Microsoft responds to IE mouse tracking vulnerability - alt_
http://blogs.msdn.com/b/ie/archive/2012/12/13/update-to-alleged-information-and-security-issue-with-mouse-position-behavior.aspx

======
chris_wot
_Getting all the pieces to line up in order to take advantage of this behavior
– serving an ad to a site that asks for a logon, the user using an on screen
(or virtual) keyboard, knowing how that onscreen keyboard works – is hard to
imagine._

ORLY? The imagination of a Microsoft engineer quite clearly is no equal to the
imagination of a creative exploiter. After all, nobody could imagine the
Morris Worm, or Word Macro viruses, or even SQL Slammer.

Attacks come through exploitable vectors. Lining up those exploitable vectors
may _seem_ tricky, but that hasn't stopped this from happening. And frankly,
this particular attack vector seems to be one of the more exploitable ones.

~~~
mattmanser
I don't agree at all.

It's an x, y position, what possible use is it? Two integers.

MS are right about this, this is just spider.io being alarmist for free
publicity.

~~~
ambrop7
So you're saying if you were given a mouse movement trace on top of a virtual
keyboard, you couldn't possibly deduce what was typed?

Someone should just make a program that does that, and this will all be
settled. Maybe even make it guess what kind of virtual keyboard was used.

~~~
kevingadd
A better question is what degree of danger this information actually poses. It
is _possible_ to reverse a password hash created by bcrypt regardless of what
settings you used. The question is HOW LONG would it take, and whether the
cost makes the value of any potential exploit less than zero. If the value is
less than zero, the risk is effectively minimal - at least for now.

Panic and tarring and feathering of Microsoft's security team is only
justified if the risk is severe.

~~~
jbri
A security issue is a security issue, regardless of how severe it is.

If MS had come out and said "We're working on fixing it, but we don't think
it's a critical vulnerability" - that would be understandable. What needs to
be called out is if they come and say "This isn't an issue at all".

If some website was leaking password hashes, would "well the hashes are so
strong that this isn't really an issue" be an acceptable response?

------
crististm
Nothing to see here; move along...

Interesting wording of the message. Microsoft tries to draw attention away from
the real problem and towards an analytics company that can't stand the heat of
competition.

We learn something new every day.

------
frontsideair
Those pesky spokespeople. Microsoft should fire them all, they're damaging the
already damaged Microsoft image. Just take a look at this statement:

"There are similar capabilities available in other browsers. Analytics firms
can expect to do viewpoint detection in IE similarly to how they do this in
other browsers."

Aren't they just throwing their hands up in defense and telling us "We're not
the only ones! Everyone else is doing it too!" That's slimy.

~~~
abcd_f
> damaged Microsoft image

I think you are stuck in the past. Microsoft has _dramatically_ improved the
security of their system. I've been using Windows as my primary OS since 3.11
days, and I hated Microsoft's guts for cutting corners and shipping crap. Not
anymore. They really pulled their act together in the last couple of years. From
Windows Updates, to mitigation tools like EMET, to _much_ improved MSDN
documentation - I really can't believe that I'm saying this - they did a
great job. So please, if you feel like bashing M$, there's a dedicated website
for that... it's called Slashdot :)

~~~
omgtehlion
> dramatically improved the security of their system

yes they did, but their perceived _image_ is still badly damaged

------
blahpro
To highlight the ridiculousness of this vulnerability: you don't even need to
use `fireEvent("onmousemove")` to gain access to this information. You can use
events that have _absolutely nothing to do with the mouse_, such as onbounce*
on a hidden <marquee> element (seriously).

* "Fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window." -- [http://msdn.microsoft.com/en-us/library/ie/ms536910(v=vs.85)...](http://msdn.microsoft.com/en-us/library/ie/ms536910\(v=vs.85\).aspx)

------
culshaw
Whoever Gillian is, she just rocked my world with that comment.

------
dchest
Why the hell do they issue statements instead of patches? Is it hard to fix? If
yes, let us know. If no, just fix it.

~~~
kevingadd
Microsoft cannot issue patches instantly. They have to go through testing.

~~~
dchest
The issue was reported in October.

"Whilst the Microsoft Security Research Center has acknowledged the
vulnerability in Internet Explorer, they have also stated that there are no
immediate plans to patch this vulnerability in existing versions of the
browser."

