Search This Blog

Showing posts with label Microsoft Edge. Show all posts

Microsoft Edge’s Security Bypass Vulnerability Fixed

 

Microsoft released Edge browser upgrades last week that addressed two security flaws, one of which is a security bypass flaw that may be used to inject and execute arbitrary code in the context of any website. The flaw, dubbed CVE-2021-34506 (CVSS score: 5.4), is caused by a universal cross-site scripting (UXSS) bug that occurs while using Microsoft Translator to automatically translate web pages using the browser's built-in feature.

Microsoft Edge is a cross-platform web browser that was created by the company. It was first released in 2015 for Windows 10 and Xbox One, followed by Android and iOS in 2017, macOS in 2019, and Linux in October 2020 as a preview. Edge was originally designed with Microsoft's proprietary EdgeHTML and Chakra JavaScript engines, resulting in a version known as Microsoft Edge Legacy. 

On January 15, 2020, Microsoft announced the public release of the new Edge. Microsoft began rolling out the new version via Windows Update in June 2020 for Windows 7, 8.1, and Windows 10 versions released between 2003 and 2004. From March 9, 2021, Microsoft stopped issuing security fixes for Edge Legacy, and on April 13, 2021, Microsoft delivered a security upgrade that replaced Edge Legacy with Chromium-based Edge. 

Ignacio Laurence, Vansh Devgan, and Shivam Kumar Singh of CyberXplore Private Limited are credited with finding and reporting CVE-2021-34506. "Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code," CyberXplore researchers said. "When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled."

The researchers discovered that the translation feature contained a flaw in the code that failed to sanitise input, allowing an attacker to potentially inject malicious JavaScript code anywhere on the webpage, which is then executed when the user clicks the prompt in the address bar to translate the page. The researchers demonstrated that adding a comment to a YouTube video written in a language other than English, together with an XSS payload, may activate the attack as a proof-of-concept (PoC) exploit. 

In a similar vein, a Facebook friend request with other language content and the XSS payload was discovered to run the code as soon as the recipient checked out the user's profile. Following a responsible disclosure on June 3, Microsoft corrected the problem on June 24 and gave the researchers $20,000 as part of its bug bounty programme.

Windows 10 New Feature Hunts and Thwarts PUAs/PUPs


Per reports, Microsoft has hinted that the next main version of Windows 10 will come stacked with a fresh security feature that would allow the users to facilitate the Windows Defender’s secret feature that helps hunt and bar the installation of known PUAs (Potentially Unwanted Applications).

PUA’s are also widely known as PUPs that stands for Potentially Unwanted Programs. These aren’t as well known by the users in the cyber-crime world as all the other major threats but are a valid threat nevertheless.

Per sources, these are software that is installed on devices via fooling the targets. The term for which the PUP/PUA stands is self-explanatory with regards to applications or programs that your device may not really need.

PUPs/PUAs go around with tactics like either by employing “silent installs” to dodge user permissions or by “bundling” an unrequired application with the installer of an authentic program.

Sources mention that PUAs most commonly contain applications that alter browser history, hinder security controls, install root certificates, track users and sell their data, and display invasive ads.

As per reports, the May 2020 update is to be rolled out to the users in the last week of this month. Microsoft mentioned that it has added a fresh new feature in its setting panel that would allow users to bar the installation of any unwanted applications or programs in the form of known PUAs/PUPs.

As it turns out, researchers mention that the feature has been available in the Windows Defender for quite a lot of time, but for it to kick start it would need group policies and not the usual Windows user interface.

As per sources, to enable the feature a user must go to ‘Start’, ‘Settings’, ‘Update & Security’, ‘Windows Security’, ‘App & Browser Control’, and finally 'Reputation-based Protection Settings’. Once updated, the feature would show two settings, the above-mentioned feature is disabled by default and would need to be enabled manually. However, Microsoft suggests, enabling both the settings.

Reports mention, that the “Block Apps” feature will scan for PUAs that have already been downloaded or installed, so if the user’s using a different browser Windows Security would intercept it after it’s downloaded. However, the “Block Downloads” feature hunts the PUAs while they are being downloaded.