30 June 21, 11:04
Quote:Microsoft patched two bugs in its Chromium-based Edge browser last week, one of which could be used by an attacker to bypass security and to remotely inject and execute arbitrary code on any website just by sending a message.
That security-bypassing bug, CVE-2021-34506, is rated CVSS 5.4, or important. Its complexity is low, and an attacker could pull it off without needing any privileges, Microsoft said when it released the fixes on Thursday. An exploit would require user interaction, though.
Microsoft said there are no known exploits, however researchers have published a working proof-of-concept attack.
The flaw stems from a universal cross-site scripting (UXSS) issue that’s triggered when automatically translating web pages using the Edge browser’s built-in Microsoft Translator feature: a feature through which the browser automatically prompts users to translate a webpage when the page is in a language other than those listed under the user’s preferred languages in settings.
As explained by the analysts who found and reported the bug, an UXSS is unlike your more run-of-the-mill XSS attacks in that it “exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition” and to execute malicious code. “When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled,” they said in a posting earlier this month.
Researchers credited for the bug’s discovery are Ignacio Laurence, Vansh Devgan and Shivam Kumar Singh, with CyberXplore Private Limited.
Read more: Microsoft Translation Bugs Open Edge Browser to Trivial UXSS Attacks | Threatpost