
Analysis: How Microsoft turned a mouse into a monster

By Simon Davies

The tech press has been buzzing over the past few days about a vulnerability in Internet Explorer that could allow attackers to abuse a mouse-tracking technique used by advertisers and analytics companies. This anti-fraud process assists advertisers by determining whether a banner click came from a human or a bot.

There may be genuine privacy and security concerns buried in this affair, but what interests me most is the crude way Microsoft handled the controversy – and the opportunities that it lost in the process.

First, some background. This issue first came to light on December 12th when a small UK based analytics company called Spider.io blogged about the vulnerability. The blog stated: “A security vulnerability in Internet Explorer, versions 6–10, allows your mouse cursor to be tracked anywhere on the screen, even if the Internet Explorer window is inactive, unfocused or minimised. The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads.”

The blog stated that Spider.io had contacted Microsoft in October and noted that whilst the Microsoft Security Research Center had acknowledged the vulnerability in Internet Explorer, it had also stated that there were no immediate plans to fix it. Spider.io concluded: “It is important for users of Internet Explorer to be made aware of this vulnerability and its implications.”

Spider.io continued: “The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.”

Before coming to Microsoft’s bizarre response to this claim, let’s be clear about the complainant. Spider.io is an analytics company. Its profits are derived from intrusion, not privacy. Neither is it a security specialist, so its claims tend to emerge from assertion rather than from structured security analysis. This doesn’t make the claim any less valid – it just increases the need to scrutinise it.

From what I can deduce by joining the dots, the company’s key motivation in causing this uproar was to damage competing analytics companies who were using the mouse-tracking technique in ways that Spider.io doesn’t or couldn’t. Of course they “may” have been genuinely concerned about the security of IE users, but the marketing spin in the company’s blogs doesn’t inspire confidence.

That aside, what the company engineered this week is strategic genius. Maybe Microsoft could do worse than consider buying it for that very reason.

Press reporting of the claim was generally sloppy, with few journalists prepared to ask tough questions about the true level of security threat from this vulnerability. Nonetheless, a blatant gauntlet was thrown down to Microsoft: why did IE not prioritise the problem and fix it?

Regardless of its technical validity – or the underlying motivation – this was a legitimate question. However, the next day Dean Hachamovitch, Corporate Vice President for Internet Explorer, published a blog post that not only avoided the question but also badly inflamed the controversy. It was a case study in negative messaging.

In summary, Hachamovitch made three points. First, this isn’t really an issue, so don’t worry about it. Second, other browsers exhibit similar behaviour, so we’re not solely at fault. Finally, this controversy is motivated by rivalry between analytics companies.

I’m tending to side with the security analysts who believe this issue is theoretical and largely overblown, but the Microsoft response was misjudged at multiple levels. While Hachamovitch did assert that Microsoft was looking into the issue in association with security partners, his post came across as defensive and dismissive, devaluing the concerns of users.

I can well understand if Microsoft was annoyed that a largely theoretical and possibly minor risk was blown way out of proportion, but to argue that a risk is low priority just because no-one’s yet been hurt is little better than a politician who dismisses privacy because he hasn’t yet received a letter from a constituent (yes, I know that’s the way busy security labs prioritise issues, but when a scare explodes publicly you don’t advertise that modus operandi – you take measurable action on the risk).

Importantly, the Microsoft blog contributed relatively little detail at a technical level – even though detail was expected in response to a technical concern. Hachamovitch was consequently ripped to pieces by commentators.

I come back to a point I made in a previous blog criticising another Microsoft action: the company cannot afford to compromise ten years of trust-building on Trustworthy Computing and privacy.

While this situation is a travesty, it is not irrecoverable. Mr Hachamovitch needs to square up substantively to the challenge. This is, after all, the same guy who enabled DNT by default on IE and stood up to the mighty ad industry. It’s the same guy who suffered multiple lacerations when the industry came after him.

While I’m yet to be convinced this is an earth-shattering privacy risk, it’s important to take engineering decisions as if it were an earth-shattering privacy risk. The price of winning the high ground is that you have to fight to maintain it. This isn’t just IE’s problem, so this is a perfect moment to put IE into the leadership role and resolve the issue.