Update to Alleged Information and Security Issue with Mouse Position Behavior


Over the last few days we’ve seen reports alleging abuse of a browser behavior regarding mouse position. Microsoft is working closely with other companies to address the concern of mouse position movement. From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy.

We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers. We will update this blog with more information as it is available.

Online advertisers started a shift (link) “from a ‘served’ to a ‘viewable’ impression[s].” Many different analytics companies stepped up to compete in this space. That competition has had many public results, including lawsuits (link). One of the companies involved in this space is Spider.io, which recently reported an issue in IE involving mouse pointer information. Spider.io is an advertising analytics company. Their recent blog post, “There are two ways to measure ad viewability. There is only one right way,” makes their point of view very clear. Different analytics companies use different and equivalent methods to gather consumer information across different browsers on different devices.

The only reported active use of this behavior involves competitors to Spider.io providing analytics. The theoretical use of this behavior to compromise the safety or privacy of consumers is something Microsoft’s security team has discussed with researchers across the industry. We take these risks very seriously. Getting all the pieces to line up in order to take advantage of this behavior – serving an ad to a site that asks for a logon, the user using an on screen (or virtual) keyboard, knowing how that onscreen keyboard works – is hard to imagine. From investigating the specific behavior when mouse position data is visible outside the browser window, sites can view only the mouse state; they cannot view the actual content that the user is interacting with. From our conversations with security researchers across the industry, we see very little risk to consumers at this time. As we have stated previously, there are no reported cases of any consumer having their information compromised.  

—Dean Hachamovitch, Corporate Vice President, Internet Explorer

Update:
Since the time of our post, these additional security blogs provide a good and balanced overview of this topic: “Actionable Intelligence: The Mouse That Squeaked” and “Spider.io Warns of Massive IE Security Flaw; But is it Legit?”


Comments (72)

  1. Matt H says:

    It is quite rare to see a desktop PC user interacting with an on-screen keyboard, but what about other form factors, like Surface RT or WP8? An on-screen keyboard is quite common, and always in a predictable location. Can these users' privacy or security be compromised by this issue? If so, it seems like at least mobile IE9 and all versions of  IE10 should be patched, and quickly.

  2. phone has no mouse says:

    And surface had extra security measures for on screen keyboard. Blog post says site can't tell what is under the mouse anyway….

  3. JulienM says:

    @Matt H

    The mouse cursor doesn't move when the user uses the on screen keyboard with his fingers.

    Touch events don't necessarily cause the mouse pointer to move.

    so I guess Windows 8 tablet users are safe from this bug.

  4. Steve says:

    Well written Dean… A classic product manager trying to skate around the issue.

    It's a security bug that's existed in IE for over a decade… Just fix it so that IE isn't the embarrassing sIEve we all know it to be!

  5. Peter says:

    I have to agree with Steve.

    All fluff about ad companies, no useful information and no time frame for a fix. Why not just own up to your mistakes? That would be a better way to become "the browser I loved to hate".

    The fact of the matter is that this behavior allows arbitrary sites to gather potential private information from the users desktop, i.e. outside of the site's intended scope. As such it should be fixed swiftly, before more people than just some ad networks use these techniques.

  6. Gillian says:

    So when you fix the global event object from leaking info when the focus, and cursor are not even within the IE window are you also going to fix the security bug with named popup/opened windows sharing a common namespace even when they are not tied to the same domain?

    This is the other trick "advertisers" yeah (air-quotes) advertisers use to track secure information without user consent or knowledge.

    Should we bring up the ieframe.dll leaks too? Or is 2 gaping security holes in IE enough for one day!

  7. Armand says:

    @Dean Hachamovitch, Corporate Vice President, Internet Explorer

    Please fix your post title: "alleged" needs to be removed as you yourself pointed out that Microsoft Internet Explorer does indeed enable a website to track mouse movements and certain keystrokes even though IE does not have the active focus, nor is even under the cursor.

    By definition alone this is a security hole!

    You can argue about how severe it is all day long but call a spade a spade – it's a security breach!

    You lose major credibility every time you come on this blog and put PR spin on your posts. You should have posted that you acknowledged there was a security hole issue posted online, that BECAUSE it was NOT filed in CONNECT it gained INSTANT attention and your team is working on a patch they expect to release as a critical update within a few days.

    Dancing around the issue and trying to put the blame on the issue reporter is a classic sign of a weak manager/company trying to point the finger in hopes of distracting the public from the real issue – IE has a long standing security issue that it is taking its sweet time about fixing!

  8. Dean's a *** says:

    Good one Dean!

  9. Pieter says:

    Virtual online keyboards are not very commonly used, except in South Africa where some of the major banks still try to force you to use virtual keyboards and IE is still the predominant browser. So in a case here it is a major risk.

  10. mocax says:

    is this a windows bug or IE bug?

  11. David H says:

    The underlying issue is that IE doesn't properly restrict reporting to its own window coordinates. I have books on my shelf explaining how to do this from over a decade ago.

    The real issue here is that it takes eons for Microsoft to patch bugs in IE. It has always been this way and I don't see this changing. No amount of PR spin will alter the fact.

    Either improve the bug fixing process and provide real timelines for when and how bugs in IE will be fixed, or developers will continue trash talking IE and refusing to work with it.

  12. Security says:

    This is not an issue, even for people with virtual keyboards.

    For example, clicks are not registered.

    The evil ad-company will just have a large list of mouse-coordinates.

    Even if they could guess what window/item was beneath the cursor, it would require some

    really clever heuristic to detect whether the mouse stopped because of a click or otherwise.

    They would never be able to reliably guess passwords or anything valuable.

  13. Ian Boyd says:

    @DavidH  "The real issue here is that it takes eons for Microsoft to patch bugs in IE"

    The bug was privately reported October 1 2012. Let's see if it takes an aeon (a long indefinite period, aka 1B years), or if it is fixed by the time IE10 is released for Windows 7.

  14. Josh G says:

    Gentlemen, dean is right on this one. Save your anger for real issues. Bitching about stuff like this only delays fixing real sec threats.

  15. Raymond says:

    when will IE 10 be finished for windows 7?

  16. Lee says:

    "This is not an issue" Are you kidding me?

    This is very much a big issue. IE is leaking information. A real world demonstration was made that shows how easy it is to determine the phone number of someone called in Skype. All by just having IE open. And to top it off, it works even while IE IS MINIMIZED.

    "Really clever heuristic"?

    It doesn't take much at all to determine which buttons a user clicks on if they move to click, click, then abruptly move away. This is predictable and already exploited.

    The discussion of this being something that merely affects business competition is very disingenuous. This is a big security risk, period. Not as bad as ActiveX was 'in the browser we loved to hate', but still big.

  17. Lee says:

    Additionally, the possibilities for evil to use this exploit are staggering. Suppose evil people get a list of alllllll the positions your cursor has been for the past few days. By using this technique + finding uniqueness (and oh yes, bad people with botnets and compromised ad servers CAN, in fact, uniquely identify you), they can have a better picture of what exactly you are doing. Oh what's that? People who click here, here, here, and move here are most likely using Notepad? Oh, what's that, people who click here are most likely using Skype? Remember how Stuxnet profiled Iran's nuclear reactors? Remember how it determined WHO to attack, and then attack ONLY THEM?

    This vulnerability can get them in the door to determine who is worth profiling and then other exploits are used to exploit further.

    Bottom line, hackers don't just use ONE exploit, they use several. And this is a nice way to determine if your compromised machine is worth saying 'hello' to.

    🙂

  18. Steve says:

    Dean,

    Just fix it. You would have been better off not posting at all.

    All the comments above are right on the money.

    It's a security breach. Just because you can't think of a way to exploit it doesn't mean it can't be done. People will find ways to use this to their advantage.

  19. Lee says:

    To give you a better understanding of the issue, a few seconds of googling pulls up images like this:

    web.media.mit.edu/…/cheese-list.jpg

    I don't know if images are allowed on the blog here, but the image itself shows mouse movement superimposed on a website. I assure you that the information recorded is enough to probabilistically determine useful information of what sites you might be on. Especially if a little number crunching is provided by a bot net of some sort. Now just imagine this leaked information extends outside of IE and on your entire computer. It is breaking out of the sandbox that the frickin web browser is supposed to provide!

    If you take away one thing from my posts, it should be this: This is just ONE itty bitty vulnerability. While it doesn't give an attacker much, it gives away more than you realize and it is enough to be used IN CONJUNCTION with other vulnerabilities to really ruin your day/week/life.

  20. IP tester says:

    Steve and Peter are same person.

  21. Tom says:

    @Security, what if someone installs an ad serving toolbar on IE and visits their bank site, which requires them to click in their PIN code? if the toolbar could track those statistics and send it back to the main server, couldn't you simply overlay the coords on top of a screenshot of the page and deduce their PIN that way?

    Still seems relatively unsafe. Also, this blog post is a joke. You guys can't even fix a simple problem like loading JS/CSS/HTML on demand outside of an iframe. Trident is a joke. IE is a joke. Sorry guys, try again. Maybe use WebKit this time? 🙂

  22. mocax says:

    so the mouse position is being broadcast to all windows in the OS and it is up to the program's discretion to make use of the data?

  23. V for Vendetta says:

    Guys Guys !

    Just stop using IE and start using Chrome.

    Because IE will provide your mouse movement advertising agencies who cannot figure out what is on the screen just some numeric pixel values.

    With Chrome, they will NOT let anyone capture your mouse coordinates BUT send ALL activities to Google server which Google (with its habit of harvesting user info) will use to profile you and sell to highest bidder (agencies interested in profiling people). How else they make billions of dollars annual revenue if everything they are offering is free? By selling YOU out.

    Well I don't give a crrrap about either of them.

    Lee said, "Are you kidding me?"

    No sir, we are kidding ourselves.

    Welcome to the internet !!

    Anything running on BGP protocol is NOT SAFE!

  24. Lee says:

    Those are completely different mechanisms. It's disingenuous to try to put them in the same boat.

    The mechanism that is built into Chrome to transmit browse history is CONSENSUAL and BY DESIGN. In fact, part of that mechanism is a check box in Chrome's settings. The issue with IE is a security vulnerability that happens WITHOUT CONSENT and NOT INTENDED due to the way the [incorrect handling of] Javascript works.

    The vulnerability in IE can send that information to ANYONE. It's not a matter of the browser-maker knowing what you are doing, it's a matter of ANYONE WHO MAKES A MALICIOUS web page ad or scriptlet can know what you are doing.

    Stop trying to blame the messenger.

    Stop trying to deflect blame to competitor.

    Stop trying to say 'lol other companies do it too'.

    The word 'Chrome' or any other company besides Microsoft has no business in this discussion.

    This is a VULNERABILITY as discovered that exists in INTERNET EXPLORER.

    Extra points:

    FYI: The mechanism that you ARE talking about, the one that Google Chrome uses to share information with Google, is also present in Internet Explorer. So, yes, IE ALSO shares information with Microsoft. But again, this discussion is not about that consensual feature.

  25. Lee says:

    Sorry, I didn't mean to sound like a dick.

    I just hate it when companies try to blatantly dismiss vulnerabilities such as this and whitewash it with 'lol well it's low risk, don't worry about it' when I know for a fact it's much more important than they make it out to be.

  26. Sam says:

    @Lee, Microsoft does not sell your information and make profit. They sell products like Windows Servers, DataCenter, Pro, RT, Office, SharePoint, Dynamics, Xbox, Phones, Surface, PixelSense etc. and provide service for those products.

    Unless you are a Google employee; then no matter what Google claims, how your bias refrains and make harder on you to even think about it impartially, when you practically realize some karma slaps it will definitely make you feel like dick and leave you wondering "What was I thinking?"

  27. Pandit Babu (India) says:

    i agree with these claims. i received email from oracle education on gmail. next hours i was watching videos on youtube and every ad was about oracle courses. youtube is google service which i witness. i don't know with how many other companies they shared that info? their terms says 'we share your information with our trusted parties'. what about user? how do they know if every user also trust their personal information with those parties which google trust in? this issue of internet explorer is nothing compared to what google does. this issue should be fixed. but just mouse movement information leak is a very minor vulnerability. there are big problems such as chrome.

  28. Lee says:

    I do not work for Google. I admit, however, that I have a pro-Google bias because I like the products they make, but I am also pro-Apple because I like some of their products and yes, even pro-Microsoft products (I'm a .NET developer by trade and passion).

    That said, my character has nothing to do with this issue.

    This is about acknowledging there is a vulnerability and taking accountability in offering a solution.

    I am criticizing this post because it's a complete dismissal of the problem in the typical corporate save-face fashion and does not help us, the people who use the Internet.

  29. Tom says:

    @Lee

    IE only collects data for telemetry (to improve the software). The data is anonymous and it's only confined to the components of browser frame (like how many times control X was used) as opposed to what's going inside the browser. You can always disable the telemetry agent and Microsoft will collect no information, whatsoever.

    Meaning unless I have a Xbox membership or using Microsoft billing, they will never know which Bank I am affiliated with even if I use IE for Internet Banking. Can't say the same thing about Google. Because now I know they even know how many bucks I have in my account when I was carelessly banking on my Android phone browser.

  30. Yannick says:

    @Lee – Nice for you (yes, that's sarcasm), but anyway, I've news for you: this blog is about the development of IE, not about how "awesome" Chrome is (it's not awesome, like V for Vendetta). You know, there is a lot of news on that IE has an exploit that tracks the position of your mouse. Anyway: it isn't useful at all! You don't know if it's hovering or clicking, you don't know what it does in which window. So, what's the problem? Chrome is one big privacy hole, so let's stop using Chrome and start using IE. Like Microsoft say it:

    The Browser You LoveD to Hate.

  31. Lee says:

    I am not talking about Chrome. We should stop talking about Chrome and Google.

    Chrome may have issues, but stop deflecting blame here…

    Like I just discussed, this is an Internet Explorer VULNERABILITY found ONLY IN INTERNET EXPLORER.

    The only thing that I want is for Microsoft to actually admit that.

  32. Lee says:

    @mocax : The issue is caused because in Internet Explorer the JavaScript handler for mouse movement continuously executes even though the mouse has exceeded the bounds of the browser window. This leaks more information about the outside world (the os) from the browser, which is supposed to be a sandbox, isolated place. IT IS NOT SUPPOSED TO DO THIS AT ALL.

    From there, it is trivial to stream this back to malware servers to determine what you are looking at and what you are doing.
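An added illustration of the behavior discussed in the comments above (not code from the post, from Internet Explorer, or from any commenter): a model of a dispatcher that restricts pointer reporting to the window's own viewport, next to an audit that flags delivered events disclosing state from outside the window. The window geometry, the trace values, the function names and the policy of hiding modifier keys from an unfocused window are assumptions made for the example.

```javascript
// Added example: a model, not browser source code.

// Constructed window geometry, in screen pixels.
const WINDOW = {
  minimized: false,
  focused: true,
  viewport: { left: 100, top: 80, width: 800, height: 600 },
};

// Constructed pointer trace in screen coordinates, as an OS might report it.
const TRACE = [
  { screenX: 150, screenY: 120, ctrlKey: false, shiftKey: false, altKey: false }, // inside
  { screenX: 899, screenY: 679, ctrlKey: true, shiftKey: false, altKey: false },  // last pixel inside
  { screenX: 900, screenY: 300, ctrlKey: false, shiftKey: false, altKey: false }, // one pixel past right edge
  { screenX: 20, screenY: 700, ctrlKey: false, shiftKey: true, altKey: false },   // elsewhere on the desktop
  { screenX: 1500, screenY: 40, ctrlKey: false, shiftKey: false, altKey: false }, // second monitor
];

// Half-open rectangle test: the right and bottom edges are excluded.
function inViewport(vp, x, y) {
  return x >= vp.left && x < vp.left + vp.width &&
         y >= vp.top && y < vp.top + vp.height;
}

// The reported behavior: every sample reaches page script unchanged.
function ungatedDispatch(win, trace) {
  return trace.map((s) => ({ ...s }));
}

// Restricted behavior: nothing is delivered for a minimized window or for a
// pointer outside the viewport; modifier keys are exposed only while the
// window has focus (assumed policy for this example).
function gatedDispatch(win, trace) {
  const delivered = [];
  for (const s of trace) {
    if (win.minimized) continue;
    if (!inViewport(win.viewport, s.screenX, s.screenY)) continue;
    delivered.push({
      screenX: s.screenX,
      screenY: s.screenY,
      clientX: s.screenX - win.viewport.left,
      clientY: s.screenY - win.viewport.top,
      ctrlKey: win.focused && s.ctrlKey,
      shiftKey: win.focused && s.shiftKey,
      altKey: win.focused && s.altKey,
    });
  }
  return delivered;
}

// Regression audit: list every delivered event that discloses state from
// outside the window, with the first reason that applies.
function auditDelivered(win, delivered) {
  const leaks = [];
  delivered.forEach((e, index) => {
    let reason = null;
    if (win.minimized) {
      reason = 'window-minimized';
    } else if (!inViewport(win.viewport, e.screenX, e.screenY)) {
      reason = 'outside-viewport';
    } else if (!win.focused && (e.ctrlKey || e.shiftKey || e.altKey)) {
      reason = 'modifier-while-unfocused';
    }
    if (reason) leaks.push({ index, reason });
  });
  return leaks;
}

// Compare both dispatchers for the same window state and trace.
function compare(win, trace) {
  return {
    ungatedLeaks: auditDelivered(win, ungatedDispatch(win, trace)),
    gatedLeaks: auditDelivered(win, gatedDispatch(win, trace)),
  };
}

console.log(JSON.stringify(compare(WINDOW, TRACE), null, 2));
```

The audit can be run over any recorded event log with the same fields, which makes it usable as a regression check once the browser behavior is changed.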

  33. Security says:

    Some points:

    1. Each person has a unique mouse dexterity.

    2. Moving mouse to position, then stopping is not the same as a click.

    3. Computers have different resolutions and window sizes – content is placed differently.

    4. Applications that let Windows position themselves are placed on screen "almost at random".

    5. Toolbars and ActiveX can already monitor everything on the computer, no need for JavaScript exploits.

    6. Repeated letters cannot be captured.

    This is a bug, yes, but it is not a security bug.

    Finally, this bug is also CONSENSUAL. I am certain that Microsoft's terms state, that they are not responsible for any damage, bla bla bla.

    Lee, you must have accepted these terms when you installed Windows and IE. 😉

  34. Lee says:

    That is not what I mean by consensual. Not at all. 🙂

    I don't mean consent as a waiver of liability. I mean consent as in giving this information away to 3rd parties is NOT BY DESIGN.

    In any case, let me counter with other points:

    – The uniqueness can be tracked. Which actually makes this vulnerability worse.

    – Don't downplay a vulnerability by saying there are many other vulnerabilities on the operating system. That doesn't inspire confidence in Microsoft. 🙂

    – Windows cascade and display in known ways. If someone were monitoring the overall aggregate data acquired by mouse movements, one could determine the normal layout of your screen and the sizes of the windows that you interact with on a daily basis. Got ya.

    – Any time information leaks, it is an issue. Splitting hairs by calling it not a 'security bug' is not important. IT CAN BE USED TO COMPROMISE SECURITY, period.

  35. Leonard says:

    I saw this on HackerNews. Apparently IE even leaks mouse position through events that are totally unrelated to the mouse. marquee onbounce (!!!) is the example given: news.ycombinator.com/item

  36. Disgusted says:

    I'm disgusted Dean – you have a wide open security breach with example code publicly available and you are blaming advertisers.

    You should not have posted anything about a security breach until you have a patch available!

    As for this post now that you've made it you need to correct it ASAP.

    REMOVE the word ALLEGED immediately! You have clearly indicated as has anyone that has viewed the exploit code that this is NOT alleged, we've seen the exploit in action and all witnessed it first hand!

    Next add an addendum to this post indicating that it was extremely unprofessional to use this blog to point fingers at an ad network and That Dean & Microsoft should be solely focused on fixing the security breach ASAP and you expect to have a patch available as fast as possible.

    I'm switching from IIS to apache Monday morning this type of behavior from Microsoft on web security is absolutely disgusting.

    Alternatively if you are unfit your resignation Dean will also be accepted.

  37. Viktor says:

    Well that was easy.

    Open google.com and bing.com in two tabs. Type the same keyword in both and hit search button.

    Now, in both results pages hover with your mouse on different result links and observe the URL in status bar at the bottom of browser window.

    Bing will show you the direct URL to resource. With Google, you will get URL to Google server. When you click, they will take you to their server first, then redirect you to the original resource.

    Q: Why would they do that?

    A: They are collecting information.

    Q: Why would they do that?

    A: They want to make money.

    Q: How will they make money?

    A: (read the above comments again to find out)

  38. FanTam1337 says:

    @Lee

    First of all, stop shouting and no one is "deflecting" the blame. It's because Google has the biggest stake in advertising world and no wonder if this so called "exploit" exhibition all over the Internet is funded by them. More people using Chrome means more money starting to flow in their pocket without user consent.

    Secondly, the mouse movement tracking is not a security bug. You cannot capture anything besides dummy coordinates with no underlying content and no real-time page-state to "guess" what was on the page.

    Even on virtual keyboard, the click on keyboard cannot be captured. You cannot tell remotely, which key was clicked on the keyboard. And by the way who use virtual keyboard with mouse when touch is there? And touch events are different than that of mouse.

    Finally, the "behavior bug" fix is coming so don't cry about it.

  39. @Lee says:

    Is this a bug? Yes.

    Can this be exploited? No.

    Is this a security issue? Not really.

    Stop whining and go back to Chrome. Thanks.

  40. Security says:

    @Victor, don't be naive. Bing does it too. They do it through JavaScript though.

    @Lee, http://www.cs.wm.edu/…/ccs11.pdf. Point being, mouse movement is quite unique from person to person.

  41. Viktor says:

    @Security, NAIVE? I don't understand where are you getting those "hypertheticals"… be realistic willya?

    Bing does NOT collect click information via JavaScript. You can check using fiddler, network monitor or any network sniffer?  No XMLHTTPRequest packet will be sent back to Bing when you click a result link on Bing result page.

    With Bing it's a straight deal.

    With Google its a betrayal.

  42. @Lee: the point you keep missing is that for the mouse data to be useful, you actually have to have at least some idea of what is on screen. And that simply isn't possible to determine using this alone. The images of mouse cursor activity overlaid on a webpage falls apart if you overlay the data over completely random webpages instead. The so-called demonstration of being able to read a Skype phone number could only work if Skype is open and located at a known position on screen, which again is impossible to determine.

    You could argue that heuristics could be used to determine certain application targets, but it's very much grasping at straws, the sheer number of combinations and behaviours leads to a signal to noise ratio that would be deeply unfavourable to malware attempting to use the data.

  43. Security says:

    @Victor

    Go to Bing, search. Open IE dev tools and turn on network inspection.

    Click on a search result without releasing the mouse (otherwise you will be taken to the page).

    Observe in dev tool that Bing downloads an image from this url:

    /fd/ls/GLinkPing.aspx?IG=ebed87486be644048edabb29866355cd&CID=2B01F2B8EB956AB207C6F68FEA926A1A&PM=Y&&ID=SERP,5097.1

    What do you think this extremely detailed url is for? Or look at the name, LinkPing!

  44. Flávio says:

    As Microsoft said at the header, it is not a flaw, it is a behavior. That is, is a deliberate feature of invasion of privacy to analyze where the mouse pointer is on the screen, so that she (microsoft) is not even trying to "fix" this failure.

  45. WindowsVista567 says:

    @Flávio, this is not invasion of privacy. Even if the eavesdropper, otherwise the hacker, come in contact with that information, he/she:

    – cannot know which window was active.

    – cannot know what content the mouse was moving on.

    – cannot know about clicks.

    – cannot know what were you typing.

    Those bunch of numbers will not come back and bite you on your butt.

    So take a deep breath, roll your eyes and Chill !

  46. Mr. says:

    Does IE 10 use more watt than chrome?

  47. Marshal says:

    @Dead – the word "Alleged" is still in this post title even after it's been proven (including by you and Eric Lawrence) to be a bug AND after many people have asked you to be professional and remove it.

    There's no excuse for ignoring these requests when you've clearly already updated the article once.

    Current respect for @Dean = zero

    Current credibility for @Dean = zero

    @Dean's representation for The Microsoft Internet Explorer Team? = 100%

  48. Marshal says:

    That was meant to be @Dean (there was no spite intended there… Just over zealous auto correct)

  49. Yannick says:

    @Mr. – Do you mean watt as in electric? In that case, no, IE10 uses less energy.

    @Lee – You're seriously missing the point, like everybody here says. Please stop boycotting IE on its own blog, and go back to Google, we want to follow the IE development without stupid reactions, thanks.

  50. Concrete Blonde says:

    For developers, how to test IE for Xbox? Is there an emulator?

  51. Dwane says:

    Uhm we're still waiting Dean! You've failed to remove the word Alleged from your article about Microsoft's security hole that exists in every currently supported browser that you've shipped.

    Hardly seems like something you want to just sit back on when the media is upset that you didn't take full responsibility for the IE bug when you first posted it.

    Now that several sources have confirmed the bug is real it seems incredibly childish for you to continue this charade without at least accepting responsibility like a professional.

  52. Tom says:

    @Concrete Blonde, listening to "Long time ago" 😀

    Here is how you can emulate: Open the target page in IE10. Hit F12 and you will find Tools menu in the F12 developer tools. Under tools, hover over "Change user agent string" and you will get submenu with handful of devices: Windows Phone, IE for Xbox, Safari, Chrome etc.

    A web application may be aware of various kinds of devices and alter its behavior, at client-side, accordingly. In case the website is supposed to run on Xbox, it is imperative to consume CSS3 "@media tv" rules.

  53. WindowsVista567 says:

    @Dwane  @hAl  

    Spider IO is an infamous advertising company, trying to make some significance and now closely in bed with Google. Every step of the way, they are promoting Google and its product Chrome and cussing Microsoft and its products or any competitor to Google. How can their reports be fair?

    The mouse pointer movement data is worthless if there is no information about the underlying content or if there is no information about the clicks. But they are still exploiting it as if it's some kind of horror movie.

    Mouse movement tracking must be least of your worries. The only "advantage" these advertising companies will get is to undermine IE, convince users that there is nothing bad about how other companies, such as Google, are tracking your privacy and selling the information, just because Microsoft has cut their supply line by setting DNT flag on! They are after the reputation ever since and of course the biggest animal in that jungle is Google, pulling strings, ripping off privacy and getting richer.

    There is no report of anyone getting hurt by this bug unless you have exact idea what is on the screen and you are capturing mouse click event. And if you happen to have information about mouse click event, then you have everything and you don't need the mouse movement data. Which means you have hacked someone's website and you are able to inject your code.

  54. @Marshal @Dwayne What is alleged is that it's a security or information disclosure issue, not that the bug exists. So far there is very little actual evidence that it is exploitable in any way.

  55. Jason T. says:

    "Update to Alleged Information and Security Issue with Mouse Position Behavior"

    NOT ALLEGED! Information is being leaked. Both mouse movements and CTRL, SHIFT, & ALT keys

    "we’ve seen reports alleging abuse of a browser behavior regarding mouse position"

    Excuse me? you've already confirmed this is occurring (see this comment):

    "We are actively working to adjust this behavior in IE"

    You wouldn't need to be actively working on "adjusting" read:Changing! this "behavior" read:Leaking in IE if there wasn't a problem… and you certainly wouldn't need to put a blog post on the IE Blog if there was nothing actually going on… you'd put a cease & desist order out and a simple denial of any leak post out.  But you didn't you posted not-quite-so-clear-smothered-in-PR-deflection yes we are aware and are working on something but we are heading into a weekend and we are not planning to work on this data leaking right now when we can blame ad networks that everyone notoriously hates.

    As always with any security breach you can't just look at the picture and presume that you can't think of a way to abuse this info therefore there is no risk.

    I would never have thought that a standalone iPhone would be able to read my blood pressure but with the flash light on right next to the video camera it is possible to detect the slightest skin tone color change as blood pulses with each beat and from that you can accurately detect blood pressure.  I swore this was a scam until I looked into it… but it isn't.

    Likewise this info leaking in IE is most definitely, undeniable 100% leaking from the browser as confirmed by EVERYONE that has investigated the issue.

    THEREFORE

    You seriously need to RETRACT the AMBIGUOUS wording and tone of this article and present the cold hard facts.  IE IS LEAKING INFO… maybe not enough in YOUR opinion to be an issue but it most certainly is leaking!

  56. IE10Sucks4ever says:

    Internet Explorer Sucks…Less

  57. @Jason T says:

    The abuse is alleged.

    What spider.io reported as findings in the wild is usage of this feature by competing user statistics companies but only within the browser windows (so usage not particular to IE !!!) to track user behavior.

    Although this is not the intended use of the mouse positioning script support it does not seem illegal. Spider.io might call it abuse.

    However that is correctly described as alleged since others who use this method might see this as a normal business practice.

    Almost all tracking activities could be seen by some people as abuse.

    Ignoring the DNT setting of IE10 might well be called abuse.

  58. Jessica says:

    @"@Jason T" – PS please use your real name or at least a non-@ fake name so we can properly reference your comment!

    This post is about IE and the topic of IE leaking mouse movements that exist outside the browser window and also outside the browser even having focus – Period.

    On that note IE is most certainly leaking the mouse events that it should not be providing to JavaScript on a page.  Therefore the bug is 100% real.  There are more details about some of the potential risks listed here: webbugtrack.blogspot.ca/…/bug-593-ie-leaks-all-your-windows-mouse.html

    We can argue all day long as to whether it is a huge security hole or just a small one but you can't deny for a second that it is a hole and Dean even discussed the fact that they are actively working on fixing it.

    It's for that reason that this post is causing such a stir! Dean/Microsoft would win a lot more developer support if he stepped off his PR podium and spoke the real truth.

    "Yes there is a security bug."

    "Yes we are working on a fix."

    "Microsoft does not feel that this security bug is that major _____(explanation why they feel differently than everyone else)____"

    So again we ask that Dean take 2 minutes to update this post to more accurately reflect the fact that this issue has been confirmed and there are test cases available – it is not "Alleged"

  59. @Jessica says:

    The leaking of the mouse positions outside the browser windows could be considered a bug.

    However it is not necessarily a security issue.

    The area outside the browser windows is like a black box.

    Knowing where you are in a black box does not reveal what is written on the floor of the box.

    Neither you nor anyone else has provided a method of exploiting this leaking of mouse positions in a real life scenario into getting meaningful data.

    spider.io claimed exploitation on billions of webpages.

    However what they were referring to was actually not a bug but was about using mouse positions inside a browser window. Something which is normal behavior in ALL browsers.

    All claims on exploitation are alleged and are found to be actually untrue as they refer to normal browser behavior

    All claims on abuse are alleged

    All claims on posing a real security issue are alleged.

  60. Mr. says:

    IE 10 is definitely better than IE9.

  61. Snow miser says:

    Make IE10 program thing like google chrome frame is… but IE10 frame for windows xp and vista!!! Come on Microsoft don't you care for your customers?

  62. Google says:

    Official Confession:

    We are shameless because we are Google.

    In last few months, we have made decisions to take care of our annoying competition, Microsoft:

    ^ we have made IE9 and IE10 users to pay for it by not letting them download the attachments from Gmail (we don't care how well outlook, skydrive, office365 etc. work on our browser).

    ^ we have made decision to discontinue development for Windows 8 and Windows Phone apps, our excuse is pretty vague, that is; "we are careful about our investment" (although many freelance developers are able to manage their apps singlehandedly on three platforms Android, iOS and Windows Phone).

    ^  we have decided to discontinue Gmail service for windows phone, by pulling the plug on supporting ActiveSync (its there since the arrival of Windows Phone in Dec 2010).

    ^ now we are paying our advertising fellow agencies to conspire against Microsoft corporation by these bogus exploits (when Microsoft is shaking hands with us on forums like cppiso and w3c)

    Look, the idea "really" is to make users stop using Microsoft products and lure them to use our cool looking browser. This way we can collect user information, sell it and make profit. The more users join our "free" ecosystem with "all free" products, the more money we'll make and conspiracy / chaos will prevail with privacy ripping becoming a joke.

    ^ it has all been told in news in last 2 months. All you need is to "figure out" what's going on you stoopid!!

  63. Lee says:

    Someone was posting as my name earlier.

    No registration required == random asshats.

    My issue was with Microsoft, not Google. Stop playing the blame game and just fix the issue.

  64. Lee says:

    Stop the childish playground 'We're better than Google' 'no we're better than Microsoft' 'IE sucks' 'No, Chrome sucks'.

    Acknowledge that Microsoft fucked up with this vulnerability. Admit that the problem exists. Give us a timeline for a fix. FOLLOW THROUGH.

    I don't care about anything else. I don't care how IE is compared to Chrome or Firefox. Just fix this damn Internet Explorer vulnerability and let's get on with our lives.

  65. Lee says:

    I also like how the defense for the vulnerability comes down to not that

    – The issue is real

    – The issue is in the wild

    – The issue has been actively used by a company (spider.io? never heard of them until this week)

    but instead:

    – "welllll it's such a small issue that it's unlikely to be useful by hackers"

    – "it's unlikely"

    What a terrible logical fallacy… argument from incredulity.

    Oh, the hackers are limited by only what YOU can conceivably think of?

    What a dangerous line of reasoning.

  66. Lee says:

    And because I have some more time to kill:

    en.wikipedia.org/…/Keystroke_dynamics

    I want you to understand that there is a science to this technique (the principle can be applied to mouse movement just as easily) and that it has been done before. People make a ton of money off of understanding this.

  67. Still waiting Dean says:

    @Dean we are still waiting for you to adjust your post wording about the confirmed bug in IE.

    The comments on CNet about this issue are painting you in a bad light not because IE has the bug but because of the lack of clear communication and a lack of estimated timeline.

    It's Wednesday already but yet we don't even have confirmation that Microsoft is planning to release an out of band patch or even an expected date for it to land so we can patch up our browsers.

  68. No security risk ??? You are kidding, right ! says:

    Did you actually say: "From our conversations with security researchers across the industry, we see very little risk to consumers at this time."?

    Unbelievable! Let me just say that. I work in building Internet Banking sites. The virtual keyboard has been a de facto standard to avoid key logging. But since IE now allows tracking the mouse, now any attacker can get the position of the mouse, thus the codes!

    I'm guessing that you would suggest to scramble in a random way a QWERTY keyboard. Yeah, right! Great user experience that would result from that.

  69. EricLaw says:

    Virtual keyboards are security theatre preying on the naive. Any PC vulnerable to a keylogger is just as vulnerable to a mouse-logger.

  70. Brandon says:

    So is there a fix yet?

    Seems a bit odd that Microsoft is just sitting on a security bug affecting all shipped versions of IE without an ETA for the fix.

    Seems even worse that instead of properly admitting to the bug they are trying desperately to blame the bug reporter for ulterior motives.

    No wonder enterprises are moving to non-IE browsers faster than ever.

    Maybe if Microsoft committed to working with the community and having proper transparency this wouldn't be an issue?!

  71. Deborah A. Jones says:

    ditto to all of the correspondence….