Spider.io claims that it’s easier to exploit IE than Microsoft said in its statement

Dec 17, 2012 06:32 GMT  ·  By

Microsoft has already confirmed that it’s working on a patch to fix the recently-discovered security flaw that allows attackers to track mouse position, but the company has also explained that compromising users’ data is “theoretical” and “hard to imagine.”

Spider.io, the web analytics company that reported the vulnerability, says that it’s actually fairly simple to exploit this flaw, as it doesn’t require “serving an ad to a site that asks for a logon,” as the Redmond-based technology company said in its blog post.

“This is not the case. Ads do not need to be served to sites requiring login details. Ads need only to be served to some page which is open in Internet Explorer. The page with an embedded ad may be in a background tab. The page may be minimised. You may be using an entirely different application—potentially a different browser or some other desktop application—to log in,” Spider.io said in a new post.

The company has also explained its decision to go public with the flaw, emphasizing that it contacted Microsoft before disclosing it.

Microsoft, on the other hand, said this flaw is not important and an update for it would only be released in the next version of the browser.

“We made clear our belief that the Internet Explorer vulnerability was both significant and that its exploitation by an analytics company would suggest a disregard for user privacy and for the security efforts of browser vendors. Our suggestions were ignored by all the relevant parties as not being important,” the company explained.

Security companies have already reacted to news of the new Internet Explorer flaw, with Sophos recommending that users stop using Microsoft’s browser until a patch is released.

“In the meantime, while we're waiting for a possible fix, the best solution - if you are worried about this flaw - is to use a different browser than Internet Explorer,” Lisa Vaas of Sophos said.