Security News > 2021 > June > Microsoft Translation Bugs Open Edge Browser to Trivial UXSS Attacks

Microsoft patched two bugs in its Chromium-based Edge browser last week, one of which could be used by an attacker to bypass security and to remotely inject and execute arbitrary code on any website just by sending a message.
The flaw stems from a universal cross-site scripting (UXSS) issue that's triggered when web pages are automatically translated by the Edge browser's built-in Microsoft Translator feature, which prompts users to translate a webpage when the page is in a language other than those listed under the user's preferred languages in settings.
As explained by the analysts who found and reported the bug, a UXSS attack is unlike more run-of-the-mill XSS attacks in that it "exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition" and to execute malicious code.
Ru website in Microsoft Edge and to test it one last time, given that Edge had a newly updated Translator By Microsoft feature.
"We found out that as soon as we translated [the] page we got so many popups on Microsoft Edge it looked strange," they explained, so they flipped back over to Google's Chrome browser.
PoC: Just a Facebook Comment & a Dab of XSS Payload
In the proof-of-concept on Facebook, the researchers demonstrated how to trigger the attack simply by adding a comment to a Facebook video that's written in a language other than English, along with an XSS payload. Windows Store applications, such as Instagram, are also vulnerable to the attack, they added, given that the Windows Store uses the same Microsoft Edge Translator that can trigger this UXSS attack.
News URL
https://threatpost.com/microsoft-edge-browser-uxss-attacks/167389/