A newly announced exploit that abuses keyboard shortcuts provides yet another potential means for unwanted software to install itself onto your computer, using a method known as keyjacking. The good news? The vulnerability is highly specific to one browser and hard to use efficiently.
How might you persuade someone to type R? The obvious tactic is to produce a graphic with a fake CAPTCHA starting with the letter R, while keeping the focus on the window below.
While that sounds like a potentially clever approach, in practice it might not work so well. Sophos security guru Paul Ducklin tried it out and found that IE blocked the download automatically with a security bar, which meant all the careful concealment amounted to zero.
Keyboard shortcuts are becoming less of a focus in browser development — most of the attention in recent versions of IE has been on touch development — so these tricks are going to be increasingly difficult to pull off. Nonetheless, it’s a reminder that potential risks exist everywhere.