Update to Alleged Information and Security Issue with Mouse Position Behavior

Over the last few days we’ve seen reports alleging abuse of a browser behavior regarding mouse position. Microsoft is working closely with other companies to address the concern of mouse position movement. From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy.

We are actively working to adjust this behavior in IE. There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers. We will update this blog with more information as it is available.

Online advertisers started a shift (link) “from a ‘served’ to a ‘viewable’ impression[s].” Many different analytics companies stepped up to compete in this space. That competition has had many public results, including lawsuits (link). One of the companies involved in this space is Spider.io, which recently reported an issue in IE involving mouse pointer information. Spider.io is an advertising analytics company. Their recent blog post, “There are two ways to measure ad viewability. There is only one right way,” makes their point of view very clear. Different analytics companies use different and equivalent methods to gather consumer information across different browsers on different devices.

The only reported active use of this behavior involves competitors to Spider.io providing analytics. The theoretical use of this behavior to compromise the safety or privacy of consumers is something Microsoft’s security team has discussed with researchers across the industry. We take these risks very seriously. Getting all the pieces to line up in order to take advantage of this behavior – serving an ad to a site that asks for a logon, the user using an on screen (or virtual) keyboard, knowing how that onscreen keyboard works – is hard to imagine. From investigating the specific behavior when mouse position data is visible outside the browser window, sites can view only the mouse state; they cannot view the actual content that the user is interacting with. From our conversations with security researchers across the industry, we see very little risk to consumers at this time. As we have stated previously, there are no reported cases of any consumer having their information compromised.  

—Dean Hachamovitch, Corporate Vice President, Internet Explorer

Update:
Since the time of our post – these additional security blogs provide a good and balanced overview with respect to this topic: Actionable Intelligence: The Mouse That Squeaked and Spider.io Warns of Massive IE Security Flaw; But is it Legit?

Comments

• Anonymous
  December 13, 2012
  It is quite rare to see a desktop PC user interacting with an on-screen keyboard, but what about other form factors, like Surface RT or WP8? An on-screen keyboard is quite common, and always in a predictable location. Can these users' privacy or security be compromised by this issue? If so, it seems like at least mobile IE9 and all versions of  IE10 should be patched, and quickly.

• Anonymous
  December 13, 2012
  And surface had extra security measures for on screen keyboard. Blog post says site can't tell what is under the mouse anyway....

• Anonymous
  December 13, 2012
  @Matt H The mouse cursor doesn't move when the user use the on screen keyboard with his fingers. Touch events don't necessarily cause the mouse pointer to move. so I guess Windows 8 tablet users are safe from this bug.

• Anonymous
  December 13, 2012
  Well written Dean... A classic product manager trying to skate around the issue. It's a security bug that's existed in IE for over a decade... Just fix it so that IE isn't the embarrassing sIEve we all know it to be!

• Anonymous
  December 13, 2012
  I have to agree with Steve. All fluff about ad companies, no useful information and no time frame for a fix. Why not just own up to your mistakes? That would be a better way to become "the browser I loved to hate". The fact of the matter is that this behavior allows arbitrary sites to gather potential private information from the users desktop, i.e. outside of the site's intended scope. As such it should be fixed swiftly, before more people than just some ad networks use these techniques.

• Anonymous
  December 13, 2012
  The comment has been removed

• Anonymous
  December 13, 2012
  The comment has been removed

• Anonymous
  December 13, 2012
  Good one Dean!

• Anonymous
  December 13, 2012
  The comment has been removed

• Anonymous
  December 13, 2012
  is this a windows bug or IE big?

• Anonymous
  December 13, 2012
  The underlying issue is that IE doesn't properly restrict reporting to it's own window coordinates. I have books on my shelf explaining how to do this from over a decade ago. The real issue here is that it takes eons for Microsoft to patch bugs in IE. It has always been this way and I don't see this changing. No amount of PR spin will alter the fact. Either improve the bug fixing process and provide real timelines for when and how bugs in IE will be fixed, or developers will continue trash talking IE and refusing to work with it.

