Microsoft mulls Internet Explorer information disclosure leak

Microsoft says the impact of the issue has been exaggerated by a company seeking to portray its competitors in a bad light

Microsoft refuted claims on Thursday that an information disclosure leak in its Internet Explorer browser poses a privacy risk, arguing that the company publicizing the issue is seeking to put its competitors in an unfavorable light.

Spider.io, a U.K. based company in the advertising analytics field, alleged that two unnamed companies are improperly using a flaw that allows them to track whether display advertisements, sometimes buried far down in web pages, are actually viewed by users.

The information disclosure leak in IE versions 6 through 10 is said to allow a display advertisement rigged with JavaScript to find out the position of a mouse cursor, which combined with other data can reveal whether a display advertisement is within the "viewport," or the window of the browser in which a person sees content.

Spider.io charged in a video that using such a flaw is improper, and that it uses a different method to collect the same data on display ad visibility.

Microsoft disagrees with Spider.io. "The underlying issue has more to do with competition between analytics companies than consumer safety or privacy," wrote Dean Hachamovitch, corporate vice president for Internet Explorer.

Spider.io's CEO, Douglas de Jager, said via email that it is a notable data leak and that Microsoft's accusation is an attack on his company. He said in an interview that at least one other ad analytics company was aware of the flaw but deliberately decided not to use it to gather display ad statistics.

Spider.io also alleged the issue could be used by an attacker to figure out what keys a person is clicking on a virtual keyboard, which are sometimes displayed in software products to avoid using the physical keyboard, which could be monitored with malicious software. Microsoft rejected the allegation, saying there's no way for an attacker to know what kind of content is below a cursor.

It's not uncommon for the security community to be somewhat in flux about whether to call a problematic issue in software a security vulnerability or not, and debate often ensues on how to classify an issue.

Still, Microsoft said it is contacting companies that are using the information leak as part of their ad-tracking metrics. It appears Microsoft does regard it as a minor issue that could be remedied in some way.

"We are actively working to adjust this behavior in IE and will provide more information when it is available," Hachamovitch said in an email.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftbrowserssoftwareapplications

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?