Subj : This Microsoft Edge security flaw could have allowed hackers to i
To   : All
From : TechnologyDaily
Date : Thu Mar 28 2024 14:15:05

This Microsoft Edge security flaw could have allowed hackers to install all kinds of malicious extras - but there's good news

Date: Thu, 28 Mar 2024 14:02:32 +0000

Description: What if simply visiting the Bing website installed malware? It was a possibility, so make sure you're protected.

FULL STORY
======================================================================

Microsoft Edge was vulnerable to a unique flaw that allowed threat actors to install malicious extensions on the browser without the victim's knowledge or consent. This could lead to a wide array of security incidents, as extensions can grab screenshots, store sensitive user data, and more.

The good news is that the flaw was discovered last year and patched earlier this year, so if you're using Edge, chances are you're already protected against this vulnerability.

As per a report on The Hacker News, security researchers from Guardio Labs discovered a privilege escalation flaw, which is now tracked as CVE-2024-21388. It carries a severity score of 6.5, and revolves around the fact that Edge was designed to have privileged access to some private APIs. This access makes it possible for the browser to install add-ons in the background, as long as they're from the vendor's extensions store.

Abusing legitimate APIs

One of the APIs is called edgeMarketingPagePrivate, which can, among other things, install themes from the Edge Add-ons store. In theory, threat actors could trick this API into installing a malicious extension instead of a theme.

The process would look like this: a threat actor would first need to create a seemingly benign add-on for Edge, which would inject malicious JavaScript code into a site that allows access to the API (for example, bing[.]com). This JavaScript would, consequently, trigger the installation of the malicious add-on, in complete silence.

The edgeMarketingPagePrivate API was initially intended for marketing purposes, Guardio Labs researchers said.

Speaking to the publication, Guardio's researchers said that they found no evidence of the flaw being abused in the wild, but added that browser makers need to find a delicate balance between user experience and security. Browser customization, they warned, can inadvertently defeat security mechanisms and introduce new attack vectors.

======================================================================
Link to news story:
https://www.techradar.com/pro/security/this-microsoft-edge-security-flaw-could-have-allowed-hackers-to-install-all-kinds-of-malicious-extras-but-theres-good-news

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)