Skip to content Skip to footer

Microsoft Edge Flaw Allowed Covert Installation of Extensions: Guardio Labs

A recently discovered security flaw in Microsoft had the potential to allow cybercriminals to install arbitrary extensions on users' systems and carry out malicious actions. The flaw was found to exploit a private API initially intended for marketing purposes, which could have allowed an attacker to install additional browser extensions with broad permissions without the user's knowledge.

Security researcher Oleg Zaytsev from Guardio Labs reported the , , with a CVSS score of 6.5. Microsoft addressed the issue in the stable version of , 121.0.2277.83, released on January 25, 2024, following responsible disclosure in November 2023. The company credited both Zaytsev and Jun Kokatsu for reporting the issue.

An attacker exploiting this vulnerability could gain the privileges needed to install an extension, leading to a browser sandbox escape. Microsoft described it as a privilege escalation flaw that requires an attacker to take additional actions before exploiting the bug to prepare the target environment.

According to Guardio's findings, allows a bad actor with the ability to run JavaScript on Bing [.]com or Microsoft [.]com pages to install any extensions from the Add-ons store without requiring the user's consent or interaction. The browser comes with privileged access to certain private APIs that enable the installation of an add-on as long as it's from the vendor's extension marketplace. One such API in the Chromium-based browser is edgeMarketingPagePrivate, which is accessible from a set of allowed listed websites that belong to Microsoft, including Bing[.]com, microsoft[.]com, microsoftedgewelcome.microsoft[.]com, and microsoftedgetips.microsoft[.]com, among others.

The API also includes a method called installTheme(), which, as the name implies, is designed to install a theme from the Add-ons store by passing a unique theme identifier (“themeId”) and its manifest file as input. The bug identified by Guardio is essentially a case of insufficient validation, enabling an attacker to provide any extension identifier from the storefront (as opposed to the themeId) and get it stealthily installed.

As a bonus, this extension installation is done differently than it was initially designed for, so the user will not need any interaction or consent. In a hypothetical attack scenario leveraging , a threat actor could publish a seemingly harmless extension to the add-ons store and use it to inject a piece of malicious JavaScript code into bing[.]com or any of the sites that are allowed to access the API. They could then install an arbitrary extension of their choice by invoking the API using the extension identifier.

Executing the specially crafted extension on the browser and going to bing[.]com will automatically install the targeted extension without the victim's permission. While there is no evidence of this bug being exploited in the wild, it highlights the need to balance user convenience and security. It also shows how browser customizations can inadvertently defeat security mechanisms and introduce several new attack vectors.

In conclusion, users should always be wary of suspicious computer activity and take necessary precautions to ensure their devices are secure. They should also keep their browsers updated to the latest version and be mindful of any new updates or security patches released by the company. By being vigilant and proactive, users can protect themselves from cyber-attacks and stay safe online.

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

I have photographic memory! It's a curse!Nikon

Deitasoft © 2024. All Rights Reserved.