[dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)

Hans-Christian Andersen hans.andersen at phulse.com
Thu Dec 13 03:18:15 CST 2012


http://spider.io/blog/2012/12/internet-explorer-data-leakage/

This is a pretty severe security issue. All it takes is a little bit of javascript on any site you visit and they are able to fully track where your mouse is on your screen (even when IE is minimized). All versions of IE are vulnerable to this starting from IE 6. It's already being exploited in the wild.

There is a demo included as a link, if you want to test this out yourself.

- Hans


Excerpt from link:
_______________

"On the 1st of October, 2012, we disclosed to Microsoft the following security vulnerability in Internet Explorer, versions 6–10, which allows your mouse cursor to be tracked anywhere on the screen—even if the Internet Explorer window is minimised. The vulnerability is particularly troubling because it compromises the security of virtual keyboards and virtual keypads.

The motivation for using a virtual keyboard is typically that it reduces the chance of a keylogger recording one’s keypresses and thereby compromising one’s passwords or credit card details. (c.f. bit.ly/YnNBYE; bit.ly/VpapWf)

Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser. It is important for users of Internet Explorer to be made aware of this vulnerability and its implications.

The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month."




More information about the dba-Tech mailing list