[dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)

Hans-Christian Andersen hans.andersen at phulse.com
Thu Dec 13 16:34:36 CST 2012


I tried it for fun in the 3 other main browsers (Chrome, Safari, Firefox) and it didn't work. And, saying that, it won't affect any other browsers for these 2 reasons:

1. The .fireEvent() method is a Microsoft-proprietary bit of JavaScript. No other browser understands what this means.

2. All the other browsers seem to respect the principle that you should not be able to track the location of the mouse once it leaves the boundaries of the browser window or the window is no longer in focus (i.e. minimised).

It has been speculated that the reason that IE does this is because it has some deep hooks into the Windows API that other browsers do not and this is also probably why Microsoft appears to be reluctant to fix it (for now).


- Hans





On 2012-12-13, at 1:53 PM, "John Bartow" <john at winhaven.net> wrote:

> Good grief. Well, no, bad grief. Sometimes you just have to wonder what the
> MS IE team is thinking.
> 
> Does it affect any other browser?
> 
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
> Andersen
> Sent: Thursday, December 13, 2012 3:36 PM
> To: Discussion of Hardware and Software issues
> Subject: Re: [dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)
> 
> 
> According to the article, it affects IE 10 as well as all previous versions
> of IE starting from IE 6.
> 
> - Hans
> 
> 
> 
> On 2012-12-13, at 1:33 PM, "John Bartow" <john at winhaven.net> wrote:
> 
>> Does this affect IE10?
>> 
>> -----Original Message-----
>> From: dba-tech-bounces at databaseadvisors.com
>> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of 
>> Hans-Christian Andersen
>> Sent: Thursday, December 13, 2012 3:18 AM
>> To: Discussion of Hardware and Software issues
>> Subject: [dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)
>> 
>> 
>> http://spider.io/blog/2012/12/internet-explorer-data-leakage/
>> 
>> This is a pretty severe security issue. All it takes is a little bit 
>> of JavaScript on any site you visit and they are able to fully track 
>> where your mouse is on your screen (even when IE is minimized). All 
>> versions of IE are vulnerable to this starting from IE 6. It's already 
>> being exploited in the wild.
>> 
>> There is a demo included as a link, if you want to test this out yourself.
>> 
>> - Hans
>> 
>> 
>> Excerpt from link:
>> _______________
>> 
>> "On the 1st of October, 2012, we disclosed to Microsoft the following 
>> security vulnerability in Internet Explorer, versions 6-10, which 
>> allows your mouse cursor to be tracked anywhere on the screen - even if 
>> the Internet Explorer window is minimised. The vulnerability is 
>> particularly troubling because it compromises the security of virtual 
>> keyboards and virtual keypads.
>> 
>> The motivation for using a virtual keyboard is typically that it 
>> reduces the chance of a keylogger recording one's keypresses and 
>> thereby compromising one's passwords or credit card details. (c.f. 
>> bit.ly/YnNBYE; bit.ly/VpapWf)
>> 
>> Whilst the Microsoft Security Research Center has acknowledged the 
>> vulnerability in Internet Explorer, they have also stated that there 
>> are no immediate plans to patch this vulnerability in existing 
>> versions of the browser. It is important for users of Internet 
>> Explorer to be made aware of this vulnerability and its implications.
>> 
>> The vulnerability is already being exploited by at least two display 
>> ad analytics companies across billions of page impressions per month."
>> 
>> 
>> _______________________________________________
>> dba-Tech mailing list
>> dba-Tech at databaseadvisors.com
>> http://databaseadvisors.com/mailman/listinfo/dba-tech
>> Website: http://www.databaseadvisors.com