Microsoft Edge’s CVE-2024-21388 vulnerability is a privacy threat, lets attackers remotely install extensions
Updating to the latest version of Edge will fix it
Published on March 28, 2024
We often hear about vulnerabilities in a browser, and most of them don’t concern us. But CVE-2024-21388 in Microsoft Edge is alarming!
It allows attackers to exploit a marketing API in Edge, which then lets them discreetly install extensions on your browser without explicit permission or knowledge.
What is CVE-2024-21388 in Microsoft Edge?
As per Guardio’s official blog, the edgeMarketingPagePrivate API was responsible for the CVE-2024-21388 vulnerability.
The edgeMarketingPagePrivate API basically allowed the installation of themes from the native Add-ons Store by simply inputting the themeId. So, ideally, the API permitted theme installation, which, in itself, is a small extension.
When the team at Guardio changed this themeId to extensionId, the API facilitated the extension’s installation. While this is surprising, there was some relief in the fact that the API could only be triggered by selected secure websites.
But this, too, could be bypassed by using XSS, a scripting vulnerability, or an extension with minimal privileges. Subsequently, threat actors could install any extension on your PC without your knowledge or explicit approval.
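The missing check described above, shown as an added example rather than code from Edge or from Guardio's write-up: an install handler that trusts the caller-supplied ID to be a theme, next to one that enforces the resolved item type. The function names, the catalog and the allowed origin are all hypothetical and constructed for illustration.

```javascript
// Added illustration with hypothetical names; this is not Edge's real code.
// Constructed catalog standing in for the add-ons store's item metadata.
const CATALOG = new Map([
  ["theme-aaaa", { type: "theme" }],
  ["ext-bbbb", { type: "extension" }],
]);

// Constructed allowlist of origins permitted to call the privileged API.
const ALLOWED_ORIGINS = new Set(["https://marketing.example"]);

// Flawed pattern: the parameter is named themeId, but nothing verifies
// that the ID actually resolves to a theme.
function installThemeUnchecked(callerOrigin, themeId) {
  if (!ALLOWED_ORIGINS.has(callerOrigin)) return { ok: false, reason: "origin" };
  const item = CATALOG.get(themeId);
  if (!item) return { ok: false, reason: "unknown-id" };
  return { ok: true, installed: item.type };
}

// Hardened pattern: the origin check stays, and the resolved item type is
// enforced, so a script running on an allowed origin gets nothing but a theme.
function installThemeChecked(callerOrigin, themeId) {
  if (!ALLOWED_ORIGINS.has(callerOrigin)) return { ok: false, reason: "origin" };
  const item = CATALOG.get(themeId);
  if (!item) return { ok: false, reason: "unknown-id" };
  if (item.type !== "theme") return { ok: false, reason: "not-a-theme" };
  return { ok: true, installed: item.type };
}

// Same call from an allowed origin, passing an extension's ID as themeId.
console.log(installThemeUnchecked("https://marketing.example", "ext-bbbb"));
console.log(installThemeChecked("https://marketing.example", "ext-bbbb"));
```

The origin allowlist alone is not enough here, because a script injected into an allowed page runs with that page's origin; the type check is what limits the damage.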
Vulnerability reported to Microsoft and patched
Guardio reported the vulnerability to Microsoft on Nov 10, 2023, and a fix was released on Jan 26, 2024, in the form of an Edge Security Update.
To update Microsoft Edge, launch the browser > click on the ellipsis near the top right > go to Help & feedback > select About Microsoft Edge > and wait for the latest version to download.
The critical CVE-2024-21388 vulnerability in Microsoft Edge highlights how developers prioritize feature sets and enhanced functionality over the browser’s security, at least until the issue is reported. Although this one was quickly identified and reported, that’s not always the case!
These aspects are all the more important for Edge, a browser still far behind Google Chrome in terms of popularity. But certain new features, like controlling RAM usage, gaming customizations, uploading files from mobile, and AI integration are working in favour of Edge.
What’s your review of Microsoft Edge? Share with our readers in the comments section.
Kazim Ali Alvi
Windows Hardware Expert
Kazim has always been fond of technology, be it scrolling through the settings on his iPhone, Android device, or Windows PC. He’s specialized in hardware devices, always ready to remove a screw or two to find out the real cause of a problem.
Long-time Windows user, Kazim is ready to provide a solution for your every software & hardware error on Windows 11, Windows 10 and any previous iteration. He’s also one of our experts in Networking & Security.