Microsoft Translation Bugs Open Edge Browser to Trivial UXSS Attacks
#1
Information 
Quote:Microsoft patched two bugs in its Chromium-based Edge browser last week, one of which could be used by an attacker to bypass security and to remotely inject and execute arbitrary code on any website just by sending a message.
 
That security-bypassing bug, CVE-2021-34506, is rated CVSS 5.4, or important. Its complexity is low, and an attacker could pull it off without needing any privileges, Microsoft said when it released the fixes on Thursday. An exploit would require user interaction, though.
 
Microsoft said there are no known exploits, however researchers have published a working proof-of-concept attack.
 
The flaw stems from a universal cross-site scripting (UXSS) issue that’s triggered when automatically translating web pages using the Edge browser’s built-in Microsoft Translator feature: a feature through which the browser automatically prompts users to translate a webpage when the page is in a language other than those listed under the user’s preferred languages in settings.
 
As explained by the analysts who found and reported the bug, an UXSS is unlike your more run-of-the-mill XSS attacks in that it “exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition” and to execute malicious code. “When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled,” they said in a posting earlier this month.
 
Researchers credited for the bug’s discovery are Ignacio Laurence, Vansh Devgan and Shivam Kumar Singh, with CyberXplore Private Limited.

Read more: Microsoft Translation Bugs Open Edge Browser to Trivial UXSS Attacks | Threatpost
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
uBOLite_2024.12.23.23
uBOLite_2024.12.23...harlan4096 — 10:29
You found a seed phrase from someone els...
Scammers have inve...harlan4096 — 09:58
Google files remedies proposal in DOJ's ...
The U.S. Departmen...harlan4096 — 09:48
PowerToys 0.87.1
PowerToys 0.87.1 ...harlan4096 — 09:46
GFYI [Official] EaseUS Christmas 2024 B...
Merry Christmas and ...zevish — 08:07

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
harlan4096's profile harlan4096
Administrator

>