
The Cybersecurity Lair™ • March 27, 2024

Edge of Insecurity: Microsoft Edge Bug Exposed Users to Malicious Extensions

Uncovering the Security Flaw Allowing Silent Installation of Malicious Extensions

A security flaw in the Microsoft Edge browser, now patched, could have allowed attackers to silently install malicious extensions on users' systems.


Guardio Labs security researcher Oleg Zaytsev uncovered a security flaw (CVE-2024-21388) in Microsoft Edge that allowed attackers to abuse a private browser API to install arbitrary extensions from the Edge Add-ons store without user consent, a privilege escalation inside the browser. Microsoft addressed the issue in Edge stable version 121.0.2277.83. The case highlights the trade-off between the convenience of browser customisation and the security risk that comes with it.

Key points:


  • A security flaw in the Microsoft Edge browser (CVE-2024-21388) allowed attackers to install arbitrary extensions without user consent.
  • Exploitation required running JavaScript on specific Microsoft-owned websites such as bing.com or microsoft.com, for example through a cross-site scripting (XSS) flaw on one of those sites.
  • Those sites are granted access to the private edgeMarketingPagePrivate API, which is meant to let them install themes from the Edge Add-ons store; attackers could abuse it to install other add-ons.
  • The API validated only the calling origin, not whether the supplied identifier actually referred to a theme, so any extension identifier was installed without user interaction.
  • Because an installed extension runs with far more privilege than the page that requested it, the bug could lead to privilege escalation and, according to the researchers, potentially a browser sandbox escape.
  • Microsoft released the fix in Edge stable version 121.0.2277.83 in January 2024, crediting the researchers who reported the issue.
  • No evidence of exploitation in the wild was found, but the vulnerability underscores the potential for complex attacks via seemingly harmless extensions.
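The validation gap described above, as an added illustrative model (this is not Edge's own code and does not reproduce the real API surface): a privileged install-by-identifier API gated only by page origin, shown in a flawed form beside a hardened form. The store catalogue, the origin allowlist, the item identifiers and the function names are all constructed for the example.

```javascript
// Added illustrative model, not Edge's own code. Catalogue, origins and
// identifiers are constructed for the example.

// Constructed add-on catalogue: one harmless theme, one powerful extension.
const STORE = new Map([
  ["theme-0001", { id: "theme-0001", type: "theme", name: "Ocean", permissions: [] }],
  ["ext-0002", { id: "ext-0002", type: "extension", name: "Page Helper",
                 permissions: ["tabs", "webRequest", "<all_urls>"] }],
]);

// Assumed allowlist of origins permitted to call the private API.
const PRIVILEGED_ORIGINS = new Set(["https://www.bing.com", "https://www.microsoft.com"]);

// Shared checks: the caller must be an allowlisted origin and the item must exist.
function lookupOrThrow(origin, itemId) {
  if (!PRIVILEGED_ORIGINS.has(origin)) throw new Error("origin not allowlisted");
  const item = STORE.get(itemId);
  if (!item) throw new Error("unknown store item");
  return item;
}

// Flawed form: trusts that the page only passes theme identifiers. Any script
// running on an allowlisted origin (e.g. injected via an XSS) can pass an
// arbitrary extension id and have it installed with no prompt.
function installThemeFlawed(browser, origin, itemId) {
  const item = lookupOrThrow(origin, itemId);
  browser.installed.push(item.id);
  return item;
}

// Hardened form: validate what is being installed, not only who is asking.
// The id must resolve to a theme, a theme must request no permissions, and
// the user must confirm before anything is installed.
function installThemeHardened(browser, origin, itemId, confirmWithUser) {
  const item = lookupOrThrow(origin, itemId);
  if (item.type !== "theme") throw new Error(`refusing non-theme item ${item.id}`);
  if (item.permissions.length > 0) throw new Error("themes must request no permissions");
  if (!confirmWithUser(item)) throw new Error("user declined install");
  browser.installed.push(item.id);
  return item;
}

function newBrowser() {
  return { installed: [] };
}

// Runs the attacker's call (script on an allowlisted origin, attacker-chosen
// extension id) against both forms and reports what ended up installed.
function runScenario() {
  const attackerOrigin = "https://www.bing.com"; // allowlisted origin where the attacker runs JS
  const targetId = "ext-0002";                   // attacker-chosen extension, not a theme
  const result = { flawedInstalled: null, hardenedError: null, legitInstalled: null, foreignError: null };

  // Flawed API: the extension is installed silently.
  const b1 = newBrowser();
  installThemeFlawed(b1, attackerOrigin, targetId);
  result.flawedInstalled = b1.installed.slice();

  // Hardened API: the same call is refused before any prompt is shown.
  const b2 = newBrowser();
  try {
    installThemeHardened(b2, attackerOrigin, targetId, () => true);
  } catch (e) {
    result.hardenedError = e.message;
  }

  // Legitimate use still works: a real theme, and the user confirms.
  installThemeHardened(b2, attackerOrigin, "theme-0001", () => true);
  result.legitInstalled = b2.installed.slice();

  // Script on a non-allowlisted origin is refused by both forms.
  try {
    installThemeFlawed(newBrowser(), "https://attacker.example", targetId);
  } catch (e) {
    result.foreignError = e.message;
  }
  return result;
}
```

The point of the model is the ordering of checks: the origin allowlist is the only thing the flawed form verifies, so any way of running script on an allowlisted site (an XSS, a compromised third-party script) turns the "install a theme" feature into "install any add-on". The hardened form keeps the allowlist but also checks the type and permissions of the catalogue entry and asks the user, so a stolen origin alone is no longer enough.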


Takeaways to avoid such issues:


  • Update browsers promptly to the latest version so that patched vulnerabilities are actually closed on users' machines.
  • Encourage responsible disclosure of security flaws to vendors so that fixes can ship before the issue is exploited.
  • Apply strict validation in privileged browser APIs: verify what is being installed or acted on, not just which origin is asking.
  • Educate users about the risks of unfamiliar extensions and encourage caution when customising the browser.
  • Rely on browser security features such as sandboxing to limit the impact of a successful exploit.

Sources and further reading


The Hacker News. (2024, March). Microsoft Edge bug could have allowed attackers to silently install malicious extensions. https://thehackernews.com/2024/03/microsoft-edge-bug-could-have-allowed.html

Microsoft Security Response Center. (n.d.). Security Update Guide: CVE-2024-21388. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21388

Guardio. (2024, March 27). "CVE-2024-21388": Microsoft Edge's marketing API exploited for covert extension installation. Medium. https://labs.guard.io/cve-2024-21388-microsoft-edges-marketing-api-exploited-for-covert-extension-installation-879fe5ad35ca
