Microsoft patches Edge browser vulnerability that could have led to malicious extension installation

Microsoft has released a critical security patch for its Edge browser, addressing a vulnerability that could have allowed attackers to install malicious extensions without user’s knowledge. Security researchers at Guardio Labs, who discovered the flaw (designated CVE-2024-21388), disclosed it to Microsoft in November 2023, leading to a resolution in February 2024.

Details of the Vulnerability

The vulnerability originated from a private API within the Edge browser intended for integrating marketing features. Attackers could exploit this API to force the browser to install extensions from the Edge Add-ons store without requiring user interaction or approval.

Guardio Labs provided technical details outlining how attackers could utilize a basic JavaScript injection to exploit this vulnerability. This technique would allow attackers to gain control, even if a user simply visited a compromised website or interacted with a malicious link.

Risks Associated with the Exploit

The silent installation of browser extensions introduces significant risks. Malicious extensions can be designed to exfiltrate sensitive user data, such as login credentials and financial information. These extensions can also be used monitor user browsing habits for targeted attacks and more.

Microsoft’s fix for this vulnerability:

The issue was fixed by Microsoft by checking what extension ID and extension type are being sent to this API. Thus, preventing installation of malicious extensions.

Please make sure to update your Edge browser to v121.0.2277.98 and above to prevent yourself from malicious extension installation.