back to article Microsoft: IE mouse tracking vuln no big deal. Sort of...

Microsoft has dismissed allegations that Internet Explorer can allow attackers to track the position of the user's mouse cursor, arguing that the original report was self-serving and that the observed behavior does not represent a credible threat. "From what we know now, the underlying issue has more to do with competition …

COMMENTS

This topic is closed for new posts.
  1. Old Handle

    Gotta side with MS on this one

    While there's no need for a minimized window to know the mouse position, I don't consider mouse position nearly as sensitive as keyboard input. It should still be fixed though. But where to set the limit is an interesting question. Off the top of my head, I'd say that a page in a minimized window or an inactive tab has no legitimate reason to track the mouse. But I'm not completely sure about the active tab of a background window. I'm imagining some web app that involves dragging elements chosen from a pop-up window into the main one or something like that. Seems like that could have valid uses, although there may be a better way to accomplish it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Gotta side with MS on this one

      > While there's no need for a minimized window to know the mouse position, I don't consider mouse position nearly as sensitive as keyboard input. It should still be fixed though ..

      It defeats virtual keyboards .. which are used to defeat against key loggers ...

      1. Ole Juul
        Coat

        Re: Gotta side with MS on this one

        It defeats virtual keyboards .. which are used to defeat against key loggers ...

        I'm sticking with punch cards just to be safe.

      2. Anonymous Coward
        Anonymous Coward

        Re: Gotta side with MS on this one

        "It defeats virtual keyboards .. which are used to defeat against key loggers ..."

        Except that it has no idea what applications are running that you're using. e.g. a memory game like pairs will have the same movement as a keypad. I doubt the processing to identify these patterns is worth the results.

        The fact virtual keyboards are used to get around key loggers implies key loggers can be installed onto the targets machine. It would be far easier to use a modified key logger that checks the process exe name and screen captures it and the mouse movements than rely on this mouse tracking lark from IE. The modified key logger also has the advantage of capturing virtual keyboards that move keys around.

        While I agree this is a risk, it's a bloody small one and you'd have to be one ambitious attacker to rely on it.

      3. Anonymous Coward
        Anonymous Coward

        Re: Gotta side with MS on this one

        I only have one site that requires a virtual keyboard - for online banking. It comes up in a different location each time, and the order of the keys are different each time. Knowing my mouse movements or locations is of no help here. Unless they're willing to play the long game on just how random those positions really are.....but for it to be useful they'd need the other 3 factors my banking site requires to get in and do damage.

  2. djack
    Facepalm

    Just becasue you can't see a viable attack vector ...

    ... doesn't mean that there isn't one, or that no-one else will figure one out.

    The assumption that you are cleverer and more prepared than those out to get you is the best way to set yourself up for a fall.

  3. Anonymous Coward
    Anonymous Coward

    I am old fashioned. I want the choice to have the "feature" active or not.

    Until then, I am using an alternative browser.

  4. pixl97
    FAIL

    Microsoft's answer:

    "Bla bla, no current threat, bla bla hypothetical, bla bla hard to exploit, bla bla."

    The correct answer:

    "Oops, our mistake, we'll fix that."

    1. MIc
      Thumb Down

      I like how you make this generalization about the one software company that patches its software faster and more regularly than any other software shop.

      admit it. It's just hip to be negative and cynical about everything with the Reg community.

      1. pixl97

        Re:

        I'm negative and cynical about everything without the Reg communities help, thank you.

        And I will keep the flame to EVERY software providers feet on keeping their products patched. Open Source, Commercial, Freeware, and locked down and private. Remember Microsoft responds to security threats these days pretty well, because in the past they did not. Microsoft addresses security issues relatively responsibly because sitting on the problem and hiding it or going after the researchers ended up with the bugs hitting full disclosure lists and turning in to 0-day exploits.

      2. Anonymous Coward
        Anonymous Coward

        Faster than anyone else? Come on now...

        Please warn me when Microsoft will be able to distribute a fix in less than 24 hours like it's commonplace on (an)other OS despite the greater distance between the upstream devs and the distro maintainers.

