Internet Explorer tracks cursor even when minimised A security researcher has published yet another reason not to use Internet Explorer for anything, under any circumstances: it can track your mouse cursor movements, even when it’s minimised. Affecting all versions newer than IE 6.0, and with no plans for a fix by Microsoft, the bug is demonstrated here (not being an IE user, …
@dssf: Thank you for your valuable post. I appreciate the time you took to research the subject and comprehensively answer the question posed in the original post. I now know precisely which advertising analytics companies to block in order to mitigate the risk at work. Again, thank you.
Ghostery works on all browsers. Not just Firefox. I currently have it installed here on Opera. Can be interesting to see how many tracking items appear on some sites!!
(I also block advertiser's domains at the DNS level in my router... a much nicer internet experience all round....)
""block advertiser's domains at the DNS level "
I tried that while back (via a hosts file), but found pages took AGES longer to load due to the timeouts!"
I suppose you could setup a small webserver that would send back a 1x1 image for every picture that was requested, or a single line of html saying <html></html> for documents etc. It would be a bit more work though.
I use an old Linux router for my DNS blocking, not a hosts files, and that is fine on most sites. It also works house wide for any device in use - PCs, Phones, Tablets, etc. Yet some sites like this here El'Reg always hang for a few seconds when loading up the last part of this page in Opera. 'tis a pain.
But a bit of patience is worth it. Some websites out there just have waaaaaay too many flashing adverts. I get amazed at the YouTube "experience" with adverts enabled.
""block advertiser's domains at the DNS level "
Try Privoxy, a proxy server that you can use to filter out anything you don't want. IIRC, it returns a dummy document or a tiny image for requests that are filtered out, so you don't have to wait for a timeout. Because it's a proxy server, it removes the junk regardless of the browser you're using. You can filter at domain level or any other level. The only shortcoming is that you have to keep the block list up to date yourself, unlike the AdBlock list.
I suspect you didn't read the instructions. Some win os's can't handle large blocklists and totally crawl so you have to turn off the DNS caching service which cures that (turn it off anyway, it does no harm). Things do fly after that.
Anyway, well done for trying, give it another go.
Some of here don't run Windows at all.... Its not like those who do can easily get rid of IE in its entirety, with Windows8 you can turn it off, not remove it easily.
Time and time again Microsoft leave known vulnerabilities in their software sometimes for months/years, I would simply not trust my security in the hands of the McDonalds equivalent of the software world.
That's one of the main problems about non open source software, you are completely at the mercy of one company to fix any known bugs - Known bugs are generally fixed far faster in the opensource world.
More ammo for me to strike fear into the hearts of the few die-hards I haven't yet been able to convert to Firefox or Opera from using IE.
With this one I can be more subtle in my conversion attack: I can simply say "Look, just make sure you close all other IE windows and tabs before using your bank because of [the issue in this article]", instead of the more sledge-hammerish "Why are you still using that insecure and user-unfriendly pile of shite!?!"
(Also, I don't want to just preach Firefox, but I don't encourage using Chrome because of Google's spying and malware-like distribution methods, nor Safari because... well, it's Apple. Which pretty much leaves Firefox and Opera as my only reasonable mainstream choices. So I recommend to a user to try both and run with the one they prefer.)
Unfortunately Firefox has become a memory hungry, bug ridden pile of shite as of late. Shame and it hurts me to say this because it was once my favourite browser, even donated to compaigns like the NYT ad.
Maybe on the back of Google's easy money to keep it as the default search engine they turned more into evangelists of various causes and lost track of what they should really be working on - a great browser.
I'm with you on this. I used to love Firefox. Unfortunately however over the years not only has resource usage gone up it's not entirely uncommon to see Firefox in infinite loop ("hmm why is my notebook fan suddenly going into hyper-drive when it's only my browser that's open?") and silently consume all available PRAM there is to consume.
It's sad really. It used to be an awesome browser.
I'd never use Opera because of their constant whining to the EU about Microsoft's "monopoly". Perhaps if they weren't charging for a browser back when everyone else was already giving them out for free they'd have less problems today.
Chrome? I've still got this love-hate relationship with it. I've got both Chrome and IE pinned to my task bar with IE being my browser of choice (albeit with cookies and java script disabled globally with a few exceptions for sites I generally trust). I don't know... never really trusted Google I suppose when it came to the topic of "privacy".
This little IE problem here though... that's really become the final straw for me despite my precautions. Even though I have java script disabled for all sites not within my trusted zone it's all too common for websites to be compromised these days.
Back to Chrome it is I guess. Rather Google have my data than a bunch of hackers.
(And yup, I'm paranoid.)
I'd never use Opera because of their constant whining to the EU about Microsoft's "monopoly". Perhaps if they weren't charging for a browser back when everyone else was already giving them out for free they'd have less problems today.
