If there’s one thing that Microsoft doesn’t need, it’s more bad publicity for Internet Explorer. The company’s browser has often been criticized as slow and downright inferior to other offerings. Unfortunately for Microsoft, it looks like more bad news is on the way.
The bad news comes in the form of a security hole in Internet Explorer that was recently discovered by security researchers. Far from a simple exploit, the vulnerability could potentially allow hackers to track your mouse movements, even if the window is inactive or minimized. It also affects versions 6-10 of the browser, making virtually everyone who uses it vulnerable.
Even worse, hackers would be able to do this without having to install any form of malicious software on your computer. Instead, attackers can gain access by simply buying an ad slot on any website. These ads can also be found anywhere, from YouTube to any major news site on the Internet. So those thinking they can avoid this problem by staying away from the shady parts of the Internet should take notice — that won’t help at all.
Spider.io, a vendor of a hosted platform, discovered the flaw and contacted Microsoft about it. Microsoft, however, said it was not rushing to fix it and stated that it had “no immediate plans” to patch it in existing browser versions. This led spider.io to go public with the exploit and warn users of the potential damage it could cause.
The main reason this flaw could be so damaging is that it allows hackers to circumvent the protection that virtual keyboards provide. Virtual keyboards are sometimes used to enter sensitive information such as passwords or credit card details because they are not susceptible to the usual keyloggers that we’ve heard so much about in the past. Because this flaw allows mouse movements to be tracked, a hacker could determine details entered on a virtual keyboard in a matter of minutes.
To Microsoft’s credit, they issued another statement a day after the vulnerability went public demonstrating a change of stance regarding the matter.
“We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers. We will update this blog with more information as it is available.”
However, the exploit remains unpatched as of today. So for those of you who do use Internet Explorer and are worried about your sensitive information, stay away from the browser for now, at least until Microsoft fixes it.
[via NakedSecurity]