One of the most useful Microsoft Edge features left users open to attack

The Edge bug has now been patched


Microsoft has acted to fix a vulnerability in the translation feature for web browser Edge that left users vulnerable to attack.

According to security researchers, the bug could have allowed attackers to pull off remote code execution attacks whenever the translator was called, either automatically or on demand.

Since the bug existed in the web browser, in essence, attackers could exploit it to remotely inject and execute arbitrary code on virtually any website, including the likes of Facebook, YouTube and Instagram.


Although Microsoft admits that exploiting the bug isn’t too complex, and that attacks could be conducted without the need of any privileges, the bug was given a rather low severity rating of 5.4/10.

Easy to exploit

In a blog post, the security researchers who discovered the bug describe it as a universal cross-site scripting (uXSS) vulnerability.

Unlike common XSS attacks, uXSS is a type of attack that exploits client-side vulnerabilities in the browser (or, more usually, in browser extensions) with the intention of generating the conditions to pull off an XSS attack.

In this case, the researchers discovered that the translation feature in Edge could be used to bypass most of the browser’s security features, and call any malicious function.


To demonstrate the bug, the researchers ran the exploit on several popular websites. In one of the proof-of-concept videos, they get their malicious script to run simply by adding a comment to a Facebook video written in a language other than English.

The researchers were awarded a $20,000 bounty by Microsoft, which has already patched the vulnerability.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
