[dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)

Hans-Christian Andersen hans.andersen at phulse.com
Thu Dec 13 11:03:29 CST 2012


Judging by recent statistics, a large percentage of the world still uses IE. What might be interesting as well is whether this vulnerability affects IE in Windows 8's Metro-land.

Best regards,
Hans-Christian Andersen


On 13 Dec 2012, at 08:29, Peter Brawley <peter.brawley at earthlink.net> wrote:

> On 2012-12-13 9:43 AM, Tina Norris Fields wrote:
>> Holy Toledo! Thanks, Hans-Christian, for posting this.
>> T
>> 
>> Tina Norris Fields
>> tinanfields at torchlake.com
>> 231-322-2787
>> 
>> On 12/13/2012 4:18 AM, Hans-Christian Andersen wrote:
>>> http://spider.io/blog/2012/12/internet-explorer-data-leakage/
>>> 
>>> This is a pretty severe security issue. All it takes is a little bit of JavaScript on any site you visit and they are able to fully track where your mouse is on your screen (even when IE is minimized). All versions of IE are vulnerable to this starting from IE 6. It's already being exploited in the wild.
>>> 
>>> There is a demo included as a link, if you want to test this out yourself.
> 
> No thx, but why's anyone still using IE?
> 
> PB
> 
> -----
> 
>>> 
>>> - Hans
>>> 
>>> 
>>> Excerpt from link:
>>> _______________
>>> 
>>> "On the 1st of October, 2012, we disclosed to Microsoft the following security vulnerability in Internet Explorer, versions 6–10, which allows your mouse cursor to be tracked anywhere on the screen—even if the Internet Explorer window is minimised. The vulnerability is particularly troubling because it compromises the security of virtual keyboards and virtual keypads.
>>> 
>>> The motivation for using a virtual keyboard is typically that it reduces the chance of a keylogger recording one’s keypresses and thereby compromising one’s passwords or credit card details. (c.f. bit.ly/YnNBYE; bit.ly/VpapWf)
>>> 
>>> Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser. It is important for users of Internet Explorer to be made aware of this vulnerability and its implications.
>>> 
>>> The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month."
>>> 
>>> 
>>> _______________________________________________
>>> dba-Tech mailing list
>>> dba-Tech at databaseadvisors.com
>>> http://databaseadvisors.com/mailman/listinfo/dba-tech
>>> Website: http://www.databaseadvisors.com
>> 


