Bugtraq mailing list archives

By Date By Thread Information disclosure (mouse tracking) vulnerability in Microsoft Internet Explorer versions 6-10 From: Nick Johnson <nick () spider io>

Date: Tue, 11 Dec 2012 16:25:58 +0000

Summary: Unprivileged attackers can track your system-wide mouse movements from any IE page, even when the page is unfocused or minimised. Package: Microsoft Internet Explorer Affected: Tested on versions 6–10 Introduction ----------------- A security vulnerability in Internet Explorer, versions 6–10, allows your mouse cursor to be tracked anywhere on the screen, even if the Internet Explorer window is inactive, unfocused or minimised. The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads. As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimise Internet Explorer—your mouse cursor can be tracked across your entire display. Details of the vulnerability ----------------- Internet Explorer’s event model populates the global Event object with some attributes relating to mouse events, even in situations where it should not. Combined with the ability to trigger events manually using the fireEvent() method, this allows JavaScript in any webpage (or in any iframe within any webpage) to poll for the position of the mouse cursor anywhere on the screen and at any time—even when the tab containing the page is not active, or when the Internet Explorer window is unfocused or minimized. The fireEvent() method also exposes the status of the control, shift and alt keys. Affected properties of the Event object are altKey, altLeft, clientX, clientY, ctrlKey, ctrlLeft, offsetX, offsetY, screenX, screenY, shiftKey, shiftLeft, x and y. Exploit ----------------- <!DOCTYPE html> <html> <head> <meta charset="utf-8" /> <title>Exploit Demo</title> <script type="text/javascript"> window.attachEvent("onload", function() { var detector = document.getElementById("detector"); detector.attachEvent("onmousemove", function (e) { detector.innerHTML = e.screenX + ", " + e.screenY; }); setInterval(function () { detector.fireEvent("onmousemove"); }, 100); }); </script> </head> <body> <div id="detector"></div> </body> </html> Demonstration ----------------- A demonstration of the security vulnerability may be seen here: http://iedataleak.spider.io/demo The implications for virtual keyboards and virtual keypads ----------------- We have created a game to illustrate how easily this security vulnerability in Internet Explorer may be exploited to compromise the security of virtual keyboards and virtual keypads. The game may be found at http://iedataleak.spider.io/ By Date By Thread Current thread: Information disclosure (mouse tracking) vulnerability in Microsoft Internet Explorer versions 6-10 Nick Johnson (Dec 11)