Mouse & modifier key tracking vulnerability in IE 6-10

http://spider.io/blog/2012/12/internet-explorer-data-leakage/

Demo and YouTube video of demo at the bottom of http://iedataleak.spider.io/demo. I didn't test it but watched the video. It appears that mouse click events (outside of expected areas) aren't vulnerable, but you can still achieve inappropriate information gathering.

 

Are there any mitigations we can useÉ

I keep psw and http addresses on a stick encrypted then decrypt them and copy past them into the sites. So that uses clipboard.

This all occurs while sandboxed.

 

Stop using IE? Maybe an extension to IE could intercept the events and discard or modify the threatening ones? Block third party content and carefully control what windows you have open so as to reduce the possibility that something might be snooping on you via this technique? Don't use the mouse to write out words in any applications or use a mouse driven onscreen keyboard if you have potentially threatening pages open in IE?

 

Microsoft: We’re investigating the Internet Explorer mouse-tracking vulnerability

Article

 

More information (Hat Tip) to Merijn for this.

 

Does this "issue" apply if we use INPrivate Browser?

 

Thanks, one MS comment here is other browsers have this issue.

Which ones are they?

If I don't use on screen keyboard and am inside the sandbox I suspect none of this bug applies?

 

Based on the Microsoft statement, the vuln does take place in-privacy mode as well. There will be more as MS has had time to investigate further.

 

Best guess is that MS will be forthcoming with a FixIt within the next days, all depending on the outcome of the MS investigation. More as I know more.
Stay tuned.

 

Do you mean the linked to blog entry comment: "There are similar capabilities available in other browsers."? I don't know what is considered "similar capabilities" and the author chose not to elaborate on that. Perhaps, and hopefully, all browser developers will review their approaches and any/all surfaced issues will be promptly, correctly addressed.

FWIW, the same blog entry linked to a video by Spider.io on assessing ad viewability... http://spider.io/blog/2012/12/there...e-ad-viewability-there-is-only-one-right-way/ ... which I watched. IE was the only browser described as having this issue. However, Firefox was described as having a significantly different issue of its own which 1) can also be used to determine ad viewability, and 2) could creatively be used to gather some information. IIRC, no related issues were mentioned for Webkit browsers and Opera wasn't mentioned at all. You might watch that video for yourself.

Edit: Later, I'm going to re-watch that video myself. To be honest, I'm not sure I ever thought through the possibilities to collect information about the user based on the absolute and/or relative position of ads and knowing what could affect their position(s).

Conceptually, the issue isn't limited to the on screen keyboard scenario. That is but one specific, bad/worst case example of where you wouldn't want webpage script to be able to gather information about unrelated mouse movements involving other applications, browser windows, etc.

As for whether a particular "sandbox" could offer protection, I think that would depend on what if anything it does WRT compartmentalizing screens and mouse/keyboard activity, events.

 

This is the latest I have:
http://dankaminsky.com/2012/12/14/mouse/
http://blog.lumension.com/6235/spider-io-warns-of-massive-ie-security-flaw-but-is-it-legit/