A now-patched safety flaw within the Microsoft Edge net browser may have been abused to put in arbitrary extensions on customers’ programs and perform malicious actions.
“This flaw may have allowed an attacker to use a personal API, initially supposed for advertising functions, to covertly set up further browser extensions with broad permissions with out the consumer’s data,” Guardio Labs safety researcher Oleg Zaytsev mentioned in a brand new report shared with The Hacker Information.
Tracked as CVE-2024-21388 (CVSS rating: 6.5), it was addressed by Microsoft in Edge secure model 121.0.2277.83 launched on January 25, 2024, following accountable disclosure in November 2023. The Home windows maker credited each Zaytsev and Jun Kokatsu for reporting the problem.
“An attacker who efficiently exploited this vulnerability may achieve the privileges wanted to put in an extension,” Microsoft mentioned in an advisory for the flaw, including it “may result in a browser sandbox escape.”
Describing it as a privilege escalation flaw, the tech big additionally emphasised {that a} profitable exploitation of the bug requires an attacker to “take further actions previous to exploitation to arrange the goal atmosphere.”
Based on Guardio’s findings, CVE-2024-21388 permits a nasty actor with the power to run JavaScript on bing[.]com or microsoft[.]com pages to put in any extensions from the Edge Add-ons retailer sans requiring consumer’s consent or interplay.
That is made doable by the truth that the browser comes with privileged entry to sure personal APIs that make it doable to put in an add-on so long as it is from the seller’s personal extension market.
One such API within the Chromium-based Edge browser is edgeMarketingPagePrivate, which is accessible from a set of allowlisted web sites that belong to Microsoft, together with bing[.]com, microsoft[.]com, microsoftedgewelcome.microsoft[.]com, and microsoftedgetips.microsoft[.]com, amongst others.
The API additionally packs in a technique known as installTheme() that, because the identify implies, is designed to put in a theme from the Edge Add-ons retailer by passing a singular theme identifier (“themeId”) and its manifest file as enter.
The bug recognized by Guardio is actually a case of inadequate validation, thereby enabling an attacker to supply any extension identifier from the storefront (versus the themeId) and get it stealthily put in.
“As an added bonus, as this extension set up shouldn’t be finished fairly within the method it was initially designed for, there will likely be no want for any interplay or consent from the consumer,” Zaytsev defined.
In a hypothetical assault situation leveraging CVE-2024-21388, a menace actor may publish a seemingly innocent extension to the add-ons retailer and use it to inject a bit of malicious JavaScript code into bing[.]com – or any of the websites which might be allowed to entry the API – and set up an arbitrary extension of their selection by invoking the API utilizing the extension identifier.
Put in a different way, executing the specifically crafted extension on the Edge browser and going to bing[.]com will robotically set up the focused extension with out the sufferer’s permission.
Guardio advised The Hacker Information that whereas there isn’t a proof of this bug being exploited within the wild, it highlights the necessity for balancing consumer comfort and safety, and the way browser customizations can inadvertently defeat safety mechanisms and introduce a number of new assault vectors.
“It is comparatively simple for attackers to trick customers into putting in an extension that seems innocent, not realizing it serves because the preliminary step in a extra advanced assault,” Zaytsev mentioned. “This vulnerability might be exploited to facilitate the set up of further extensions, probably for financial achieve.”
