Security

Internet Explorer tracks cursor even when minimised

Keep calm: it’s only being exploited by adware blood-suckers ... probably

Richard Chirgwin Wed 12 Dec 2012 // 23:14 UTC

A security researcher has published yet another reason not to use Internet Explorer for anything, under any circumstances: it can track your mouse cursor movements, even when it’s minimised.

Affecting all versions newer than IE 6.0, and with no plans for a fix by Microsoft, the bug is demonstrated here (not being an IE user, this El Reg hack hasn’t tested the game).

As the notice from spider.io states, the exploit “compromises the security of virtual keyboards and virtual keypads” – often used as a “secure” login that defeats keyloggers.

“An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit,” the company writes. “The vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimise Internet Explorer—your mouse cursor can be tracked across your entire display.”

The 21-lines-of-code exploit posted by spider.io demonstrates that JavaScript in any Webpage, or any iframe, can poll for the position of the mouse cursor via fireEvent(), because IE “populates the global Event object with some attributes relating to mouse events, even in situations where it should not”.

The Register wouldn't anticipate a fix in a hurry, since the fix would devalue a couple of billion ad-clicks. ®

Similar topics

Broader topics

Narrower topics

Corrections Send us news

Other stories you might like

Azure issues not adequately fixed for months, complain bug hunters

Redmond kicks off Patch Tuesday with a months-old flaw fix

Jessica Lyons Hardcastle Tue 14 Jun 2022 // 13:30 UTC

Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.
In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January.
And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse.

Continue reading
Microsoft continues cyber security spending spree with Miburo buy

Brains to be added to the Customer Security and Trust in defense against 'foreign adversaries'

Richard Speed Wed 15 Jun 2022 // 15:30 UTC

Microsoft has opened its wallet once more to pick up New York-based cyber-threat analyst Miburo.
Founded by Clint Watts in 2011, Miburo is all about the detection of and response to foreign (in the context of the US) information operations. The team is to be folded into Microsoft's Customer Security and Trust organization and the work of its analysts is to be fed into the Windows giants' threat detection and analysis capabilities.
"Miburo," said Microsoft, "has become a leading expert in identification of foreign information operations." Its research teams have hunted out some nasty influence campaigns over 16 languages.

Continue reading
Microsoft fixes under-attack Windows zero-day Follina

Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

Jessica Lyons Hardcastle Wed 15 Jun 2022 // 03:02 UTC

Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.
Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.
Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

Continue reading

Supply chain attacks will get worse: Microsoft Security Response Center boss

Do you know all of your software dependencies? Spoiler alert: hardly anybody is on top of it

Jessica Lyons Hardcastle Thu 9 Jun 2022 // 02:30 UTC

RSA Conference Major supply-chain attacks of recent years – we're talking about SolarWinds, Kaseya and Log4j to name a few – are "just the tip of the iceberg at this point," according to Aanchal Gupta, who leads Microsoft's Security Response Center.
"All of those have been big," she said, in an interview with The Register at RSA Conference. "But I feel they will continue and there will be more. And there's a reason I think that."
As the head of MSRC, Gupta has a unique vantage point. Her view spans all of Microsoft's products and services, as well as visibility across industry partners' software and tools plus customers' environments including government agencies.

Continue reading
Microsoft Defender goes cross-platform for the masses

Redmond's security brand extended to multiple devices without stomping on other solutions

Richard Speed Fri 17 Jun 2022 // 15:30 UTC

Microsoft is extending the Defender brand with a version aimed at families and individuals.
"Defender" has been the company's name of choice for its anti-malware platform for years. Microsoft Defender for individuals, available for Microsoft 365 Personal and Family subscribers, is a cross-platform application, encompassing macOS, iOS, and Android devices and extending "the protection already built into Windows Security beyond your PC."
The system comprises a dashboard showing the status of linked devices as well as alerts and suggestions.

Continue reading
How did you mourn Internet Explorer's passing?

Tombstones, memes, Clippy, and probably a cat or two. The web pays its respects

Richard Speed Thu 16 Jun 2022 // 16:00 UTC

Internet Explorer breathed its last for many users this week, and netizens have observed its passing in their own special way.
One joker chose to celebrate the passing of the former web bigwig with a tombstone where one could go and pay homage to the malign influence exerted by the browser.

Continue reading

Microsoft seizes 41 domains tied to 'Iranian phishing ring'

Windows giant gets court order to take over dot-coms and more

Jessica Lyons Hardcastle Tue 7 Jun 2022 // 00:04 UTC

Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India.
The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.
"Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

Continue reading
World Economic Forum wants a global map of online crime

Will cyber crimes shrug off Atlas Initiative? Objectively, yes

Jessica Lyons Hardcastle Fri 10 Jun 2022 // 21:27 UTC

RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.
The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.
This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals' supply chain to develop better mitigation strategies and security controls for their customers.

Continue reading
Microsoft forgot to renew the certificate for its Windows Insider subdomain

Visitors to insider.windows.com met with safety warning - how reassuring

Thomas Claburn in San Francisco Fri 10 Jun 2022 // 19:31 UTC

Microsoft has forgotten to renew the certificate for the web page of its Windows Insider software testing program.
Attempting to visit the Windows Insider portal was returning the familiar "Your connection is not private" warning – as if webpages larded with scripts and trackers can truly be called "private." The problem has now been fixed, and someone's no doubt getting an earful.
Browsers like Chrome, Firefox, and Safari will attempt to deter visitors from accessing the webpage, but will provide a link for those who ignore the warnings and persist on clicking through to advanced options.

Continue reading
Internet Explorer 11 limps to the end of Windows 10 road

Going from the semi-annual channel, but you'll never really wash it off the internals

Richard Speed Tue 14 Jun 2022 // 12:32 UTC

The end is nigh for support for Internet Explorer 11 on some editions of Windows 10. That is, unless users look a little too hard at Windows' internals.
Support is ending today for the Internet Explorer 11 desktop application on the Window 10 semi-annual servicing channel.
From tomorrow – June 15, 2022 – customers still clinging to the past will have to do so without the (seemingly) neverending patches for Microsoft's browser.

Continue reading

ABOUT US

MORE CONTENT

SITUATION PUBLISHING

The Register - Independent news and views for the tech community. Part of Situation Publishing

SIGN UP TO OUR DAILY NEWSLETTER

Security Scorecard

Biting the hand that feeds IT © 1998–2022

Do not sell my personal information Cookies Privacy Ts&Cs