Microsoft responds to IE mouse tracking vulnerability

32 points by alt_, more than 12 years ago

10 comments

chris_wot, more than 12 years ago
_Getting all the pieces to line up in order to take advantage of this behavior – serving an ad to a site that asks for a logon, the user using an on screen (or virtual) keyboard, knowing how that onscreen keyboard works – is hard to imagine._

ORLY? The imagination of a Microsoft engineer quite clearly is no equal to the imagination of a creative exploiter. After all, nobody could imagine the Morris Worm, or Word Macro viruses, or even SQL Slammer.

Attacks come through exploitable vectors. Lining up those exploitable vectors may _seem_ tricky, but that hasn't stopped this from happening. And frankly, this particular attack vector seems to be one of the more exploitable ones.
crististm, more than 12 years ago
Nothing to see here; move along...

Interesting wording of the message. Microsoft tries to lead the attention from the real problem to an analytics company that can't stand the heat of competition.

We learn something new every day.
frontsideair, more than 12 years ago
Those pesky spokespeople. Microsoft should fire them all, they're damaging the already damaged Microsoft image. Just take a look at this statement:

"There are similar capabilities available in other browsers. Analytics firms can expect to do viewpoint detection in IE similarly to how they do this in other browsers."

Aren't they just throwing their hands up in defense and telling us "We're not the only ones! Everyone else is doing it too!" That's slimy.
blahpro, more than 12 years ago
To highlight the ridiculousness of this vulnerability: you don't even need to use `fireEvent("onmousemove")` to gain access to this information. You can use events that have _absolutely nothing to do with the mouse_, such as onbounce* on a hidden <marquee> element (seriously).

* "Fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window." -- http://msdn.microsoft.com/en-us/library/ie/ms536910(v=vs.85).aspx
culshaw, more than 12 years ago
Whoever Gillian is, she just rocked my world with that comment.
dchest, more than 12 years ago
Why the hell do they issue statements instead of patches? Is it hard to fix? If yes, let us know. If no, just fix it.
magnetikonline, more than 12 years ago
Heh, happy to note that "There are similar capabilities available in other browsers" - but then nicely ignores the fact that the crux of this issue is mouse position can be read even when mouse is out of browser window focus.
kevingadd, more than 12 years ago
I find Microsoft's explanation of the facts to be quite logical. How many users are actually going to interact with an onscreen keyboard using the mouse cursor? It's already been stated that the supposed exploit doesn't affect the touch keyboard on Win8.
mtgx, more than 12 years ago
I have the feeling Windows 8 will become a better attack target than Windows 7 was, because of all the new (and exploitable) stuff Microsoft introduced through the Metro stuff and through the Windows store, that are still very much untested.
RoryH, more than 12 years ago
'Redmond is (still) evil' it seems :-)