        In the meantime, enjoy your years-old vulns that MS can't be arsed to fix.

        1. Anonymous Coward
          Anonymous Coward

          @AC

          "Please warn me when Microsoft will be able to distribute a fix in less than 24 hours"

          The DigiNotar incident for example? Where a CA, actively used by our Dutch government no less, was discovered to be overrun by kiddies and their root certificates completely overrun. All thanks to high tech security such as outdated virus scanners (when any were present) and unsupported OS's. Yeah, our government are zmartz pplz when it comes to IT "zecurity".

          Microsoft was ready to revoke the certs ASAP, it would have been pretty near 24Hr response. But only to be thwarted by our government to delay the update for 1 - 2 weeks because those idiots feared that their websites might otherwise stop working.

          <sneer>Who cares about the population now at risk of running into legit looking fraud sites? Not our Dutch government; no, its their sites which are much more important </sneer>

  5. Azzy

    This seems useful for spear phishing...

    Don't have to get em to open a poisoned document, or enter info on a phishing site. Just get em to open an inoccuous page in another tab, and then go back to what they were doing (maybe a page with a video on it that'll take a while to load, so they'll get bored and tab away), or let it open a pop-under advert. And then wait for them to log onto the system with an onscreen keyboard. You know where to expect the clicks for each key because you've gone to the login page and been asked to enter the PW on the onscreen keyboard yourself.

    For home users, it's just a typical advertising/privacy concern. But in situations where security is critical, it provides a way of bypassing a standard defense against keylogging, and gives spear phishers another weapon.

    The only saving grace is the fact that noplace where security matters uses IE, and if they do, they deserve what they get - but this isn't an excuse Microsoft would hold up for why they don't need to fix it.

  6. CleatsAndCode
    WTF?

    Spider.io may have competitors, but they have discovered, in my opinion- a pretty big vulnerability within IE. This is where heat mapping with analytics crosses the border with more sinister intentions. Good luck to spider, and I wish them well.

    1. MIc

      buzz word bingo

      what the hell does that even mean. You just jammed a bunch of tech words you head one time to make it sounds like you had a legit idea.

      "heat mapping with analytics "???? please create a working prototype

      1. Anonymous Coward
        Holmes

        Re: buzz word bingo

        "Heat mapping with analytics" may be inelegantly stated, but if I am understanding what the previous poster said, he is referring to the ability to see which places a cursor congregates around in the UI using analytical packages, which would give the analyst insight into what the user is doing. That insight can be used for nefarious reasons.

  7. M Gale

    Well there's an opportunity.

    Like a more-selective script blocker. "Allow this site to see your mouse movements? (Y/N)"

    Combine it with things like "location", "screen orientation" and various other things that modern browsers are quite happy to blindly report to whoever asks for it.

    1. Bush_rat
      Mushroom

      Re: Well there's an opportunity.

      Oh god, not my orientation!

  8. WaveSynthBeep
    FAIL

    Hello Mr Bayes

    If apps like Swype can work out what I'm trying to type by a few inaccurate slidey movements on a touchscreen, an attacker sure as hell can. It's just an application of stats, and not very complex stats at that.

    1. El Andy

      Re: Hello Mr Bayes

      Apps like Swype know what you are sliding your fingers over. That makes all the difference between making it possible to determine what you're trying to type and just having random movements. The point the IE team are making is that without that sort of knowledge (which you can't get from this 'vulnerability') the potential for realistic exploitation is incredibly slim.

      1. WaveSynthBeep

        Re: Hello Mr Bayes

        That doesn't matter for pattern matching. Humans can recognise written signatures whatever they're written on, however they're scaled, even if slightly mis-shapen. It's the relative movements that count. And it's a numbers game - even if only 1% matches succeed that's still a win.

  9. Nuke
    Facepalm

    FTFA:- "This is a matter for the public to decide – in particular, it's a matter for the privacy experts"

    Self-contradiction in one. Well done!

This topic is closed for new posts.

Other stories you might like