• Anonymous
  December 13, 2012
  This is not an issue, even for people with virtual keyboards. For example, clicks are not registered. The evil ad-company will just have a large list of mouse-coordinates. Even if they could guess what window/item was beneath the cursor, it would require some really clever heuristic to detect whether the mouse stopped because of a click or otherwise. They would never be able to reliably guess passwords or anything valueable.

• Anonymous
  December 14, 2012
  @DavidH  "The real issue here is that it takes eons for Microsoft to patch bugs in IE" The bug was privately reported October 1 2012. Lets see if it takes an aeon (a long indefinite period, aka 1B years), of it it is fixed by the time IE10 is released for Windows 7.

• Anonymous
  December 14, 2012
  The comment has been removed

• Anonymous
  December 14, 2012
  when will IE 10 be finished for windows 7?

• Anonymous
  December 14, 2012
  The comment has been removed

• Anonymous
  December 14, 2012
  The comment has been removed

• Anonymous
  December 14, 2012
  Dean, Just fix it. You would have been better off not posting at all. All the comments above are right on the money. Its a security breech just because you can't think of a way to exploit doesn't mean it can't be done. People will find ways to use this to their advantage.

• Anonymous
  December 14, 2012
  To give you a better understanding of the issue, a few seconds of googling pulls up images like this: web.media.mit.edu/.../cheese-list.jpg I don't know if images are allowed on the blog here, but the image itself shows mouse movement super imposed on a website. I assure you that the information recorded is enough to probabilistic determine useful information of what sites you might be on. Especially if a little number crunching is provided by a bot net of some sort. Now just imagine this leaked information extends outside of IE and on your entire computer. It is breaking out of the sandbox that the frickin web browser is supposed to provide! If you take away one thing from my posts, it should be this: This is just ONE itty bitty vulnerability. While it doesn't give an attacker much, it gives away more than you realize and it is enough to be used IN CONJUNCTION with other vulnerabilities to really ruin your day/week/life.

• Anonymous
  December 14, 2012
  Steve and Peter are same person.

• Anonymous
  December 14, 2012
  @Security, what if someone installs an ad serving toolbar on IE and visits their bank site, which requires them to click in their PIN code? if the toolbar could track those statistics and send it back to the main server, couldn't you simply overlay the coords on top of a screenshot of the page and deduce their PIN that way? Still seems relatively unsafe. Also, this blog post is a joke. You guys can't even fix a simple problem like loading JS/CSS/HTML on demand outside of an iframe. Trident is a joke. IE is a joke. Sorry guys, try again. Maybe use WebKit this time? :)

• Anonymous
  December 14, 2012
  so the mouse position is being broadcast to all windows in the OS and it is up to the program's discretion to make use of the data?

• Anonymous
  December 14, 2012
  Guys Guys ! Just stop using IE and start using Chrome. Because IE will provide your mouse movement advertising agencies who cannot figure out what is on the screen just some numeric pixel values. With Chrome, they will NOT let anyone capture your mouse coordinates BUT send ALL activities to Google server which Google (with its habit of harvesting user info) will use to profile you and sell to highest bidder (agencies interested in profiling people). How else they make billions of dollars annual revenue if everything they are offering is free? By selling YOU out. Well I don't give a crrrap about either of them. Lee said, "Are you kidding me?" No sir, we are kidding ourselves. Welcome to the internet !! Anything running on BGP protocol is NOT SAFE!

• Anonymous
  December 14, 2012
  The comment has been removed

• Anonymous
  December 14, 2012
  The comment has been removed

• Anonymous
  December 14, 2012
  The comment has been removed

• Anonymous
  December 14, 2012
  i agree with these claims. i received email from oracle education on gmail. next hours i was watching videos on youtube and every ad was about oracle courses. youtube is google service which i witness. i don't know with how many other companies they shard that info? their terms says 'we share your information with our trusted parties'. what about user? how do they know if every user also trust their personal information with those parties which google trust in? this issue of internet explorer is nothing compared to what google does. this issue should be fixed. but just mouse movement information leak is a very minor vulnerability. there are big problems such as chrome.

