the keys don't move around.

      1. El Andy

        Re: > Every virtual keyboard I've seen jumbles up the keys

        Even on RT you can have the keyboard in various different layouts so you couldn't really know with any sort of certainty which key a user might be clicking on. Nor can you know that the virtual keyboard is visible, the user might well be clicking on just about anything. I'm not overly convinced there is an actual attack vector using this.

  8. dssf

    Faecebook Next?

    Faecebook demands javascript in most cases, unless the user is willing to put up with minimally functional pages. I would not be surprised if leaving fb open all the time gives faecebook regular access to clicks and page visits above and beyond referrers in browsers do. If so, then that is a much larger problem than iexploDer

    1. dssf

      Re: Faecebook Next?

      Justify that fracking down thumb. Explain yourself, or your vote is just thinly veiled abuse. Explain why fb should not be considered an analytics aggregator. You can't. So, you, and your hurled vote, run along, or be considered a schill.

      1. Goat Jam
        Mushroom

        Re: Faecebook Next?

        It is my considered opinion that if you are not getting downvoted by elreg commentards then you are not trying hard enough.

        "Love me or hate me, but spare me your indifference". - Libbie Fudim.

        1. Anonymous Coward

          @Goat Jam

          Down voted for no other reason than to balance the stats.....

          1. Goat Jam
            Pint

            Re: @Goat Jam

            Cheers for that!

        2. dssf

          Re: Faecebook Next?

          I gave you a thumbs up, since you helped me feel a bit better about the detritus hurled at me.

          I think it IS a good idea for me to not give a damn about the rank rankings of the feeble-minded, the shills, and the rabid-fans of whomever my comments are aimed at. It just would be pretty kewl if downthumbers were algorithm-managed to prevent a$$holes from flexing their muscles too much. No down-thumbing without justification, point by point. No downthumbing with anonymity, to balance out the hit-and-run attacks. But, NO decent programmers or moderators dare invoke such a system lest they face the wrath of their commentards, who probably donate or influence in some way a huge number of forums out there.

          Sad state of affairs. But, 635 + and 652- is probably a good trend. Just this morning, I was around 637+ and 602 -, and the ms, apple, and fb shils ripped my ass from continent to continent.... To leave me INcontinent....

      2. Anonymous Coward

        Re: Faecebook Next?

        OK:

        "Faecebook", "Faecebook", "faecebook", "iexploDer"

        (-1, unimaginative)

        1. dssf

          Re: Faecebook Next?

          See, there is the problem... Trying to "enhance" or read into someone else's (my lame) lame jokes to your own satisfaction. Why not just WRITE your own instead of being a voice killer. I wasn't trying to be imaginative. I WAS conveying displeasure with those products. Imagine if I could muster up 50 or 60 friends, or a bot farm, and just start geographically originating down mods randomly or against everything *I* was a lame joke, or a strong opinion. If I got caught, I'd be banned. If not a bot, then rank or position would spare me if I were high enough. I am not directly attacking the moderator, but I **DO** strongly feel that unfettered assailing of a fellow commentard is tantamount to bullying. Unfortunately, hardly ever is there a counterforce to clamp down at the commentard level, and then whinging to the moderator of a typical site just elicits not much. If I designed a moderator system, it would be heuristic, and it would reward positive behavior, not mood-killing behavior. Attack politicians, stupid corporate behavior, not a thought out missive or half-baked (but non-radioactive) joke.

          Now, I will probably incur 40-50 more hits for daring to defend myself or to appear to be "lecturing"....

          I do not think in the entire year + that I have commented on this forum that I have EVER down-modded anyone. I do not go and just randomly up-mod, either, but I do occasionally upmod. I disparage events, and lame corporate behavior, but I try not to tear down or berate fellow commentards unless I am singled out or feel singled out. Unfortunately, trying to reason with what should be reasonable people is like an ant trying to move a bulldozer.

          Sigh.

      3. Woodgar

        Re: Faecebook Next?

        Faecebook? iexploDer?

        Seriously?

      4. Anonymous Coward

        Re: Faecebook Next? @dssf

        Tee hee - whining about downvotes just to up your post count in hope of getting a better badge. As if word plays on product names isn't lame enough. And then you compound it with the old shill argument. And get the spelling wrong on that! "Just thinly veiled abuse" - hmm. Seems you're either a psychology student or a 12 year old who's a patient for one :)
