[dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)

Jim Lawrence accessd at shaw.ca
Thu Dec 13 14:32:32 CST 2012


You mean this demo?

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <title>Exploit Demo</title>
  <script type="text/javascript">
    window.attachEvent("onload", function() {
      var detector = document.getElementById("detector");
      detector.attachEvent("onmousemove", function (e) {
        detector.innerHTML = e.screenX + ", " + e.screenY;
      });
      setInterval(function () {
        detector.fireEvent("onmousemove");
      }, 100);
    });
  </script>
</head>
<body>
  <div id="detector"></div>
</body>
</html>

These type of compromise should be out there so everyone knows them, as rest
assured, every person in the malware business is already fully versed in
this exploit. Really it is only four to five lines of code and not
particularly difficult code. You would have to add an AJAX piece of code
collect the positions remotely of course but that would also be less than
ten lines of additional code; four lines if you have attached the JQuery
library.

The choice now is either stop using all tablets and Smartphones or stop
using IE until a universal fix is built and distributed. Better safe than
sorry.

Jim

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
Andersen
Sent: Thursday, December 13, 2012 1:18 AM
To: Discussion of Hardware and Software issues
Subject: [dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)


http://spider.io/blog/2012/12/internet-explorer-data-leakage/

This is a pretty severe security issue. All it takes is a little bit of
javascript on any site you visit and they are able to fully track where your
mouse is on your screen (even when IE is minimized). All versions of IE are
vulnerable to this starting from IE 6. It's already being exploited in the
wild.

There is a demo included as a link, if you want to test this out yourself.

- Hans


Excerpt from link:
_______________

"On the 1st of October, 2012, we disclosed to Microsoft the following
security vulnerability in Internet Explorer, versions 6-10, which allows
your mouse cursor to be tracked anywhere on the screen-even if the Internet
Explorer window is minimised. The vulnerability is particularly troubling
because it compromises the security of virtual keyboards and virtual
keypads.

The motivation for using a virtual keyboard is typically that it reduces the
chance of a keylogger recording one's keypresses and thereby compromising
one's passwords or credit card details. (c.f. bit.ly/YnNBYE; bit.ly/VpapWf)

Whilst the Microsoft Security Research Center has acknowledged the
vulnerability in Internet Explorer, they have also stated that there are no
immediate plans to patch this vulnerability in existing versions of the
browser. It is important for users of Internet Explorer to be made aware of
this vulnerability and its implications.

The vulnerability is already being exploited by at least two display ad
analytics companies across billions of page impressions per month."


_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com



More information about the dba-Tech mailing list