• Anonymous
  December 14, 2012
  I do not work for Google. I admit, however, that I have a pro-Google bias because I like the products they make, but I am also pro-Apple because I like some of their products and yes, even pro-Microsoft products (I'm a .NET developer by trade and passion). That said, my character has nothing to do with this issue. This is about acknowledging there is a vulnerability and taking accountability in offering a solution. I am criticizing this post because it's a complete dismissal of the problem in the typical corporate save-face fashion and does not help us, the people who use the Internet.

• Anonymous
  December 14, 2012
  The comment has been removed

• Anonymous
  December 14, 2012
  The comment has been removed

• Anonymous
  December 14, 2012
  I am not talking about Chrome. We should stop talking about Chrome and Google. Chrome may have issues, but stop deflecting blame here... Like I just discussed, this is a Internet Explorer VULNERABILITY found ONLY IN INTERNET EXPLORER. The only thing that I want is for Microsoft to actually admit that.

• Anonymous
  December 14, 2012
  @mocax : The issue is caused because in Internet Explorer javascript handler for mouse movement is continuously executes even though the mouse has exceeded the bounds of the browser window. This leaks more information about the outside world (the os) from the browser, which is supposed to be a sandbox, isolated place. IT IS NOT SUPPOSED TO DO THIS AT ALL. From there, it is trivial to stream this back to malware servers to determine what you are looking at and what you are doing.

• Anonymous
  December 14, 2012
  Some points:

1. Each person has a unique mouse dexterity.
2. Moving mouse to position, then stopping is not the same a click.
3. Computers have different resolutions and window sizes - content is placed differently.
4. Applications that let Windows position themselves are placed on screen "almost at random".
5. Toolbars and ActiveX can already monitor everything on the computer, no need for JavaScript exploits.
6. Repeated letters cannot be captured. This is a bug, yes, but it is not a security bug. Finally, this bug is also CONSENSUAL. I am certain that Microsoft's terms state, that they are not resposible for any damage, bla bla bla. Lee, you must have accepted these terms when you installed Windows and IE. ;)

• Anonymous
  December 14, 2012
  That is not what I mean by consensual. Not at all. :) I don't mean consent as a waiver of liability. I mean consent as in giving this information away to 3rd parties is NOT BY DESIGN. In any case, let me counter with other points:

• The uniqueness can be tracked. Which actually makes this vulnerability worse.
• Don't downplay a vulnerability by saying there are many other vulnerabilities on the operating system. That doesn't inspire confidence in Microsoft. :)
• Windows cascade and display in known ways. If someone were monitoring the overall aggregate data acquired by mouse movements, one could determine the normal layout of your screen and the sizes of the windows that you interact with on a daily basis. Got ya.
• Any time information leaks, it is an issue. Splitting hairs by calling it not a 'security bug' is not important. IT CAN BE USED TO COMPROMISE SECURITY, period.

• Anonymous
  December 14, 2012
  I saw this on HackerNews. Apparently IE even leaks mouse position through events that are totally unrelated to the mouse. marquee onbounce (!!!) is the example given: news.ycombinator.com/item

• Anonymous
  December 14, 2012
  I'm disgusted Dean - you have a wide open security breach with example code publicly available and you are blaming advertisers. You should not have posted anything about a security breach until you have a patch available! As for this post now that you've made it you need to correct it ASAP. REMOVE the word ALLEGED immediately! You have clearly indicated as has anyone that has viewed the exploit code that this is NOT alleged, we've seen the exploit in action and all witnessed it first hand! Next add an addendum to this post indicating that it was extremely unprofessional to use this blog to point fingers at an ad network and That Dean & Microsoft should be solely focused on fixing the security breach ASAP and you expect to have a patch available as fast as possible. I'm switching from IIS to apache Monday morning this type of behavior from Microsoft on web security is absolutely disgusting. Alternatively if you are unfit your resignation Dean will also be accepted.

