[German]A now-patched vulnerability in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions. This was revealed by a security researcher to The Hacker News.
Advertising
CVE-2024-21388 in Edge
The Hacker News reportet in this article on information published here by Guardio Labs security researcher Oleg Zaytsev. In a nutshell, a vulnerability in the Edge API allowed any attacker with a method to execute JavaScript on bing.com or microsoft.com pages to install arbitrary extensions from the Edge Add-ons Store without the user's consent or interaction. This is an "Elevation of Privilege" issue that has been classified as moderately severe by the Microsoft Security Response Center (MSRC) (CVSS score: 6.5).
CVE-2024-21388 in Edge, Quelle Guardio Labs
The security researchers informed Microsoft about this problem in November 2023. Microsoft closed the vulnerability in Edge at the beginning of February 2024 with security updates and assigned the CVE code CVE-2024-21388.
"This vulnerability could have allowed an attacker to exploit a private API, originally intended for marketing purposes, to secretly install additional browser extensions with far-reaching permissions without the user's knowledge," The Hacker News quotes security researcher Oleg Zaytsev of Guardio Labs.
The vulnerability CVE-2024-21388 (CVSS score: 6.5) was fixed by Microsoft in Edge Stable version 121.0.2277.83 – the release took place on January 25, 2024. Microsoft confirmed in the release notes that an attacker who successfully exploited this vulnerability could obtain the necessary rights to install an extension. This would make it possible to break out of the browser sandbox.
Advertising
In this German comment, a user wrote that Google Chrome (and other browsers) must be pretty garbage if critical security vulnerabilities have been found practically every week for years. I had pointed out that this is topped by Microsoft with Edge. This is because the Chromium engine with all its bugs and vulnerabilities is being used, 'improved' by Microsoft with some stuff and enriched with other things such as Adobe Acrobat in the near future.
And when I read above that the vulnerable private AP was originally intended for marketing purposes, it makes me really happy. There are evil tongues that claim that those who rely on Microsoft and Edge have lost control of their lives. I thought that was a polemic, but I'm slowly starting to "recognize that's the truth".
