Aside from showing Chrome users a popup to switch to Microsoft Edge, it turns out that the company is also striving to fix known bugs and security flaws of the browser, and the system associated with it. The tech giant has just fixed a prior glitchy update to its Edge browser, which was causing numerous problems for users. However, it turns out that there’s more and this particular one could be severe.
A recently patched bug in Microsoft Edge allowed potential attackers to install extensions on the user’s system. And it could happen without any interaction from the user. Notably, it could be exploited for financial gain or other purposes.
Tracked as CVE-2024-21388, this vulnerability was at first revealed by Guardio Labs security researcher Oleg Zaytsev, who highlighted its potential for malicious exploitation.
Attackers could have used the Microsoft Edge bug to install an extension by exploiting a private API
Researchers addressed the security flaw in Microsoft Edge stable version 121.0.2277.83 released on January 25, 2024. Bad actors could have exploited the flaw to leverage a private API originally intended for marketing purposes. This API could enable attackers to install browser extensions with broad permissions, which could lead to a browser sandbox escape.
The vulnerability, if successfully exploited, could have allowed attackers to gain the privileges needed to install extensions on users’ systems without their consent. An attacker could make it happen by exploiting a private API in the Chromium-based Edge browser. It reportedly granted privileged access to a list of websites, including Bing and Microsoft.
By running JavaScript on these pages, attackers could install extensions from the Edge Add-ons store. It won’t require any interaction from the user. The bug in Microsoft Edge essentially stemmed from insufficient validation. It could allow attackers to provide any extension identifier from the storefront and stealthily install it.
The potential impact of this vulnerability is significant, as it could have facilitated the installation of additional malicious extensions. In a hypothetical attack scenario, threat actors could not only publish seemingly harmless extensions to the add-on store but also leverage them to inject malicious JavaScript code into legitimate sites. Subsequently, users visiting these sites would unknowingly have the targeted extensions installed on their browsers without their consent.
Thankfully, there’s no record of a successful exploitation
Thankfully, there’s no evidence of a successful exploitation of this security flaw. Browser customizations aim to uplift the user experience. However, they can inadvertently introduce new attack vectors and this recorded security flaw is a perfect example of that. As Guardio Labs’ Oleg Zaytsev emphasized, attackers can easily trick users into installing seemingly harmless extensions, which could serve as the initial step in a more complex attack.