• Anonymous
  December 14, 2012
  Well that was easy. Open google.com and bing.com in two tabs. Type the same keyword in both and hit search button. Now, in both results pages hover with your mouse on different result links and observe the URL in status bar at the bottom of browser window. Bing will show you the direct URL to resource. With Google, you will get URL to Google server. When you click, they will take you to their server first, then redirect you to the original resource. Q: Why would they do that? A: They are collecting information. Q: Why would they do that? A: They want to make money. Q: How will they make money? A: (read the above comments again to find out)

• Anonymous
  December 14, 2012
  @Lee First of all, stop shouting and no one is "deflecting" the blame. Its because Google has the biggest stake in advertising world and no wonder if this so called "exploit" exhibition all over the Internet is funded by them. More people using Chrome means more money starting to flow in their pocket without user consent. Secondly, the mouse movement tracking is not a security bug. You cannot capture anything besides dummy coordinates with no underlying content and no real-time page-state to "guess" what was on the page. Even on virtual keyboard, the click on keyboard cannot be captured. You cannot tell remotely, which key was clicked on the keyboard. And by the way who use virtual keyboard with mouse when touch is there? And touch events are different than that of mouse. Finally, the "behavior bug" fix is coming so don't cry about it.

• Anonymous
  December 14, 2012
  The comment has been removed

• Anonymous
  December 14, 2012
  @Victor, don't be naive. Bing does it too. They do it through JavaScript though. @Lee, www.cs.wm.edu/.../ccs11.pdf. Point being, mouse movement is quite unique from person to person.

• Anonymous
  December 14, 2012
  @Security, NAIVE? I don't understand where are you getting those "hypertheticals"... be realistic willya? Bing does NOT collect click information via JavaScript. You can check using fiddler, network monitor or any network sniffer?  No XMLHTTPRequest packet will sent back to Bing when you click a result link on Bing result page.   With Bing its a straight deal. With Google its a betrayal.

• Anonymous
  December 14, 2012
  @Lee: the point you keep missing is that for the mouse data to be useful, you actually have to have at least some idea of what is on screen. And that simply isn't possible to determine using this alone. The images of mouse cursor activity overlaid on a webpage falls apart if you overlay the data over completely random webpages instead. The so-called demonstration of being able to read a Skype phone number could only work if Skype is open and located at a known position on screen, which again is impossible to determine. You could argue that heuristics could be used to determine certain application targets, but it's very much grasping at straws, the sheer number of combinations and behaviours leads to a signal to noise ratio that would be deeply unfavourable to malware attempting to use the data.

• Anonymous
  December 14, 2012
  @Victor Go to Bing, search. Open IE dev tools and turn on network inspection. Click on a search result without releasing the mouse (otherwise you will be taken to the page). Observe in dev tool that Bing downloads an image from this url: /fd/ls/GLinkPing.aspx?IG=ebed87486be644048edabb29866355cd&CID=2B01F2B8EB956AB207C6F68FEA926A1A&PM=Y&&ID=SERP,5097.1 What do you think this extremly detailed url is for? Or look at the name, LinkPing!

• Anonymous
  December 14, 2012
  As Microsoft said at the header, it is not a flaw, it is a behavior. That is, is a deliberate feature of invasion of privacy to analyze where the mouse pointer is on the screen, so that she (microsoft) is not even trying to "fix" this failure.

• Anonymous
  December 14, 2012
  The comment has been removed

• Anonymous
  December 14, 2012
  Does IE 10 use more watt than chrome?

• Anonymous
  December 15, 2012
  @Dead - the word "Alleged" is still in this post title even after its been proven (including by you and Eric Lawrence) to be a bug AND after many people have asked you to be professional and remove it. There's no excuse for ignoring these requests when you've clearly already updated the article once. Current respect for @Dean = zero Current credibility for @Dean = zero @Dean's representation for The Microsoft Internet Explorer Team? = 100%

• Anonymous
  December 15, 2012
  That was meant to be @Dean (there was no spite intended there... Just over zealous auto correct)

• Anonymous
  December 15, 2012
  @Mr. - Do you mean watt as in electric? In that case, no, IE10 use less energie. @Lee - You're seriously missing the point, like everybody here say. Pleas stop boycotting IE on it's own blog, and go back to Google, we want to follow the IE development without stupid reactions, thanks.

• Anonymous
  December 15, 2012
  For developers, how to test IE for Xbox? Is there an emulator?

