[dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)

Jim Lawrence accessd at shaw.ca
Thu Dec 13 14:58:37 CST 2012


I am being facetious. 

Only if you are running IE as your browser. One question comes to mind: can
you use any other browser than IE on the new Win8 product line?

Jim

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
Andersen
Sent: Thursday, December 13, 2012 12:37 PM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)


> The choice now is either stop using all tablets and Smartphones or stop
> using IE until a universal fix is built and distributed. Better safe than
> sorry.

All tablets and smartphones?

- Hans



On 2012-12-13, at 12:32 PM, "Jim Lawrence" <accessd at shaw.ca> wrote:

> You mean this demo?
> 
> <!DOCTYPE html>
> <html>
> <head>
>  <meta charset="utf-8" />
>  <title>Exploit Demo</title>
>  <script type="text/javascript">
>    window.attachEvent("onload", function() {
>      var detector = document.getElementById("detector");
>      detector.attachEvent("onmousemove", function (e) {
>        detector.innerHTML = e.screenX + ", " + e.screenY;
>      });
>      setInterval(function () {
>        detector.fireEvent("onmousemove");
>      }, 100);
>    });
>  </script>
> </head>
> <body>
>  <div id="detector"></div>
> </body>
> </html>
> 
> These types of compromise should be out there so everyone knows them, as
> rest assured, every person in the malware business is already fully versed in
> this exploit. Really it is only four to five lines of code and not
> particularly difficult code. You would have to add an AJAX piece of code to
> collect the positions remotely of course but that would also be less than
> ten lines of additional code; four lines if you have attached the jQuery
> library.
> 
> The choice now is either stop using all tablets and Smartphones or stop
> using IE until a universal fix is built and distributed. Better safe than
> sorry.
> 
> Jim
> 
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
> Andersen
> Sent: Thursday, December 13, 2012 1:18 AM
> To: Discussion of Hardware and Software issues
> Subject: [dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)
> 
> 
> http://spider.io/blog/2012/12/internet-explorer-data-leakage/
> 
> This is a pretty severe security issue. All it takes is a little bit of
> javascript on any site you visit and they are able to fully track where your
> mouse is on your screen (even when IE is minimized). All versions of IE are
> vulnerable to this starting from IE 6. It's already being exploited in the
> wild.
> 
> There is a demo included as a link, if you want to test this out yourself.
> 
> - Hans
> 
> 
> Excerpt from link:
> _______________
> 
> "On the 1st of October, 2012, we disclosed to Microsoft the following
> security vulnerability in Internet Explorer, versions 6-10, which allows
> your mouse cursor to be tracked anywhere on the screen - even if the Internet
> Explorer window is minimised. The vulnerability is particularly troubling
> because it compromises the security of virtual keyboards and virtual
> keypads.
> 
> The motivation for using a virtual keyboard is typically that it reduces the
> chance of a keylogger recording one's keypresses and thereby compromising
> one's passwords or credit card details. (c.f. bit.ly/YnNBYE; bit.ly/VpapWf)
> 
> Whilst the Microsoft Security Research Center has acknowledged the
> vulnerability in Internet Explorer, they have also stated that there are no
> immediate plans to patch this vulnerability in existing versions of the
> browser. It is important for users of Internet Explorer to be made aware of
> this vulnerability and its implications.
> 
> The vulnerability is already being exploited by at least two display ad
> analytics companies across billions of page impressions per month."
> 
> 
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com


_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com
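
A static check for the pattern in the demo quoted in this thread, as an added example that is not part of the thread or of the linked write-up: it flags inline scripts that synthesize mouse events with `fireEvent()` and read `screenX`/`screenY`. The function names and both sample pages are constructed for illustration, and using it in a content filter or page audit is an assumption.

```javascript
// Added example: static heuristic for the pattern in the quoted demo.
// scanHtml/scanScript and both SAMPLE_* pages are hypothetical/constructed.

function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

function scanScript(src) {
  // Drop comments so commented-out code does not raise a finding.
  const code = src
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/(^|[^:])\/\/.*$/gm, "$1");
  const findings = [];
  // Legacy IE fireEvent() used to synthesize a mouse event from script.
  if (/\.fireEvent\s*\(\s*["']onmouse\w+["']/i.test(code)) findings.push("synthetic-mouse-event");
  // Handler reads screen-relative (not page-relative) coordinates.
  if (/\.\s*screen[XY]\b/.test(code)) findings.push("reads-screen-coords");
  // Timer-driven repetition turns a one-off read into continuous polling.
  if (/\bsetInterval\s*\(/.test(code)) findings.push("timer");
  return findings;
}

function scanHtml(html) {
  const all = new Set();
  for (const s of inlineScripts(html)) scanScript(s).forEach((f) => all.add(f));
  const suspicious = all.has("synthetic-mouse-event") && all.has("reads-screen-coords");
  return { suspicious, polled: suspicious && all.has("timer"), findings: [...all].sort() };
}

// Constructed sample using the same calls as the quoted demo.
const SAMPLE_TRACKER = `<html><head><script type="text/javascript">
  var d = document.getElementById("detector");
  d.attachEvent("onmousemove", function (e) { d.innerHTML = e.screenX + ", " + e.screenY; });
  setInterval(function () { d.fireEvent("onmousemove"); }, 100);
</script></head><body><div id="detector"></div></body></html>`;

// Constructed benign page: real pointer events, page-relative coordinates.
const SAMPLE_BENIGN = `<html><body><script>
  // tooltip follows the pointer; see http://example.test/docs
  document.addEventListener("mousemove", function (e) { tip.style.left = e.clientX + "px"; });
</script></body></html>`;

console.log(scanHtml(SAMPLE_TRACKER), scanHtml(SAMPLE_BENIGN));
```

The check is textual, so it misses obfuscated or dynamically built calls and only covers inline scripts; treat a hit as a prompt for manual review.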