Well you'd probably be pretty cheesed off if you coded a product for some years as a means of earning a crust, and then a competitor ripped the rug out from you by giving away a vaguely similar product free, on the back of a monopoly in another business line.
And arguably the reason why IE is so insecure is because nobody pays for it, and there's no commercial market for browsers - so if people don't pay, who's willing to invest in improvements? "Free" software is good because you don't pay for it up front, but you then live with the downsides for some while. Look at how sparse the market is for good email clients - they're mostly free because Outlook Express was given away "free", but there's now not much choice or innovation (even Mozilla parted ways with Thunderbird). Acrobat Reader is another example of "free" meaning "not as good as something there's a market for".
> Acrobat Reader is another example of "free" meaning "not as good as something there's a market for"
If you run a Linux distro the native pdf readers are infinitely better than Adobes piece if crap reader, far faster (I mean far far far faster), less memory usage, far less size file in the app and generally far less exploits than the official adobe reader.
i.e KDE uses okular, Since running Linux I barely even hate .pdf format any more.
p.s We can have the official adobe reader also on Linux but you would have to be messed in the head to do so.
If you run a Linux distro ...
Which I don't. There are acceptable alternatives to Acrobat Reader running under Windows, but the point I was making was quite simply that if you destroy the economics of an established market by giving something away free, even though it cost money to produce, then it is very difficult to remake an economic market, and that harms future product development by all firms. Open Source goes some way to fill the gap, but the mixed views on Firefox illustrate that it isn't a perfect solution, and the lack of polish around all of the few Linux distros I've tried again causes me to be dubious.
Paying for something certainly doesn't mean it is any good. But not paying for it should mean people ask why it is being given away, and what the longer term impact will be.
There have been issues in the past with Firefox chewing up memory at the same time as AVG chewing up chunks of memory to sandbox the lot.
The 'cure' has always been the same as the old Microsoft advice - you need more memory/faster processor etc. It's your fault for having a crappy system (even though it was fine up to a couple of days ago).
I am one of those who suffered in the past but refused to go out and get more memory to fix someone elses screw-up.
"These statements always make me laugh. I have come across neither issue with Firefox and neither has anybody else I know who uses Firefox."
What a numpty. Theres bug reports -- lots of them, with los of posts apeice -- and lots and lots and lots of other complaints about Firefox memory usage all over the internet. There's 3 issues really *and a solution*:
1) some Firefox versions did have memory use bugs (leaks or excessive usage), since they've gone thorugh like 13 major versions the last couple years. This isn't actually the main prolem.
2) People expect more out of their browser now. Opening pages with huge graphics and javascript, lots of tabs, etc., is going to use more RAM than "back in the day".
3) TUNING. To make benchmarks look good, Firefox has ridiculous memory use defaults now! image.mem.max_decoded_image_kb is set to 512000KB, so Firefox will keep all these decoded (huge!!) images for other tabs and such in memory; javascript.options.mem.high_water_mark is set to 128MB. It turns out when Firefox is set to cache 640MB of crap in memory, it uses lots of memory 8-). I turned these WAAAAAY down (1024KB and 8MB), it DRASTICALLY reduced memory use and the only side effect is it takes a fraction of a second to re-decode the images when you switch tabs on my slowest system (and not even a noticeable delay on the others.)
"It's more likely that your computer is a pile of shite."
Spoken like a true Windows user -- the UNIX way is not "Oh, this app will just barely run on a high-end system so it's fine", but rather to keep improving efficiency since, you know, computers can be run multi-user and at that point it's better to not have a single app hog the whole computer.
All the people I know who complain about Firefox's memory usage are Windows users.... Maybe its because your using a 32bit version (unlike 64bit Linux users).....
http://arstechnica.com/information-technology/2012/11/64-bit-firefox-for-windows-should-be-prioritized-not-suspended/
Chrome is o.k however for working with nothing beats Firefox imo, I never have issues with memory (apart from crappy Flash) with Firefox on 64bit Linux systems and haven't for at least 5 years.
The fact that a majority of software for 64bit Windows is still32 bit is proof of the damage Microsoft's monopoly is having for technological progress - they didn't start supporting 64 bit in any serious way until 2008(ish).
Even a lot of webserver based software is stuck with 32bit packages in the Windows world i.e PHP
http://windows.php.net/download/#php-5.4 - only x86 packages available for Windows ... in 2012..
God-damn Barbarians.
This post has been deleted by its author
I am missing something here? Every virtual keyboard I've seen jumbles up the keys so knowing where the mouse was when I clicked is completely pointless since you still have no idea which key I clicked on.
I'm with the first AC on this too - which ad companies are using this? It's not something you can do accidentally (unless it's google, when of course it's just a rogue engineer leaving proof of concept code in the project and they're accidentally storing all that mouse location data unwittingly, the poor dears).
