A security researcher has published yet another reason not to use Internet Explorer for anything, under any circumstances: it can track your mouse cursor movements, even when it’s minimised.
Affecting all versions newer than IE 6.0, and with no plans for a fix by Microsoft, the bug is demonstrated here (not being an IE user, this El Reg hack hasn’t tested the game).
As the notice from spider.io states, the exploit “compromises the security of virtual keyboards and virtual keypads” – often used as a “secure” login that defeats keyloggers.
“An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit,” the company writes. “The vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimise Internet Explorer—your mouse cursor can be tracked across your entire display.”
The 21-lines-of-code exploit posted by spider.io demonstrates that JavaScript in any Webpage, or any iframe, can poll for the position of the mouse cursor via fireEvent(), because IE “populates the global Event object with some attributes relating to mouse events, even in situations where it should not”.
The Register wouldn't anticipate a fix in a hurry, since the fix would devalue a couple of billion ad-clicks. ®
