This Microsoft Edge security flaw could have allowed hackers to install all kinds of malicious extras - but there's good news

As per a report on The Hacker News, security researchers from Guardio Labs discovered a privilege escalation flaw, which is now tracked as CVE-2024-21388. It carries a severity score of 6.5, and revolves around the fact that Edge was designed to have privileged access to some private APIs. This access makes it possible for the browser to install add-ons in the background, as long as they’re from the vendor’s extensions store.

Abusing legitimate APIs

One of the APIs is called edgeMarketingPagePrivate which can, among other things, install themes from the Edge Add-ons store. In theory, threat actors could trick this API to install a malicious extension instead of a theme.

The process would look like this: a threat actor would first need to create a seemingly benign add-on for Edge, which would inject malicious JavaScript code on a site that allows access to the API (for example, bing[.]com). This JavaScript would, consequently, trigger the installation of the malicious add-on, in complete silence.

The edgeMarketingPagePrivate API was initially intended for marketing purposes, Guardio Labs’ researchers said.

Speaking to the publication, Guardio’s researchers said that they found no evidence of the flaw being abused in the wild, but added that browser makers need to find a delicate balance between user experience and security. Browser customization, they warned, can inadvertently defeat security mechanisms and introduce new attack vectors, they concluded.

More from TechRadar Pro

• If you're one of the millions who installed these malicious Google Chrome extensions, delete them now
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now