Hans-Christian Andersen
hans.andersen at phulse.com
Thu Dec 13 14:36:33 CST 2012
> The choice now is either stop using all tablets and Smartphones or stop > using IE until a universal fix is built and distributed. Better safe than > sorry. All tablets and smartphones? - Hans On 2012-12-13, at 12:32 PM, "Jim Lawrence" <accessd at shaw.ca> wrote: > You mean this demo? > > <!DOCTYPE html> > <html> > <head> > <meta charset="utf-8" /> > <title>Exploit Demo</title> > <script type="text/javascript"> > window.attachEvent("onload", function() { > var detector = document.getElementById("detector"); > detector.attachEvent("onmousemove", function (e) { > detector.innerHTML = e.screenX + ", " + e.screenY; > }); > setInterval(function () { > detector.fireEvent("onmousemove"); > }, 100); > }); > </script> > </head> > <body> > <div id="detector"></div> > </body> > </html> > > These type of compromise should be out there so everyone knows them, as rest > assured, every person in the malware business is already fully versed in > this exploit. Really it is only four to five lines of code and not > particularly difficult code. You would have to add an AJAX piece of code > collect the positions remotely of course but that would also be less than > ten lines of additional code; four lines if you have attached the JQuery > library. > > The choice now is either stop using all tablets and Smartphones or stop > using IE until a universal fix is built and distributed. Better safe than > sorry. > > Jim > > -----Original Message----- > From: dba-tech-bounces at databaseadvisors.com > [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian > Andersen > Sent: Thursday, December 13, 2012 1:18 AM > To: Discussion of Hardware and Software issues > Subject: [dba-Tech] Internet Explorer Data Leakage (versions 6 to 10) > > > http://spider.io/blog/2012/12/internet-explorer-data-leakage/ > > This is a pretty severe security issue. All it takes is a little bit of > javascript on any site you visit and they are able to fully track where your > mouse is on your screen (even when IE is minimized). All versions of IE are > vulnerable to this starting from IE 6. It's already being exploited in the > wild. > > There is a demo included as a link, if you want to test this out yourself. > > - Hans > > > Excerpt from link: > _______________ > > "On the 1st of October, 2012, we disclosed to Microsoft the following > security vulnerability in Internet Explorer, versions 6-10, which allows > your mouse cursor to be tracked anywhere on the screen-even if the Internet > Explorer window is minimised. The vulnerability is particularly troubling > because it compromises the security of virtual keyboards and virtual > keypads. > > The motivation for using a virtual keyboard is typically that it reduces the > chance of a keylogger recording one's keypresses and thereby compromising > one's passwords or credit card details. (c.f. bit.ly/YnNBYE; bit.ly/VpapWf) > > Whilst the Microsoft Security Research Center has acknowledged the > vulnerability in Internet Explorer, they have also stated that there are no > immediate plans to patch this vulnerability in existing versions of the > browser. It is important for users of Internet Explorer to be made aware of > this vulnerability and its implications. > > The vulnerability is already being exploited by at least two display ad > analytics companies across billions of page impressions per month." > > > _______________________________________________ > dba-Tech mailing list > dba-Tech at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-tech > Website: http://www.databaseadvisors.com > > _______________________________________________ > dba-Tech mailing list > dba-Tech at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-tech > Website: http://www.databaseadvisors.com