Microsoft is investigating reports of a "mouse-tracking" flaw that puts virtual keyboards and keypads at risk to remote monitoring.
Spider.io, the Web traffic monitoring company that discovered the flaw, said the bug affects Internet Explorer versions 6 through 10 and cautioned that mouse movements could still be tracked even when the browser window is minimized or inactive.
"An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit," Spider.io wrote on its company blog, "This is not restricted to lowbrow porn and file-sharing sites ... Any site from YouTube to the New York Times is a possible attack vector."
Spider.io said malicious ads are popping up "across billions of webpage impressions each month" and made clear that the bug works even when on not on the infectious tab.
Although the flaw is a security risk for some virtual devices, the bug is unable to log anything but mouse movement — it cannot log clicks or any system or software information. However, other bugs deployed in the same manner may have the potential to collect much more sensitive information, such as passwords and credit card information by logging keystrokes.
"The Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer," Spider.io wrote. "They have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser."
Microsoft also confirmed their investigation into the issue to the Verge.
Follow Ben on Twitter.