Internet Explorer Mouse Tracking Flaw Exploited “at Scale” – Security Company

Microsoft disagrees and claims that users have not been “adversely affected”

By on December 14th, 2012 13:32 GMT

Redmond-based technology company Microsoft said in a statement a few hours ago that the recently discovered Internet Explorer flaw, which allows hackers to track mouse movement, isn’t affecting users and that no exploits have been recorded so far.

Spider.io, the security company that discovered and reported the flaw, claims this isn’t true and says that it’s actually being exploited “at scale.”

“Whether or not the team at MSRC failed to read our repeated mention of the vulnerability being exploited before yesterday, Microsoft can surely not deny knowledge today. The vulnerability is being exploited currently and at scale. MSRC know about it,” Spider.io spokesperson Douglas de Jager told TNW.

What’s more, Spider.io claims it informed Microsoft of the flaw in October, but the software giant replied that such a vulnerability does not qualify for an immediate update, only for a patch delivered when the next version is released.

Microsoft has already confirmed in an email statement sent to us this morning that it’s working on a fix.

“We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected. We will provide additional information as it becomes available and will take the appropriate action to protect our customers,” Microsoft said.

The security loophole affects Internet Explorer versions 6 to 10 and allows attackers to track mouse movements on a vulnerable computer even if the browser is inactive, unfocused or minimized.

Microsoft, however, sees only “very little risk to consumers at this time” and there are “no reported cases of any consumer having their information compromised.”

“From investigating the specific behavior when mouse position data is visible outside the browser window, sites can view only the mouse state; they cannot view the actual content that the user is interacting with,” the company explained.

Internet Explorer 10 is one of the affected versions