We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,721 News Articles

Microsoft mulls Internet Explorer information disclosure leak

Microsoft says the impact of the issue has been exaggerated by a company seeking to portray its competitors in a bad light

Microsoft refuted claims on Thursday that an information disclosure leak in its Internet Explorer browser poses a privacy risk, arguing that the company publicizing the issue is seeking to put its competitors in an unfavorable light.

Spider.io, a U.K. based company in the advertising analytics field, alleged that two unnamed companies are improperly using a flaw that allows them to track whether display advertisements, sometimes buried far down in web pages, are actually viewed by users.

The information disclosure leak in IE versions 6 through 10 is said to allow a display advertisement rigged with JavaScript to find out the position of a mouse cursor, which combined with other data can reveal whether a display advertisement is within the "viewport," or the window of the browser in which a person sees content.

Spider.io charged in a video that using such a flaw is improper, and that it uses a different method to collect the same data on display ad visibility.

Microsoft disagrees with Spider.io. "The underlying issue has more to do with competition between analytics companies than consumer safety or privacy," wrote Dean Hachamovitch, corporate vice president for Internet Explorer.

Spider.io's CEO, Douglas de Jager, said via email that it is a notable data leak and that Microsoft's accusation is an attack on his company. He said in an interview that at least one other ad analytics company was aware of the flaw but deliberately decided not to use it to gather display ad statistics.

Spider.io also alleged the issue could be used by an attacker to figure out what keys a person is clicking on a virtual keyboard, which are sometimes displayed in software products to avoid using the physical keyboard, which could be monitored with malicious software. Microsoft rejected the allegation, saying there's no way for an attacker to know what kind of content is below a cursor.

It's not uncommon for the security community to be somewhat in flux about whether to call a problematic issue in software a security vulnerability or not, and debate often ensues on how to classify an issue.

Still, Microsoft said it is contacting companies that are using the information leak as part of their ad-tracking metrics. It appears Microsoft does regard it as a minor issue that could be remedied in some way.

"We are actively working to adjust this behavior in IE and will provide more information when it is available," Hachamovitch said in an email.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


IDG UK Sites

Motorola Moto G2 release date, price and specs: Best budget smartphone gets upgrades

IDG UK Sites

How to join Apple's OS X Beta Seed Program: Get OS X Yosemite on your Mac before public release

IDG UK Sites

Why the BBC iPlayer outage was caused by a DDoS attack: Topsy and Tim isn't *that* popular

IDG UK Sites

How to make an 'Apple iWatch' using an iPod nano and a 3D printer