The attack that I worry about the most is malware that dumps keylogging software onto your computer, allowing a bad guy somewhere to grab your passwords and other login information, as well as any sensitive data you may happen to enter, like Social Security or credit card numbers.
Now, however, there is another type of attack that allows the bad guys to follow what you do on your computer. Researchers have discovered a hole in Internet Explorer that can give hackers a way to track your mouse movements. Even worse, you don’t actually have to be actively using your browser in order to be tracked. Do you use a virtual keyboard in hopes of avoiding keyloggers? Well, that practice may be down the drain because this new hack can read what you enter on virtual keypads. According to CNET:
“As long as the page with the exploitative advertiser’s ad stays open — even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer — your mouse cursor can be tracked across your entire display,” the security firm said in a statement. “An attacker can get access to your mouse movements simply by buying a display ad slot on any Web page you visit,” the security firm warned, adding that any site from YouTube to The New York Times would be a possible attack vector due to ad exchange activity.
The vulnerability touches every version of IE from 6 through 10. We’ve become accustomed to the problems of IE6, but IE10 is supposed to be extremely secure. Apparently, it’s not as secure as we thought.
The flaw was discovered a few months ago by a security company called Spider.io and is only now being revealed to the public. Why did it take so long to tell us? According to PC Pro, Spider.io told Microsoft that there was a problem in October. Microsoft didn’t do anything and apparently doesn’t plan to do anything (really, Microsoft?), so Spider.io brought it to the public’s attention. The company developed a game to show how the vulnerability works and just how easy it is to exploit.
Without a fix, what should we do? The best thing is to use another browser, which I know is easier said than done. A lot of companies still use IE primarily, if not solely, and for a lot of us (and I include myself in that group) IE is the browser we prefer. But until Microsoft addresses this problem, it may be time to rethink the way we access the Web.