A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions.
"This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user's knowledge," Guardio Labs security researcher Oleg Zaytsev said in a new report shared with The Hacker News.
Tracked as CVE-2024-21388 (CVSS score: 6.5), it was addressed by Microsoft in Edge stable version 121.0.2277.83, released on January 25, 2024, following responsible disclosure in November 2023. The Windows maker credited both Zaytsev and Jun Kokatsu for reporting the issue.
"An attacker who successfully exploited this vulnerability could gain the privileges needed to install an extension," Microsoft said in an advisory for the flaw, adding that it "could lead to a browser sandbox escape."
Describing it as a privilege escalation flaw, the tech giant also emphasized that successful exploitation of the bug requires an attacker to "take additional actions prior to exploitation to prepare the target environment."
According to Guardio's findings, CVE-2024-21388 allows a bad actor with the ability to run JavaScript on bing[.]com or microsoft[.]com pages to install any extension from the Edge Add-ons store without requiring the user's consent or interaction.
This is made possible by the fact that the browser comes with privileged access to certain private APIs that make it possible to install an add-on as long as it comes from the vendor's own extension marketplace.
One such API in the Chromium-based Edge browser is edgeMarketingPagePrivate, which is accessible from a set of allowlisted websites that belong to Microsoft, including bing[.]com, microsoft[.]com, microsoftedgewelcome.microsoft[.]com, and microsoftedgetips.microsoft[.]com, among others.
The API also packs in a method called installTheme() that, as the name implies, is designed to install a theme from the Edge Add-ons store by passing a unique theme identifier ("themeId") and its manifest file as input.
The bug identified by Guardio is essentially a case of insufficient validation, which enables an attacker to supply any extension identifier from the storefront (as opposed to a themeId) and get it stealthily installed.
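To make the "insufficient validation" concrete, here is an added example (not Microsoft's or Guardio's code) of the kind of guard a privileged theme installer should apply before acting on a caller-supplied identifier and manifest; it assumes the installer receives both values and that, as in Chromium generally, a theme is declared by a "theme" key in manifest.json and carries no code, permissions or host access.

```javascript
// Added illustration, not Edge's real implementation: guard a theme-only
// installer so that a manifest describing a full extension is refused.

// Chromium extension and theme IDs are 32 characters drawn from the letters a-p.
const EXTENSION_ID_RE = /^[a-p]{32}$/;

// Manifest keys a theme must never carry: each one grants code execution,
// a UI surface or site access, so its presence means "this is an extension".
const NON_THEME_KEYS = [
  "background", "content_scripts", "permissions", "host_permissions",
  "optional_permissions", "action", "browser_action", "page_action",
  "web_accessible_resources", "devtools_page", "options_page",
];

// True only when the manifest is a theme and nothing but a theme.
function isThemeManifest(manifest) {
  if (!manifest || typeof manifest !== "object") return false;
  if (!manifest.theme || typeof manifest.theme !== "object") return false;
  return NON_THEME_KEYS.every((key) => !(key in manifest));
}

// Wrapper around an installer callback (assumed interface): the request is
// forwarded only if the id is well formed and the manifest describes a theme.
function installThemeChecked(themeId, manifest, installer) {
  if (typeof themeId !== "string" || !EXTENSION_ID_RE.test(themeId)) {
    return { ok: false, reason: "malformed id" };
  }
  if (!isThemeManifest(manifest)) {
    return { ok: false, reason: "manifest is not a theme" };
  }
  installer(themeId, manifest);
  return { ok: true };
}

// Constructed sample inputs (not real store entries).
const SAMPLE_ID = "abcdefghijklmnopabcdefghijklmnop";
const themeManifest = {
  manifest_version: 3, name: "Demo theme", version: "1.0",
  theme: { colors: { frame: [0, 0, 0] } },
};
const extensionManifest = {
  manifest_version: 3, name: "Demo extension", version: "1.0",
  permissions: ["tabs"], background: { service_worker: "bg.js" },
};
```

A complete fix would also have to verify, on the store side, that the identifier actually belongs to a theme listing, since a manifest supplied by the caller can be forged.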
"As an added bonus, since this extension installation is not performed quite in the manner it was originally designed for, there will be no need for any interaction or consent from the user," Zaytsev explained.
In a hypothetical attack scenario leveraging CVE-2024-21388, a threat actor could publish a seemingly harmless extension to the add-ons store and use it to inject a piece of malicious JavaScript code into bing[.]com – or any of the sites that are allowed to access the API – and install an arbitrary extension of their choice by invoking the API with the extension identifier.
Put differently, running the specially crafted extension in the Edge browser and visiting bing[.]com will automatically install the targeted extension without the victim's permission.
Guardio told The Hacker News that while there is no evidence of this bug being exploited in the wild, it highlights the need to balance user convenience and security, and how browser customizations can inadvertently defeat security mechanisms and introduce a number of new attack vectors.
"It's relatively easy for attackers to trick users into installing an extension that appears harmless, not realizing it serves as the initial step in a more complex attack," Zaytsev said. "This vulnerability could be exploited to facilitate the installation of additional extensions, potentially for monetary gain."