A recently patched security vulnerability in Microsoft Edge could have allowed malicious actors to stealthily install arbitrary extensions on users’ systems, potentially leading to harmful actions.
CVE-2024-21388 Explained
Discovered by Guardio Labs security researcher Oleg Zaytsev and tracked as CVE-2024-21388, this flaw could be exploited by leveraging a private API initially intended for marketing purposes. Through responsible disclosure, Microsoft addressed the issue in Edge stable version 121.0.2277.83 released on January 25, 2024, crediting Zaytsev and Jun Kokatsu for reporting it.
Because CVE-2024-21388 is a privilege escalation flaw, exploiting it requires an attacker to first prepare the target environment. Guardio’s investigation revealed that the vulnerability permits bad actors with JavaScript execution capabilities on certain Microsoft websites to install extensions from the Edge Add-ons store without user consent.
This exploit leverages privileged access to specific private APIs, such as edgeMarketingPagePrivate, accessible from whitelisted Microsoft-owned sites like bing.com and microsoft.com. Notably, the API includes a method called installTheme(), enabling installation of extensions using unique identifiers without user interaction.
The flaw arises from insufficient validation, allowing attackers to bypass restrictions and install extensions stealthily. Zaytsev highlighted the potential for attackers to exploit user trust by disguising harmful extensions as harmless, potentially leading to further exploitation and financial gain.
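To make the validation gap concrete, here is an added toy model (not Microsoft Edge code and not Guardio's research code) of a privileged API exposed only to allow-listed first-party origins. The vulnerable version of installTheme() resolves an identifier and installs whatever it points to; the hardened version also checks that the resolved item really is a permissionless theme and records refused requests for review. The catalogue, item identifiers and origin list are constructed for the illustration.

```javascript
// Added illustration, not Microsoft Edge code: a toy model of a privileged
// browser API reachable only from allow-listed first-party origins. It shows
// why a method named installTheme() must verify that the item it is asked to
// install is actually a theme. All names, IDs and catalogue entries are constructed.

// Constructed add-on catalogue: the IDs are made up, not real store identifiers.
const CATALOG = new Map([
  ["theme-0001", { name: "Dark Ocean",    type: "theme",     permissions: [] }],
  ["ext-0001",   { name: "Coupon Helper", type: "extension", permissions: ["tabs", "webRequest", "<all_urls>"] }],
]);

// Origins permitted to call the private API (modelled on the article's
// description of allow-listed Microsoft-owned sites; constructed list).
const PRIVILEGED_ORIGINS = new Set(["https://www.bing.com", "https://www.microsoft.com"]);

// Vulnerable model: gates on caller origin and checks that the ID exists, but
// never checks what the ID resolves to. A full extension is installed as
// silently as a theme would be.
function installThemeVulnerable(callerOrigin, itemId, installed) {
  if (!PRIVILEGED_ORIGINS.has(callerOrigin)) return { ok: false, reason: "origin-not-allowed" };
  const item = CATALOG.get(itemId);
  if (!item) return { ok: false, reason: "unknown-item" };
  installed.push(itemId);
  return { ok: true, installed: itemId };
}

// Hardened model: same origin gate, plus validation that the resolved item is a
// theme requesting no permissions. Anything else is refused and written to an
// audit list so the attempt is visible to defenders.
function installThemeHardened(callerOrigin, itemId, installed, audit) {
  if (!PRIVILEGED_ORIGINS.has(callerOrigin)) return { ok: false, reason: "origin-not-allowed" };
  const item = CATALOG.get(itemId);
  if (!item) return { ok: false, reason: "unknown-item" };
  if (item.type !== "theme" || item.permissions.length > 0) {
    audit.push({ origin: callerOrigin, itemId, type: item.type, action: "refused" });
    return { ok: false, reason: "not-a-theme" };
  }
  installed.push(itemId);
  return { ok: true, installed: itemId };
}

// Runs both models against the constructed catalogue and returns the outcomes.
function demo() {
  const vulnerableInstalled = [], hardenedInstalled = [], audit = [];
  const r1 = installThemeVulnerable("https://www.bing.com", "ext-0001", vulnerableInstalled);
  const r2 = installThemeHardened("https://www.bing.com", "ext-0001", hardenedInstalled, audit);
  const r3 = installThemeHardened("https://www.bing.com", "theme-0001", hardenedInstalled, audit);
  const r4 = installThemeHardened("https://untrusted.example", "theme-0001", hardenedInstalled, audit);
  return { r1, r2, r3, r4, vulnerableInstalled, hardenedInstalled, audit };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the model is that the origin allow-list alone is not a sufficient control: once any script runs on a privileged origin, the only thing standing between it and a silent install is what the method itself validates about the item. The hardened version also turns a refused request into an audit record, which is what a defender would want to alert on.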
Although there is no evidence of real-world exploitation, Guardio noted the importance of balancing user convenience with security, stressing the need for browser security mechanisms that prevent similar vulnerabilities from being exploited in the future.