
Sunday, December 16, 2012

Security Risk in IE

Another Security Threat Of IE


A vulnerability affecting Internet Explorer versions 6 through 10 could make it possible for a hacker to monitor the movements of your mouse, even if the browser window is minimized.





According to UK-based web analytics firm Spider.io, this means that passwords and PINs could be captured by a man-in-the-browser attacker if they are typed on a virtual (on-screen) keyboard.

However, there are no reported cases of any consumer having their information compromised.

The security loophole essentially allows attackers to track an IE user's mouse movements, even if the user hasn't installed any software.

All that attackers have to do is buy a display ad slot on any website. Spider.io adds, "This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector."

Two impacts of this security loophole in IE


1) First, those using a virtual keyboard as a way to avoid possible keyloggers can no longer assume that the virtual keyboard is safe.

2) Second, it appears that unscrupulous ad companies have been using this flaw for a while to measure the viewability of display ads.

How exactly does the loophole work?


The way it works is this: IE’s event model logs attributes relating to mouse events. When combined with the ability to trigger events manually using the fireEvent() method, researchers explained, JavaScript in any webpage or iframe can poll for the position of the mouse cursor anywhere on the screen and at any time. The fireEvent() method also exposes the status of the control, shift and alt keys.
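For a site or ad-operations team reviewing third-party creatives, the combination described above (synthetic events via fireEvent() plus reads of cursor or modifier-key attributes, on a timer) can be flagged statically. The following is an added example, not code from Spider.io or Microsoft; the function names, verdict labels and sample snippets are assumptions constructed for illustration, and the check is a triage heuristic rather than a full JavaScript parser.

```javascript
// Added example: static triage of ad-creative JavaScript (heuristic, not a parser).
const POSITION_ATTRS = ["screenX", "screenY", "clientX", "clientY"];
const MODIFIER_ATTRS = ["ctrlKey", "shiftKey", "altKey"];

// Blank out string literals and comments in one pass so that names which only
// appear in text or documentation are not counted as code.
function stripCommentsAndStrings(src) {
  const re = /("(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g;
  return src.replace(re, (match, str) => (str ? '""' : " "));
}

function scanCreative(src) {
  const code = stripCommentsAndStrings(src);
  const reads = (attrs) =>
    attrs.filter((a) => new RegExp("\\.\\s*" + a + "\\b").test(code));
  const firesEvents = /\.\s*fireEvent\s*\(/.test(code);
  const usesTimer = /\b(?:setInterval|setTimeout)\s*\(/.test(code);
  const readsPosition = reads(POSITION_ATTRS);
  const readsModifiers = reads(MODIFIER_ATTRS);
  // Synthetic events plus reads of cursor or modifier state is the combination
  // the article describes; a timer on top of that indicates polling.
  let verdict = "clean";
  if (firesEvents && (readsPosition.length || readsModifiers.length)) {
    verdict = usesTimer ? "block" : "review";
  }
  return { verdict, firesEvents, usesTimer, readsPosition, readsModifiers };
}

// Constructed sample inputs (not taken from any real ad creative).
const SAMPLE_POLLING = [
  "setInterval(function () {",
  "  probe.fireEvent(evtName); // synthetic event",
  "  report(event.screenX, event.screenY, event.altKey);",
  "}, 50);",
].join("\n");
const SAMPLE_CLICK = [
  "banner.onclick = function (e) {",
  "  e = e || window.event;",
  "  track(e.clientX, e.clientY);",
  "};",
].join("\n");
const SAMPLE_TEXT_ONLY = [
  "// docs mention el.fireEvent(x) and e.screenX",
  'var help = "call el.fireEvent(x), read e.screenX";',
  "setTimeout(rotate, 5000);",
].join("\n");

for (const [name, src] of Object.entries({ SAMPLE_POLLING, SAMPLE_CLICK, SAMPLE_TEXT_ONLY })) {
  console.log(name, scanCreative(src).verdict);
}
```

An ordinary click handler that reads coordinates from a real user event stays "clean"; only the pairing with fireEvent() raises the verdict.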

Opinion of Microsoft

Dean Hachamovitch, Microsoft corporate vice president for its Internet Explorer division, disagrees with Spider.io’s assessment:
“The underlying issue has more to do with competition between analytics companies than consumer safety or privacy. … We are actively working to adjust this behavior in IE and will provide more information when it is available.”