Even on RT you can have the keyboard in various different layouts so you couldn't really know with any sort of certainty which key a user might be clicking on. Nor can you know that the virtual keyboard is visible, the user might well be clicking on just about anything. I'm not overly convinced there is an actual attack vector using this.
Faecebook demands javascript in most cases, unles the user is willing to put up with minimally functional pages. I would not be surprised if leaving fb open all the time gives faecebook regular access to clicks and page visits above and beyond referrers in browsers do. If so, then that is a much larger problem that iexploDer
I gave. You a thumbs up, since you helped me feel a bit better about the detritus hurled at me.
I think it IS a good idea for me to not give a damn about the rank rankings of the feeble-minded, the shills, and the rabid-fans of whomever my comments are aimed at. It just would be pretty kewl if downthumbers were algorithm-managed to prevent a$$holes from flexing their muscles too much. No down-thumbing without justification, point by point. No downthumbing with anonymity, to balance out the hit-and-run attacks. But, NO decent programmers or moderators dare invoke such a system lest they face the wrath of their commentards, who probably donate or influence in some way a huge number of forums out there.
Sad state of affairs. But, 635 + and 652- is probably a good trend .Just this morning, I was around 637+ and 602 -, and the ms, apple, and fb shils ripped my ass from continent to continent.... To leave me INcontinent....
See, there's is tthe problem... Trying to "enhance" or read into someone else's (my lame) lame jokes to your own satisfaction. Why not just WRITE your own instead of being a voice killer. I wasn't trying to be imaginative. I WAS conveying displeasure with those products. Imagine if I could muster up 50 or 60 friends, or a bot farm, and just start geographically originating down mods randomly or against everything *I* was a lame joke, or a strong opinion. If I got caught, I'd be banned. If not a bot, then rank or position would spare me if I were high enough. I am not directly attacking the moderator, but I **DO** strongly feel that unfettered assailing of a fellow commentart is tantamount to bullying. Unfortunately, hardly ever is there a counterforce to clamp down at the commentard level, and then whinging to the moderator of a typical site justs elicits not much. If I designed a moderator system, it would be heuristic, and it would reward positive behaivor, not mood-killing behavior. Attack politicians, stupid corporate behavior, not a thought out missive or half-baked (but non-radioactive) joke.
Now, I will probably incure 40-50 more hits for daring to defend myself or to appear to be "lecturing"....
I do not think in the entire year + that I have commented on this forum that I have EVER down-modded anyone. I do not go and just randomly up-mod, either, but I do occasionally upmod. I disparage events, and lame corporate behavior, but I try not to tear down or berate fellow commentards unless I am singled out or feel singled out. Unfortunately, trying to reason with what should be reasonable people is like an ant trying to move a bulldozer.
Sigh.
Tee hee - whining about downvotes just to up your post count in hope of getting a better badge. As if word plays on product names isn't lame enough. And then you compound it with the old shill argument. And get the spelling wrong on that! "Just thinly veiled abuse" - hmm. Seems you're either a psychology student or a 12 yar old who's a patient for one :)
GROW UP. You do not know me, and have no real need to go off on personal attacks when I didn't single you out as a person. Why do you think I need a shrink? Yes, I incorrectly spelled a word, but reasonable people go for the intent, not the minor spelling error. Disclaimer: I am guilty of occasionally making hints about a spelling error in a post, but I try to elicit humor, not negativity, since I despise bullies or those behaving as bullies.
Down voted and survey says:
While you may have initially started out with a valid point you, yourself, went above and beyond on the rantings about the voting here. While it may be that you make some valid points about the voting system here these points can also be looked at as this: Why make down voting (or any voting on ElReg) require a post about why the vote was posted? This basically negated the AC icon here and opens up a world of shit on those who may agree or disagree with a certain point. I'm not having it. Once you went on the attack to bitch and whine about being down voted you came across as a 12 year old having a temper tantrum. Your continued responses to this fact just serve to make you look like even more of a child.
Who gives a shit about the ups and downs a persons particular account has? About the only thing I cared about recently was that 1000 post milestone that has taken me 5 sad years to accumulate. If you want to bitch about your totals heres something you can shoot for.
"In total, your posts have been upvoted 847 times and downvoted 345 times."
Read from it what you will but I see from that, that at least most of the crap I spew resonants with the local commentards and that most tend to like what I have to say. I would rather not be Barry Shitpeas where everyone hates me but loves reading the next pile of trash I spew out.
Just my 2 cents.
Now, i will give my first -1 JUST because you had the unctuous temerity to accuse me of going after a badge. I do NOT gie a fuck about the posting badge. I never had any say in its arrival, and i do not know how to turn it off. My posting count is well over 650, and when the badge arrived, i was over 600 or so. So, go give yourself a cold, self-aggrandizing shower.
I rarely, if ever see people downvoted for calling facebook facefuck or other names.
