A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions.
"This flaw could have allowed an attacker to use a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user's knowledge," Guardio Labs security researcher Oleg Zaytsev said in a new report shared with The Hacker News.
Tracked as CVE-2024-21388 (CVSS score: 6.5), it was addressed by Microsoft in Edge stable version 121.0.2277.83 released on January 25, 2024, following responsible disclosure in November 2023. The Windows maker credited both Zaytsev and Jun Kokatsu for reporting the issue.
"An attacker who successfully exploited this vulnerability could gain the privileges needed to install an extension," Microsoft said in an advisory for the flaw, adding it "could lead to a browser sandbox escape."
Describing it as a privilege escalation flaw, the tech giant also emphasized that successful exploitation of the bug requires an attacker to "take additional actions prior to exploitation to prepare the target environment."
According to Guardio's findings, CVE-2024-21388 allows a bad actor with the ability to run JavaScript on bing[.]com or microsoft[.]com pages to install any extension from the Edge Add-ons store without requiring the user's consent or interaction.
This is made possible by the fact that the browser comes with privileged access to certain private APIs that make it possible to install an add-on as long as it comes from the vendor's own extension marketplace.
One such API in the Chromium-based Edge browser is edgeMarketingPagePrivate, which is accessible from a set of allowlisted websites that belong to Microsoft, including bing[.]com, microsoft[.]com, microsoftedgewelcome.microsoft[.]com, and microsoftedgetips.microsoft[.]com, among others.
The API also packs in a method called installTheme() that, as the name implies, is designed to install a theme from the Edge Add-ons store by passing a unique theme identifier ("themeId") and its manifest file as input.
The bug identified by Guardio is essentially a case of insufficient validation: the method does not verify that the identifier it receives actually refers to a theme, enabling an attacker to supply any extension identifier from the storefront (as opposed to a themeId) and get it stealthily installed.
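The missing validation described above, as an added illustration that is neither Microsoft's code nor Guardio's: a constructed installTheme() wrapper in its unchecked form beside a hardened one that only installs a store identifier whose manifest is a pure theme. The manifest key names follow the Chromium extension manifest format; the store id pattern, the sample manifests and the placeholder id are assumptions.

```javascript
// Added illustration (not Microsoft's or Guardio's code): the kind of
// validation the article says installTheme() lacked.

// Capability keys a theme never needs; a theme only restyles the UI.
const EXTENSION_ONLY_KEYS = [
  "permissions", "host_permissions", "optional_permissions",
  "background", "content_scripts", "action", "browser_action",
  "page_action", "web_accessible_resources", "declarative_net_request",
  "devtools_page", "options_page", "options_ui",
];
// Chromium store identifiers are 32 characters in the range a-p (assumed format).
const STORE_ID = /^[a-p]{32}$/;

// True only when the manifest describes a pure theme.
function isThemeManifest(manifest) {
  if (!manifest || typeof manifest !== "object") return false;
  if (!manifest.theme || typeof manifest.theme !== "object") return false;
  return !EXTENSION_ONLY_KEYS.some((key) => key in manifest);
}

// Unchecked shape: whatever id arrives is forwarded to the installer, so any
// add-on identifier from the store is installed as if it were a theme.
function installThemeUnchecked(themeId, manifest, install) {
  return install(themeId);
}

// Hardened shape: refuse anything but a store id paired with a theme manifest.
function installThemeChecked(themeId, manifest, install) {
  if (!STORE_ID.test(themeId)) throw new Error("invalid store id");
  if (!isThemeManifest(manifest)) throw new Error("not a theme manifest");
  return install(themeId);
}

// Constructed sample manifests and a placeholder id (not real store entries).
const PLACEHOLDER_ID = "a".repeat(32);
const THEME_MANIFEST = { manifest_version: 3, name: "Dark Blue", version: "1.0",
  theme: { colors: { frame: [20, 30, 60] } } };
const EXTENSION_MANIFEST = { manifest_version: 3, name: "Helper", version: "1.0",
  permissions: ["tabs", "cookies"], host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" } };

// Runs both variants against the extension manifest and records what the
// installer received; only the unchecked variant lets it through.
function demo() {
  const seen = { unchecked: [], checked: [], error: null };
  installThemeUnchecked(PLACEHOLDER_ID, EXTENSION_MANIFEST, (id) => seen.unchecked.push(id));
  try { installThemeChecked(PLACEHOLDER_ID, EXTENSION_MANIFEST, (id) => seen.checked.push(id)); }
  catch (e) { seen.error = e.message; }
  installThemeChecked(PLACEHOLDER_ID, THEME_MANIFEST, (id) => seen.checked.push(id));
  return seen;
}
```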
"As an added bonus, as this extension installation is not done quite in the manner it was originally designed for, there will be no need for any interaction or consent from the user," Zaytsev explained.
In a hypothetical attack scenario leveraging CVE-2024-21388, a threat actor could publish a seemingly harmless extension to the add-ons store and use it to inject a piece of malicious JavaScript code into bing[.]com – or any of the sites that are allowed to access the API – and install an arbitrary extension of their choice by invoking the API with the extension identifier.
Put differently, running the specially crafted extension in the Edge browser and visiting bing[.]com will automatically install the targeted extension without the victim's permission.
Guardio told The Hacker News that while there is no evidence of this bug being exploited in the wild, it highlights the need to balance user convenience and security, and how browser customizations can inadvertently defeat security mechanisms and introduce a number of new attack vectors.
"It's relatively easy for attackers to trick users into installing an extension that appears harmless, not realizing it serves as the initial step in a more complex attack," Zaytsev said. "This vulnerability could be exploited to facilitate the installation of additional extensions, potentially for monetary gain."