In addition to showing pop-ups telling Chrome users to switch to Microsoft Edge, the company appears to be working to fix known bugs and security flaws in the browser and its associated systems. The tech giant has just fixed an earlier flawed update to its Edge browser that was causing numerous issues for users. But that is not the whole story, and this particular flaw can be serious.
A recently patched bug in Microsoft Edge could have allowed potential attackers to install extensions on users’ systems without any user interaction. It could be exploited for financial gain or other purposes.
The vulnerability, tracked as CVE-2024-21388, was first disclosed by Guardio Labs security researcher Oleg Zaytsev, who highlighted its potential for malicious exploitation.
A bug in Microsoft Edge allowed attackers to install extensions by exploiting private APIs.
The security flaw was addressed in Microsoft Edge stable version 121.0.2277.83, released on January 25, 2024. Malicious actors could have exploited the flaw to leverage a private API originally intended for marketing purposes. This API could allow attackers to install browser extensions with extensive permissions, which could result in a browser sandbox escape.
If this vulnerability is successfully exploited, an attacker could gain the privileges needed to install extensions on the user’s system without the user’s consent. An attacker can achieve this by exploiting private APIs in the Chromium-based Edge browser. These APIs reportedly granted privileged access to a list of websites, including Bing and Microsoft.
By executing JavaScript on one of these pages, an attacker could install extensions from the Edge Add-ons Store. No user interaction is required. The bug in Microsoft Edge essentially stems from insufficient verification, which allows an attacker to provide an extension identifier from the store and install it covertly.
The potential impact of this vulnerability is significant, as it could facilitate the installation of additional malicious extensions. In a hypothetical attack scenario, a threat actor could not only publish seemingly harmless extensions to the add-on store, but could also leverage them to inject malicious JavaScript code into legitimate sites. As a result, users who visit these sites would unknowingly have targeted extensions installed in their browsers without their consent.
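Because the flaw let extensions with extensive permissions be installed silently, a practical check is to audit what a profile actually has installed against an approved list. The following is an added example, not from the original article, Guardio Labs or Microsoft; it assumes the Chromium profile layout in which the Preferences / Secure Preferences JSON file stores each extension under extensions.settings.<id>, and the "broad" permission sets, extension IDs and names are constructed for illustration.

```python
import json

# Permissions treated as "extensive" for this audit (an assumed policy, tune as needed).
BROAD_APIS = {"debugger", "nativeMessaging", "webRequest", "proxy",
              "cookies", "management", "scripting"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extensions(prefs_text, approved_ids):
    """Return installed extensions that are not approved and hold broad permissions.

    prefs_text is the content of a profile's Preferences / Secure Preferences
    file (assumed layout: extensions.settings.<id>.{manifest,active_permissions}).
    """
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in sorted(settings.items()):
        if ext_id in approved_ids:
            continue  # explicitly allowed by the administrator
        perms = entry.get("active_permissions") or {}
        apis = set(perms.get("api", []))
        hosts = set(perms.get("explicit_host", [])) | set(perms.get("scriptable_host", []))
        risky = sorted((apis & BROAD_APIS) | (hosts & BROAD_HOSTS))
        if risky:
            name = entry.get("manifest", {}).get("name", "<unknown>")
            findings.append({"id": ext_id, "name": name, "risky": risky})
    return findings


# Constructed sample profile data; IDs and names are made up for the example.
APPROVED = {"a" * 32}
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "a" * 32: {"manifest": {"name": "Approved Blocker"},
               "active_permissions": {"api": ["storage"], "explicit_host": ["<all_urls>"]}},
    "b" * 32: {"manifest": {"name": "Harmless Looking Tool"},
               "active_permissions": {"api": ["storage", "webRequest"],
                                      "explicit_host": ["<all_urls>"]}},
    "c" * 32: {"manifest": {"name": "Single Site Helper"},
               "active_permissions": {"api": ["storage"],
                                      "explicit_host": ["https://example.com/*"]}},
}}})

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFS, APPROVED):
        print(finding["id"], finding["name"], ", ".join(finding["risky"]))
```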
Fortunately, there are no records of successful exploitation.
Fortunately, there is no evidence that this security flaw has been successfully exploited. Browser customization aims to improve user experience. However, it can inadvertently introduce new attack vectors, and this documented security flaw is a perfect example. As Guardio Labs’ Oleg Zaytsev highlights, attackers can easily trick users into installing seemingly innocuous extensions, which can serve as an initial step in more complex attacks.