Microsoft Edge Security Bypass Vulnerability Fixed
Microsoft released Edge browser upgrades last week that addressed two security flaws, one of which is a security bypass flaw that may be used to inject and execute arbitrary code in the context of any website. The flaw, dubbed CVE-2021-34506 (CVSS score: 5.4), is caused by a universal cross-site scripting (UXSS) bug that occurs while using Microsoft Translator to automatically translate web pages using the browser’s built-in feature.
On January 15, 2020, Microsoft announced the public release of the new Edge. Microsoft began rolling out the new version via Windows Update in June 2020 for Windows 7, 8.1, and Windows 10 versions released between 2003 and 2004. From March 9, 2021, Microsoft stopped issuing security fixes for Edge Legacy, and on April 13, 2021, Microsoft delivered a security upgrade that replaced Edge Legacy with Chromium-based Edge.
Ignacio Laurence, Vansh Devgan, and Shivam Kumar Singh of CyberXplore Private Limited are credited with finding and reporting CVE-2021-34506. “Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code,” CyberXplore researchers said. “When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled.”
In a similar vein, a Facebook friend request with other language content and the XSS payload was discovered to run the code as soon as the recipient checked out the user’s profile. Following a responsible disclosure on June 3, Microsoft corrected the problem on June 24 and gave the researchers $20,000 as part of its bug bounty programme.