Microsoft has confirmed to The Verge that the company is currently investigating a possible Internet Explorer "mouse tracking" flaw. Details of the alleged security vulnerability were originally exposed by Spider.io earlier this week after the web analytics firm disclosed the method to Microsoft on October 1st. Spider.io claims that Internet Explorer versions 6 through 10 can track mouse cursor movements even when a window is inactive, unfocused, or minimized. "The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads," says the firm.
Spider.io claims ad analytics companies are using the flaw to track mouse movements. A demonstration shows how it's possible, but it's not entirely clear what useful data third parties would be able to retrieve. The flaw works by recording mouse cursor movements, but it's unable to track clicks and cannot determine which applications are running on a PC. Microsoft acknowledged it's investigating the claims, but says "to date there are no reports of active exploits or customers that have been adversely affected."
Update: Microsoft has published a detailed blog post stating that the claims are "more to do with competition between analytics companies than consumer safety or privacy." Microsoft says it's "actively working to adjust this behavior in IE," but the company clearly doesn't consider this a major risk to consumers. "Getting all the pieces to line up in order to take advantage of this behavior...is hard to imagine," says Microsoft's Dean Hachamovitch.