• Anonymous
  December 15, 2012
  spider.io/.../responsible-disclosure

• Anonymous
  December 15, 2012
  The comment has been removed

• Anonymous
  December 15, 2012
  The comment has been removed

• Anonymous
  December 15, 2012
  The comment has been removed

• Anonymous
  December 16, 2012
  @Marshal @Dwayne What is alleged is that it's a security or information disclosure issue, not that the bug exists. So far there is very little actual evidence that it is exploitable in any way.

• Anonymous
  December 16, 2012
  The comment has been removed

• Anonymous
  December 16, 2012
  The comment has been removed

• Anonymous
  December 16, 2012
  The comment has been removed

• Anonymous
  December 16, 2012
  The comment has been removed

• Anonymous
  December 17, 2012
  The comment has been removed

• Anonymous
  December 17, 2012
  IE 10 is definetely better than IE9.

• Anonymous
  December 17, 2012
  Make IE10 program thing like google chrome frame is... but IE10 frame for windows xp and vista!!! Come on Microsoft don't you care for your customers?

• Anonymous
  December 17, 2012
  Official Confession: We are shameless because we are Google. In last few months, we have made decisions to take care of our annoying competition, Microsoft: ^ we have made IE9 and IE10 users to pay for it by not letting them download the attachments from Gmail (we don't care how well outlook, skydrive, office365 etc. work on our browser). ^ we have made decision to discontinue development for Windows 8 and Windows Phone apps, our excuse is pretty vague, that is; "we are careful about our investment" (although many freelance developers are able to manage their apps singlehandedly on three platforms Android, iOS and Windows Phone). ^  we have decided to discontinue Gmail service for windows phone, by pulling the plug on supporting ActiveSync (its there since the arrival of Windows Phone in Dec 2010). ^ now we are paying our advertising fellow agencies to conspire against Microsoft corporation by these bogus exploits (when Microsoft is shaking hands with us on forums like cppiso and w3c) Look, the idea "really" is to make users stop using Microsoft products and lure them to use our cool looking browser. This way we can collect user information, sell it and make profit. The more users join our "free" ecosystem with "all free" products, the more money we'll make and conspiracy / chaos will prevail with privacy ripping becoming a joke. ^ it has all been told in news in last 2 months. All you need is to "figure out" what's going on you stoopid!!

• Anonymous
  December 18, 2012
  Someone was posting as my name earlier. No registration required == random asshats. My issue was with Microsoft, not Google. Stop playing the blame game and just fix the issue.

• Anonymous
  December 18, 2012
  The comment has been removed

• Anonymous
  December 18, 2012
  The comment has been removed

• Anonymous
  December 18, 2012
  The comment has been removed

• Anonymous
  December 19, 2012
  @Dean we are still waiting for you to adjust your post wording about the confirmed bug in IE. The comments on CNet about this issue are painting you in a bad light not because IE has the bug but because of the lack of clear communication and a lack of estimated timeline. It's Wednesday already but yet we don't even have confirmation that Microsoft is planning to release an out of band patch or even an expected date for it to land so we can patch up our browsers.

• Anonymous
  December 19, 2012
  Did you actually say:"From our conversations with security researchers across the industry, we see very little risk to consumers at this time. "? Unbelievable! Let me just say that. I work in building Internet Banking sites. The virtual keyboard has been a de facto standard to avoid key logging. But since IE now allows tracking the mouse, now any attacker can get the position of the mouse, thus the codes! I'm guessing that you would suggest to scramble in a random way a Querty keyboard. Yeah, right! Great user experience that would result from that.

• Anonymous
  December 20, 2012
  Virtual keyboards are security theatre preying on the naive. Any PC vulnerable to a keylogger is just as vulnerable to a mouse-logger.

• Anonymous
  December 20, 2012
  So is there a fix yet? Seems a bit odd that Microsoft is just sitting on a security bug affecting all shipped versions of IE without an ETA for the fix. Seems even worse that instead of properly admitting to the bug and trying desperately to blame the bug reporter for ulterior motives. No wonder enterprises are moving to non-IE browsers faster than ever. Maybe if Microsoft committed to working with the community and having proper transparency this wouldn't be an issue?!

• Anonymous
  December 20, 2012
  ditto to all of the correspondence....