December 14, 2012, 10:56 AM — Do you use Internet Explorer? If you do, hopefully you've already applied the updates from Patch Tuesday earlier this week. But, even if you did it seems your browser might still be vulnerable to a potentially serious issue.
Spider.io, a company in the business of helping customers distinguish between actual human website visitors and automated bot activity, claims to have discovered a flaw that affects Internet Explorer the current flagship browser from Microsoft, versions 6 through 10. The vulnerability reportedly allows the mouse cursor position to be tracked wherever it is on the screen--even if IE is minimized.
Spider.io disclosed the vulnerability to Microsoft on October 1, 2012, but it was not addressed in the most recent security update for Internet Explorer. Spider.io asserts that the flaw is being actively exploited, and claims the Microsoft Security Research Center (MSRC) has acknowledged the vulnerability, but has no immediate plan to patch it.
I asked Microsoft for its position on the alleged vulnerability. A spokesperson sent me this official response: "We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected. We will provide additional information as it becomes available and will take the appropriate action to protect our customers."
Jason Miller, manager of research and development for VMware questions whether the issue is a "bug" or a "feature". "One could question whether this is a vulnerability or a feature introduced into the browser to help establish metrics of usage. Regardless, the researchers have proven that this "issue" could be used maliciously."
I spoke with Qualys CTO Wolfgang Kandek. He expressed concerns over the implications such a vulnerability might have for online banking. Many banks have implemented on-screen virtual keyboards for entering account credentials as a means of avoiding traditional keylogger attacks.