Microsoft Edge bug CVE-2024-21388 allowed installation of arbitrary extensions

A now-patched vulnerability in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions. The details were disclosed by a security researcher to The Hacker News.


CVE-2024-21388 in Edge

The Hacker News reported in this article on findings published here by Guardio Labs security researcher Oleg Zaytsev. In a nutshell, a vulnerability in a private Edge API allowed any attacker with a method to execute JavaScript on or pages to install arbitrary extensions from the Edge Add-ons Store without the user's consent or interaction. The Microsoft Security Response Center (MSRC) classifies the issue as an "Elevation of Privilege" vulnerability of moderate severity (CVSS score: 6.5).

CVE-2024-21388 in Edge, source: Guardio Labs

The security researchers reported the problem to Microsoft in November 2023. Microsoft closed the vulnerability in Edge with security updates at the beginning of February 2024 and assigned it the identifier CVE-2024-21388.

"This vulnerability could have allowed an attacker to exploit a private API, originally intended for marketing purposes, to secretly install additional browser extensions with far-reaching permissions without the user's knowledge," The Hacker News quotes security researcher Oleg Zaytsev of Guardio Labs.

The vulnerability CVE-2024-21388 (CVSS score: 6.5) was fixed by Microsoft in Edge Stable version 121.0.2277.83, released on January 25, 2024. Microsoft confirmed in the release notes that an attacker who successfully exploited this vulnerability could gain the privileges needed to install an extension, which could lead to a browser sandbox escape.
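As an added practical check (this script is not from the article, The Hacker News or Guardio Labs), the following PowerShell compares the installed Edge Stable build against 121.0.2277.83, the version named above as carrying the fix, and lists the extensions present in the default profile together with their declared permissions, so that an unexpected addition can be spotted. It assumes the standard Edge install paths on 64-bit Windows and the default profile directory; adjust the paths if Edge is installed per-user or another profile is in use.

```powershell
# Added example, not code from the article or from Guardio Labs.
# Assumptions: standard Edge Stable install paths, "Default" profile directory.

$FixedVersion = [version]'121.0.2277.83'   # version named in the article as fixing CVE-2024-21388

# System-wide install location first, per-user install as fallback.
$edgeExe = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'
if (-not (Test-Path $edgeExe)) {
    $edgeExe = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\Application\msedge.exe'
}
if (-not (Test-Path $edgeExe)) {
    Write-Warning 'msedge.exe not found in the default install locations.'
    return
}

# Edge's file version is a plain dotted quad, so it casts directly to [version].
$installed = [version](Get-Item $edgeExe).VersionInfo.ProductVersion
if ($installed -ge $FixedVersion) {
    Write-Host "Edge $installed is at or above $FixedVersion (fix for CVE-2024-21388 included)."
} else {
    Write-Warning "Edge $installed is older than $FixedVersion; update Edge."
}

# Installed extensions live under <profile>\Extensions\<store ID>\<version>\manifest.json.
# The directory creation time of the <store ID> folder is a usable "installed on" indicator.
$extRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\Default\Extensions'
if (-not (Test-Path $extRoot)) {
    Write-Warning "Extension directory not found: $extRoot"
    return
}

Get-ChildItem $extRoot -Directory | ForEach-Object {
    $idDir  = $_
    $latest = Get-ChildItem $idDir.FullName -Directory |
              Sort-Object LastWriteTime -Descending |
              Select-Object -First 1
    if ($null -eq $latest) { return }

    $manifestPath = Join-Path $latest.FullName 'manifest.json'
    if (-not (Test-Path $manifestPath)) { return }

    $m = Get-Content $manifestPath -Raw | ConvertFrom-Json
    [pscustomobject]@{
        Id          = $idDir.Name
        Name        = $m.name          # may be a __MSG_xxx__ placeholder for localized names
        Version     = $m.version
        Permissions = ($m.permissions -join ', ')
        Installed   = $idDir.CreationTime
    }
} | Sort-Object Installed -Descending | Format-Table -AutoSize
```

Run it in a normal user session (the extension directory is per-user). Extensions whose name shows as a `__MSG_…__` placeholder take their display name from the `_locales` folder next to the manifest; look them up by the store ID instead. Anything with broad permissions such as `tabs`, `webRequest` or `<all_urls>` host access that the user does not remember installing, especially with a creation time before the Edge update, deserves a closer look.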


In this German comment, a user wrote that Google Chrome (and other browsers) must be pretty garbage if critical security vulnerabilities have been found practically every week for years. I had pointed out that this is topped by Microsoft with Edge. This is because the Chromium engine with all its bugs and vulnerabilities is being used, 'improved' by Microsoft with some stuff and enriched with other things such as Adobe Acrobat in the near future.

And when I read above that the vulnerable private API was originally intended for marketing purposes, it makes me really happy. There are evil tongues that claim that those who rely on Microsoft and Edge have lost control of their lives. I thought that was a polemic, but I'm slowly starting to "recognize that's the truth".
