Spider.io, a web analytics firm, told Microsoft about the flaw in October, but Redmond has done nothing about it. The issues affects all version of Internet Explorer from version 6 to version 10 and only since the finding have been made public has Microsoft commented on the vulnerability. At the moment Microsoft has no plans to patch the flaw.
The team at Spider.io have created a game to illustrate how easy it is to exploit IE and compromise the security of virtual keyboards. The game may be found at iedataleak.spider.io. There is also a demonstration showing how the flaw can be used to track the mouse over the Skype keypad despite the fact that the Internet Explorer window is not active.
According to Doug de Jager, chief executive of spider.io, the vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.
“The vulnerability is being exploited rather mischievously by these companies to measure the viewability of display ads – arguably the hot topic in display advertising at the moment,” de Jager told the Guardian. “Almost every US-based user of Internet Explorer will have their mouse cursor tracked via this exploit almost every day they browse the web.”
Microsoft’s lack of action is a little surprising and it is Redmond’s indifference that has caused Spider.io to disclose the details of the flaw. “We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected,” Microsoft said in a statement, adding that it would take “appropriate action to protect our customers”.
Details of the vulnerability
Due to a design flaw, Internet Explorer is populating the global Event object with attributes relating to mouse events, even when it shouldn’t. This means that a web page can be created which uses the fireEvent() method to poll for the mouse position anywhere on the screen and at any time. The reason why the flaw allows programs like Skype to be tracked is that the fireEvent() method and the mouse positions are processed even when the page isn’t active or focused.