Careful! This security flaw in Edge can steal your data

It all goes back to last week. On the 24th, Microsoft released a new update for its Edge browser that includes fixes for two security problems. One of them is a security bypass vulnerability that could be exploited to inject and execute arbitrary code on any website. The flaw is tracked as CVE-2021-34506 and amounts to a universal cross-site scripting (UXSS) problem. It is triggered when we use the Microsoft Translator feature from the browser.

New universal cross-site scripting (UXSS) bug found

Behind the discovery of this new vulnerability are researchers Ignacio Laurence, Vansh Devgan and Shivam Kumar Singh of CyberXplore Private Limited. The flaw is a Universal Cross-Site Scripting (UXSS) vulnerability. This means that attackers can access our private browser data from website “X” while we are browsing the malicious website “Y”. According to these researchers, unlike a common XSS attack, a UXSS attack exploits client-side vulnerabilities in browser extensions in order to execute malicious code. Once such a vulnerability is exploited, the browser is affected, which ends up disabling its security functions.

Specifically, the researchers discovered a vulnerable piece of code in the translation function of Microsoft Translator. It allowed any attacker or malicious user to insert malicious JavaScript code into a web page, so that the user would unknowingly execute it by clicking on the Microsoft Translator message in the address bar.

The researchers also demonstrated other ways the flaw could be triggered. For example, an attack could be carried out simply by adding a comment to a YouTube video or by sending a friend request from a Facebook profile. In both cases, content in a language other than English was included which, together with an XSS payload, caused the code to be executed immediately.

Update Edge to fix the problem

Fortunately, Microsoft has already fixed this problem in its latest available update, version 91.0.864.59. That is why, as we always say, it is highly recommended to keep our applications, and in this case the browser, updated to the latest version, since updates correct errors and vulnerabilities such as the one discussed here.

Update Microsoft Edge

To keep Microsoft Edge updated to the latest version, we open the browser and click on the three dots in the upper right. There we click on “Settings”. This opens a new window, where we click on “About Microsoft Edge” in the left column. On the right side we can see the version we have installed and, if an update is available, download it.