As an ac, you have the luxury of not being doenmodded every time you post. But, i do not post as ac for any reason, especially not for the purpose of criticizing anyone. And, i do not vendetra rate, either.
So, keep the run-him-away downmods. Oming. When the management wakes up, if ever it gets around to changing hands, it might enhance the voting code go nullify malicious voding and weed out vicious downvoters. But, we shall see...
You might also want to ask her if her if she's ever moved or resized the onscreen keyboard window, and if the way she moves the mouse pointer over the window would give any clues as to which keys she's selecting. The demonstration page linked to in this article shows that IE doesn't capture mouse clicks, so the attacker would need to infer clicks from some signature behaviour in the position data. And AFAIK, IE doesn't allow a script to determine the position or size of another application window, so unless the onscreen keyboard has never been moved/resized then there's no way for the attacker to know for sure whether or not the pointer position corresponds to a position within the keyboard window, let alone which of the keys within that window it then corresponds to.
Mouse cursor? This: -> _ is a cursor, a text input position indicator. This is a pointer.
Well, it's called a cursor in CSS and in such GUI APIs as I'm familiar with.
The trouble with calling it a pointer is that "pointer" is normally used for a particular type of cursor, to distinguish it from text cursors, resize cursors, wait cursors and so forth. But you can call it whatever you like.
"Although they see Redmond recapturing some market share thanks to the introduction of Windows 8 and Windows Phone 8"
I cannot see how. Given that Windows Phone 8 is still pretty much as useful as a paperweight in many countries and Windows 8 is still getting flak over the Metro/Modern/whatever UI.
Only on forums like this. Up to now I have seen 4 Win 8 laptops and 2 Win 8 phones brought into my office to have them connected to the wireless network (we don't give out the password) and the people who bought them have been surprisingly positive about it. I was expecting them to be asking if they could replace it with Win 7 but they don't want to.
Small sample size of anecdotal evidence to be sure, but it seems to be popular with the people actually using it and not just slagging it off because of what they have read elsewhere
Yup. I have, as any commentard who has seen my rants will tell you, 3 machines all happily running Windows 8 and I wouldn't go back to Windows 7 if you paid me. In fact, currently at a client site using Windows XP and it's amazing to see how dated it has become. Like if you saw a picture of Maria Whittaker as she is now.
Anyway, back to the 'debate', this supposed security flaw is, as others have pointed out, not a security flaw. There is not a chance in hell of anyone gaining any meaningful or useful information and certainly no chance of giving away any password information.
Personally I've used Chrome for a few years now, pretty much since it came out, but all the tracking and tracing it does scares the crap out of me. Would you rather trust MS or Google? Tough question. But I have to say that since upgrading to Windows 8 I've found myself using IE again. It works fine, it's fast, doesn't crash and ive had no issues at all. This bullshit post and all the Linux dribblers have done nothing to convince me otherwise. I know Linux/UNIX is great and has its place but seriously, how many non technical people would have a shit clue what to do with it? By all means criticise when necessary and point out flaws where they exist but this is just bollocks scare mongering. I'm starting to think TheRegister was bought by an Apple owned company :-)
I didn't think it was possible to fully remove IE from a windows machine? I would really appreciate some instructions on how to do this, because for now, I've just shoved it out of the way where my parents can't find it and have disguised firefox as IE so they don't complain about where the 'internet button' has gone.
You shouldn't be running any other windows or tabs when you go to a banking logon page.
Your bank's initial page shouldn't contain any uncontrolled links.
The logon page should allow you to close the initial page behind it and should not contain any links at all other than those needed to actually log on.
If your banking pages contain off-site links get a different bank - they are not serious about security.
Doesn't track mouse movements on the extended screen!
I can browse as much as I want and no mouse movements are being recorded.
As soon as I move the mouse to the primary display, then you can see the mouse movements being tracked.
Also, it doesn't show you what is being clicked and it doesn't show you what is being displayed on screen.
Thanks, :-)
I slept it off. It is a new day. I will leave my posts visible, partly to knock myself in the head to remember to use fewer polarizing, inventive, (except, iexploDer, whic I first saw in IT around 1997, loked, and used when a fitting context arose) words. Otherwise, i will incur more negs faster than any positive recovery.
Again, thanks.
With GPS, microphone, camera and motion sensing phones, IPV6, built in Webcams, Bluetooth, NearField, CCTV, ANPR etc we can be tracked to mm and that's just the "Visible" technology.
I personally don't fret about it too much as I don't have a life worth watching but there are times when I wonder if tin foil covered safe houses free of data connections will spring up, areas with poor cell coverage will command a premium.
Won't be long and Faraday cages and "alternative browsers" will be outlawed.
And to the hoodie wearing teenagers you're just not thinking it through.
Mines the one with your life path on a USB stick in the pocket.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
