Edge of Vulnerability: Uncovering a Stealth Extension Installation Flaw in Microsoft Edge
Charles M. Walls | March 27, 2024 | Views: 285
In a recent development that caught the attention of cybersecurity enthusiasts, a vulnerability within the Microsoft Edge browser was discovered, posing a significant threat by potentially allowing malicious actors to install unauthorized extensions on a user's device. Oleg Zaytsev, a security expert at Guardio Labs, brought this issue to light, highlighting how the flaw exploited a private API originally created for marketing purposes. This could lead to the stealth installation of extensions without any input from the unsuspecting user.
Dubbed CVE-2024-21388 and assigned a severity score of 6.5, Microsoft swiftly addressed the issue in the Edge stable version 121.0.2277.83, released on January 25, 2024. The fix came after the responsible reporting of the flaw in November 2023 by both Zaytsev and Jun Kokatsu, underscoring Microsoft's commitment to user security. Microsoft's advisory shed light on the potential risks associated with the flaw, including a breach of the browser's sandbox security.
Described as a privilege escalation issue, the flaw's exploitation required preparatory steps, making it a sophisticated attack vector. Guardio's analysis revealed that attackers could leverage the ability to run JavaScript on specific Microsoft-owned pages to install any extension from the Edge Add-ons store without user interaction. This was made possible through privileged access to certain APIs, one of which was the edgeMarketingPagePrivate, accessible from a select list of Microsoft-associated domains.
The crux of the vulnerability lay in the insufficient validation mechanisms of this API, which allowed attackers to use any extension identifier for installation, bypassing the intended themeId requirement. This loophole meant that the installation process circumvented the need for user consent, making it a potent tool for stealthy attacks.
A theoretical attack scenario envisioned by Guardio involved the publication of a benign-looking extension to the add-ons store, which could then be used to inject malicious JavaScript into allowed sites, leading to the automatic installation of a chosen harmful extension. Although there was no evidence of this vulnerability being exploited in the wild, its discovery underscores the delicate balance between user convenience and security. It also highlights how browser customizations, while enhancing user experience, can open up new avenues for cyber threats.
This incident serves as a stark reminder of the continuous cat-and-mouse game between cybersecurity professionals and attackers. It also emphasizes the importance of vigilance in the digital age, where seemingly innocuous features can be twisted for malicious purposes.