A now-patched vulnerability in Microsoft Edge posed a significant risk to users before it was fixed. The flaw could have let attackers covertly install unauthorized browser extensions on users' systems, enabling a range of malicious activity without the user's consent.

Oleg Zaytsev, a security researcher at Guardio Labs, disclosed that the vulnerability exploited a private API originally designed for marketing. This API could be manipulated by a malicious entity to install extensions with extensive permissions, circumventing user awareness and approval. Zaytsev emphasized the severity of this issue in a report provided to The Hacker News, outlining its implications for user security.

The vulnerability, identified as CVE-2024-21388 and assigned a CVSS score of 6.5, was promptly addressed by Microsoft in Edge’s stable version 121.0.2277.83, released on January 25, 2024. This action followed responsible disclosure of the flaw in November 2023. Microsoft acknowledged Zaytsev and Jun Kokatsu for their role in highlighting the risk.

According to Microsoft, successful exploitation of this vulnerability could grant an attacker the necessary privileges to install extensions, raising concerns regarding potential browser sandbox escapes. Zaytsev elaborated on how the exploit works, noting that an attacker could leverage the ability to execute JavaScript on specific Microsoft webpages to install any desired extension from the Edge Add-ons store without requiring user interaction.

The vulnerability stems from Edge’s access to certain private APIs that handle add-on installation, provided the add-ons come from Microsoft’s own marketplace. The edgeMarketingPagePrivate API is one such API, exposed only to a set of allowlisted sites, including bing.com and microsoft.com. It includes methods like installTheme(), which could be abused to install add-ons without proper validation or user consent.

Zaytsev stressed that this vulnerability represents a significant case of insufficient validation, allowing attackers to manipulate extension identifiers and install them seamlessly. Intriguingly, the nature of this installation process negated the need for user involvement or consent altogether.

In a theoretical scenario, an attacker could distribute a seemingly innocuous extension through the Edge Add-ons store. That extension could then inject malicious JavaScript into pages the user visits and call the private API to install any arbitrary extension. Thus, users could unwittingly install harmful software simply by visiting a compromised site.

Guardio Labs noted that, as of now, there is no evidence indicating that this vulnerability has been exploited in real-world scenarios. However, it underscores the vital balance between user convenience and security. Zaytsev highlighted the ease with which attackers could deceive users into installing extensions that may seem benign but play a role in more complex attack strategies. The potential for exploiting this vulnerability for financial gain through the installation of unapproved extensions remains a pressing concern for business owners.

This incident serves as a reminder for organizations to prioritize security measures related to browser extensions and stay informed of vulnerabilities impacting their technologies. Leveraging the MITRE ATT&CK Matrix can enhance understanding of the tactics involved, particularly regarding privilege escalation and initial access techniques that could be employed by adversaries. As cybersecurity threats continue to evolve, vigilance remains paramount for safeguarding sensitive information and maintaining organizational integrity.
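The two checks an administrator would want after reading this are whether installed Edge builds are at or above the fixed version and which extensions in a profile hold broad permissions. The script below is an added example written for this article; it is not Guardio's or Microsoft's code. It takes the fixed version 121.0.2277.83 from the advisory; the Windows profile path, the set of permissions treated as "broad", and the sample manifest are assumptions made for the example.

```python
"""Defender-side checks related to CVE-2024-21388 (added example, not vendor code).

1. Compare an Edge version string against the stable build that fixed the flaw.
2. Audit extension manifests in an Edge profile for broad permissions, since the
   described attack chain relies on a quietly installed, highly privileged extension.
"""
import json
import os
import re
import sys
from pathlib import Path

PATCHED_EDGE_VERSION = "121.0.2277.83"  # fixed stable build named in the advisory

# Permissions worth a second look. This list is an assumption for the example,
# not something from the advisory; the strings are real Chromium permission names.
BROAD_PERMISSIONS = {
    "tabs", "webRequest", "webRequestBlocking", "cookies", "history",
    "management", "nativeMessaging", "debugger", "scripting",
    "declarativeNetRequest", "<all_urls>",
}

# Constructed sample manifest so the audit logic can be exercised offline.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Helper",
    "version": "1.0",
    "permissions": ["storage", "tabs", "scripting"],
    "host_permissions": ["<all_urls>"],
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '121.0.2277.83' into (121, 0, 2277, 83); reject non-numeric parts."""
    parts = v.strip().split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = PATCHED_EDGE_VERSION) -> bool:
    """True when the installed build is at or above the fixed build (tuple compare)."""
    return parse_version(installed) >= parse_version(fixed)


def risky_permissions(manifest: dict) -> set[str]:
    """Return the broad permissions an extension manifest requests.

    Looks at 'permissions' (MV2 and MV3) and 'host_permissions' (MV3). Any host
    pattern covering every host on a scheme ('<all_urls>', '*://*/...') is flagged.
    """
    perms = list(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", [])) + [p for p in perms if "://" in p]
    found = {p for p in perms if p in BROAD_PERMISSIONS}
    for host in hosts:
        if host == "<all_urls>" or re.fullmatch(r"\*://\*/.*", host):
            found.add(host)
    return found


def audit_profile(profile_dir: Path) -> list[dict]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report findings."""
    findings = []
    ext_root = profile_dir / "Extensions"
    if not ext_root.is_dir():
        return findings
    for manifest_path in ext_root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or partial install; skip rather than abort the audit
        findings.append({
            "id": manifest_path.parents[1].name,   # the directory name is the extension id
            "name": manifest.get("name", "?"),     # may be a localized __MSG_...__ key
            "version": manifest.get("version", "?"),
            "risky_permissions": sorted(risky_permissions(manifest)),
        })
    return findings


if __name__ == "__main__":
    # Version to check: first CLI argument, else a constructed pre-fix sample value.
    ver = sys.argv[1] if len(sys.argv) > 1 else "120.0.2000.0"
    state = "patched" if is_patched(ver) else f"VULNERABLE (below {PATCHED_EDGE_VERSION})"
    print(f"Edge {ver}: {state}")

    # Assumed default Edge profile location on Windows; adjust for other profiles/OSes.
    default_profile = Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft" / "Edge" / "User Data" / "Default"
    for f in audit_profile(default_profile):
        flag = "!!" if f["risky_permissions"] else "  "
        print(f"{flag} {f['id']} {f['name']} {f['version']} {f['risky_permissions']}")
    print("sample manifest risky permissions:", sorted(risky_permissions(SAMPLE_MANIFEST)))
```

Run it as `python edge_check.py 121.0.2277.83` on a workstation to combine the version comparison with a listing of profile extensions; a `!!` row is not proof of compromise, only a prompt to confirm that the extension was installed deliberately.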
