Posted on June 30, 2021 at 4:24 PM
Last week, Microsoft released updates for the Edge browser that fix two vulnerabilities. One of the bugs is a security bypass that threat actors could exploit to inject and execute arbitrary code in the context of any website.
According to reports, the vulnerability is tracked as CVE-2021-34506, with a score of 5.4. It is a universal cross-site scripting (UXSS) weakness that is triggered when web pages are automatically translated by the browser's built-in Microsoft Translator feature.
Shivam Kumar Singh and Vansh Devgan of the cybersecurity firm CyberXplore Private Limited are credited with discovering and reporting the vulnerability.
UXSS attack exploits a client-side vulnerability
The researchers noted that a UXSS attack does not work like an ordinary XSS attack: it exploits a client-side vulnerability in the browser itself or in a browser extension to create an XSS condition.
When such a vulnerability is discovered and exploited, the browser behaves differently and the threat actors may disable or bypass its security infrastructure.
According to the researchers, their proof-of-concept (PoC) exploit shows that threat actors can start the attack simply by placing a comment on a YouTube video.
Similarly, the researchers noticed that a Facebook profile that sent a friend request containing other-language content and the XSS payload had its code executed as soon as the recipient of the request looked at the user's profile.
Microsoft has fixed the vulnerability
Microsoft was notified of the bug on June 3, fixed the issue three weeks later, and awarded the researchers $20,000 as part of its bug bounty program.
According to Singh, several vulnerabilities were discovered in Microsoft's products. His colleague, Devgan, noted that they reported the problem to the tech giant, which confirmed the bug and fixed it.
He added that they both began their analysis of the vulnerability on June 3, when the issue was reported. They made use of the Microsoft Edge browser and discovered that it has XSS payloads.
“We got so many pop-ups on Microsoft Edge,” Devgan said, adding that it felt bizarre. They checked the issue on Chrome and followed the same analysis but did not find any pop-up, the researcher noted.
After this discovery, Devgan said, they both began to dig into the platform and saw that the pre-installed Microsoft Edge has been vulnerable for some time. While translating, it takes HTML tags without converting the payload or sanitizing the input.
Devgan also noted that three more researchers tried to exploit the vulnerability in YouTube and Google, and both attempts via the platforms were successful.
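The root cause described above, translated text written back into the page without encoding, can be modelled outside the browser. The following is an added example, not code from Microsoft Edge or from the researchers; the function names, the stand-in translator and the inert `<u>canary</u>` input are assumptions constructed for illustration.

```javascript
// Models a translate-and-write-back step without a real DOM (hypothetical names).
const ENTITIES = { '&lt;': '<', '&gt;': '>', '&amp;': '&', '&quot;': '"', '&#39;': "'" };
const ESCAPES = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' };

// What the HTML parser does to a text node: entity references become characters.
function parseTextNode(escapedHtml) {
  return escapedHtml.replace(/&(lt|gt|amp|quot|#39);/g, (m) => ENTITIES[m]);
}

// Encode text for insertion into an HTML context.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Stand-in for the translation service: rewrites known words, passes the rest through.
const DICTIONARY = new Map([['hola', 'hello'], ['mundo', 'world']]);
function translate(text) {
  return text.replace(/[a-zñ]+/gi, (w) => DICTIONARY.get(w.toLowerCase()) ?? w);
}

// Unsafe write-back: the translated string reaches an HTML sink as-is, so
// characters that were plain text on the original page are parsed as markup.
function writeBackUnsafe(translated) {
  return `<span class="translated">${translated}</span>`;
}

// Safe write-back: re-encode first (the DOM equivalent is assigning to
// textContent instead of innerHTML).
function writeBackSafe(translated) {
  return `<span class="translated">${escapeHtml(translated)}</span>`;
}

// Count element start tags the browser would create inside the wrapper span.
function injectedElements(markup) {
  const inner = markup.replace(/^<span class="translated">|<\/span>$/g, '');
  return (inner.match(/<[a-z][^>]*>/gi) || []).length;
}

// Constructed input: a comment the site escaped correctly before serving it.
const served = 'hola mundo &lt;u&gt;canary&lt;/u&gt;';
const translated = translate(parseTextNode(served));

function demo() {
  return {
    unsafe: injectedElements(writeBackUnsafe(translated)),
    safe: injectedElements(writeBackSafe(translated)),
  };
}
console.log(demo());
```

The site's own output encoding is correct in this model; the element appears only because the client-side write-back re-parses text as markup, which is why the result differs from ordinary XSS and why the same page showed nothing in a browser without the flawed feature.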
Security issues lately with Microsoft
The researchers have become the latest beneficiaries of Microsoft's bug bounty program, which rewards security researchers for their efforts to discover vulnerabilities before threat actors do. Other companies also run their own bug bounty programs as a way of making sure their systems and networks are free from any bug that could be exploited by ransomware gangs and hackers.
Microsoft has been in the news lately for the wrong reasons. Earlier this week, the tech giant revealed that it uncovered another breach from the SolarWinds hack.
The threat actors also infiltrated three entities with brute-force and password-spraying techniques to gain unauthorized access to accounts. The company's security has been questioned recently, even though its network has been known to be solid over the years.