[http://spider.io/blog/2012/12/internet-explorer-data-leakage/](http://spider.io/blog/2012/12/internet-explorer-data-leakage/)

So, instead of fixing it:

- receive vulnerability report

- don't fix it and wait until there's a PR disaster

- issue a statement that now "we're working actively to fix it"

- [future] fix the issue

My question, again -- why the hell didn't they fix it in the first place? Why
go through this? Do you have to be a psychic to figure out that any Microsoft
non-response to a vulnerability (even if its effect is overblown) is a PR
disaster?

~~~
kevingadd
If Microsoft does not consider it to be a critical vulnerability, their
behavior is entirely consistent with the issue being a task on a task list
somewhere - possibly already fixed on the development branch for the next
release (or service pack) of Internet Explorer 10. It is simply not possible
to declare at this point that Microsoft decided not to fix it. Internet
Explorer is a tremendously large piece of software used by millions of
customers; do you think this is the only bug with potential security
consequences in their bug database?

More concretely: If, hypothetically, on October 1 2012, two security issues
were reported, and this is one of them, which one do you think they should
have fixed first and rushed an out-of-band patch for? Do you think it should
have been this one specifically because it's a PR disaster?

I agree that faster action is always better, and that better communication is
always better. But you have to understand that teams working on products this
large do not move quickly. In the time since this issue was reported to
Microsoft, we have only passed through roughly one release cycle of Firefox
and Chrome. So, assuming an identical issue was found and reported in Firefox
or Chrome on the same date, would the fix even be in customers' hands? Most
likely only if it were considered important enough to rush a fix.

~~~
dchest
Your reply makes a lot of sense, much more sense than the linked post. Thank
you.

------
magnetikonline
Heh, happy to note that "There are similar capabilities available in other
browsers" - but then it nicely ignores the fact that the crux of this issue is
that the mouse position can be read even when the mouse is outside the focused
browser window.

~~~
kevingadd
It has yet to be conclusively proven that this information presents a real
risk to anyone's privacy. It would certainly be nice to fix (and you can
observe from the post that MS is not opposed to fixing it) but it is hardly a
crisis.

~~~
chris_wot
I'm hoping it won't be conclusively proven, because by definition the proof
will be an exploit in the wild.

------
kevingadd
I find Microsoft's explanation of the facts to be quite logical. How many
users are actually going to interact with an onscreen keyboard using the mouse
cursor? It's already been stated that the supposed exploit doesn't affect the
touch keyboard on Win8.

~~~
chris_wot
As has been pointed out, at least one bank has a mouse-controlled PIN
keyboard.

~~~
kevingadd
Are you seriously suggesting that given nothing other than a small window into
mouse position and modifier keys (the latter would be useless for a mouse-
controlled PIN keyboard), an attacker would be able to not only identify when
the user clicks, but when they're visiting the bank and the alignment of the
PIN keyboard? And then somehow leverage this information by itself to attack
someone without having any of their other personal information?

It is certainly information that COULD be useful as part of an attack, but it
seems utterly ridiculous that just mouse information would somehow enable you
to compromise the security of someone's bank account.

Private information should certainly remain private, and I don't doubt that
this leakage will be fixed one way or another, but this really seems more like
paranoia than anything else unless there's at least a concrete description of
how the data provided is enough to actually inflict harm. Lots of potentially
useful data is exposed by browsers (and browser plugins) every day; this isn't
the only bit.

~~~
JungleFruit
As previously stated.

This could be used to potentially track the entropy of encryption key
generation (such as TrueCrypt or the new MEGA site's implementation, or any site or
program that employs mouse movement / key binding for entropy).

Mega screenshot: [http://cdn.thenextweb.com/wp-content/blogs.dir/1/files/2012/12/A9h3qnnCQAEhJUc.jpg](http://cdn.thenextweb.com/wp-content/blogs.dir/1/files/2012/12/A9h3qnnCQAEhJUc.jpg)

Security thread on a bank login virtual keyboard:
[http://security.stackexchange.com/questions/22774/my-bank-makes-me-enter-my-password-using-the-mouse-whats-up-with-that](http://security.stackexchange.com/questions/22774/my-bank-makes-me-enter-my-password-using-the-mouse-whats-up-with-that)

Just something an idiot can think of, so any black-hat is just having fun at
this point.

~~~
kevingadd
Thank you for a more concrete justification. I think I agree that the two
links you provided are examples of use cases that could actually be exploited
just using the position of the mouse.

------
mtgx
I have the feeling Windows 8 will become a better attack target than Windows 7
was, because of all the new (and exploitable) stuff Microsoft introduced
through Metro and through the Windows Store, which is still very
much untested.

------
RoryH
'Redmond is (still) evil' it seems :-)

