Spider.io reported today that Microsoft has no "immediate plans" to fix the potential Internet Explorer vulnerability that allows any website operator (or advertiser, hacker, etc.) to track a visitor's mouse cursor movements. Microsoft's security team has acknowledged the issue, but it is unclear if it will ever be resolved.
It was a few months ago that Spider.io first uncovered the interesting Internet Explorer flaw (feature?). Most disturbingly though, the flaw isn't isolated to just the browser window: it extends beyond IE's viewport to anywhere on a user's screen -- it even continues to work while the browser window is minimized. This bug affects IE6, IE7, IE8, IE9 and yes -- you guessed it -- IE10.
Proponents of squashing this bug believe the flaw not only has obvious privacy implications but also presents a security risk, particularly for virtual keyboard and keypad users. Physically disabled and security-minded visitors who may use virtual keyboards as a way to preempt keyloggers should be the most concerned. For everyone else though, well... it's just creepy.
One thing that is not mentioned though -- and I'm very curious about this -- is whether or not the flaw extends to Windows touchscreen PCs and tablets. When a user touches an element within Internet Explorer on Windows 8 or RT, for example, can the location of those touches be recorded like the movements of a mouse? If so, this could be a huge security issue for Windows touchscreen users who rely upon an on-screen keyboard, potentially providing a way to expose their passwords and other sensitive information.
Here is Spider.io's demo, which demonstrates the potential vulnerability for IE users. Any Surface (or Windows touchscreen) users out there care to give it a shot? Let us know what you find.