Advertisement
The discovery of a privilege escalation flaw in Microsoft Edge, tracked as CVE-2024-21388, posed a significant security risk as it allowed threat actors to install malicious extensions on the browser without the user’s knowledge or consent. This vulnerability, discovered by security researchers from Guardio Labs, exploited Edge’s privileged access to private APIs, particularly the edgeMarketingPagePrivate API, which was intended for installing themes from the Edge Add-ons store.
The flaw enabled threat actors to create seemingly benign add-ons that injected malicious JavaScript code on specific websites, such as bing.com, triggering the silent installation of malicious extensions instead of themes. While there was no evidence of the flaw being exploited in the wild, its discovery raised concerns about the potential for widespread security incidents, as malicious extensions could capture screenshots, store sensitive user data, and perform other malicious activities.
Fortunately, Microsoft patched the vulnerability earlier this year, mitigating the risk for Edge users. However, the incident underscored the importance of balancing user experience with security in browser development. While browser customization enhances user experience, it can inadvertently introduce new attack vectors and defeat security mechanisms. As such, browser makers must remain vigilant in addressing vulnerabilities and securing their platforms to protect users from evolving threats.