Microsoft has no immediate plans to release a patch

Dec 12, 2012 15:48 GMT

Microsoft patched several Internet Explorer bugs in the Patch Tuesday updates released yesterday, but a new critical vulnerability is already affecting the company's browser.

This new security flaw could allow hackers to track mouse movements on the screen, which is worrying because attackers would thus get to see the data you enter through virtual keyboards, which are usually provided by online banking services.

Virtual keyboards are currently employed by a number of online banking providers, as they are supposed to protect users from keyloggers and other software designed to record the pressed keys and send the information to a remote location.

Spider.io claims that Internet Explorer versions 6 to 10 are all affected by the flaw, and that the tracking works even if the browser window is inactive, unfocused or minimized.

“As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit,” Spider.io said.

In addition, the source claims it informed Microsoft about the vulnerability back in October, but the Redmond-based technology company said it has no immediate plans to release a fix.

The worst thing is that the flaw is already being exploited by “at least two display ad analytics companies across billions of webpage impressions each month,” Spider.io continued.

“As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimise Internet Explorer—your mouse cursor can be tracked across your entire display.”

Microsoft has yet to comment on this, but we’ve contacted the company and will update the article as soon as we get an answer.

Update: here's what a Microsoft spokesperson has just told us:

"We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected. We will provide additional information as it becomes available and will take the appropriate action to protect our customers."