Microsoft Edge's CVE-2024–21388 vulnerability is a privacy threat, lets attackers remotely install extensions

Updating to the latest version of Edge will fix it

News

Reading time icon 2 min. read

Calendar icon Published on

by Kazim Ali Alvi 

published on

Share this article

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

microsoft edge CVE-2024–21388 vulnerability

We often hear about vulnerabilities in a browser, and most of them don’t concern us. But CVE-2024–21388 in Microsoft Edge is alarming!

It allows attackers to exploit a marketing API in Edge, which then lets them discreetly install extensions on your browser without explicit permission or knowledge.

What is CVE-2024–21388 in Microsoft Edge?

As per Guardio’s official blog, the edgeMarketingPagePrivate API was responsible for the CVE-2024–21388 vulnerability. 

"edgeMarketingPagePrivate": {
    "channel": "stable",
    "contexts": [
      "blessed_web_page",
      "web_page",
      "webui",
      "serviceui"
    ],
    "matches": [
      "https://microsoftedgewelcome.microsoft.com/*",
      "https://www.microsoft.com/*",
      "https://microsoftedgetips.microsoft.com/*",
      "https://www.bing.com/*",
      "edge://surf/*",
      "https://localhost.msn.com/*",
      "https://ntp.msn.com/*",
      "https://ntp.msn.cn/*"
    ]
  },

The edgeMarketingPagePrivate API basically allowed the installation of themes from the native Add-ons Store by simply inputting the themeId. So, ideally, the API permitted theme installation, which, in itself, is a small extension.

When the team at Guardio changed this themeId to extensionId, the API facilitated the extension’s installation. While this is surprising, there was some relief in the fact that the API could only be triggered by selected secure websites.

Image Source: Guardio

But this, too, could be bypassed by using XSS, a scripting vulnerability, or an extension with minimal privileges. Subsequently, threat actors could install any extension on your PC without your knowledge or explicit approval.

Vulnerability reported to Microsoft and patched

Guardio reported the vulnerability to Microsoft on Nov 10, 2023, and a fix was released on Jan 26, 2024, in the form of an Edge Security Update.

To update Microsoft Edge, launch the browser > click on the ellipsis near the top right > go to Help & feedback > select About Microsoft Edge > and wait for the latest version to download.

Updating Microsoft Edge

The critical CVE-2024–21388 vulnerability in Microsoft Edge highlights how developers prioritize feature sets and enhanced functionality over the browser’s security, at least until the issue is reported. Although this one was quickly identified and reported, that’s not always the case!

These aspects are all the more important for Edge, a browser still far behind Google Chrome in terms of popularity. But certain new features, like controlling RAM usage, gaming customizations, uploading files from mobile, and AI integration are working in favour of Edge.

What’s your review of Microsoft Edge? Share with our readers in the comments section.

More about the topics: malware, microsoft edge

Kazim Ali Alvi

Kazim Ali Alvi Shield

Windows Hardware Expert

Kazim has always been fond of technology, be it scrolling through the settings on his iPhone, Android device, or Windows PC. He's specialized in hardware devices, always ready to remove a screw or two to find out the real cause of a problem. Long-time Windows user, Kazim is ready to provide a solution for your every software & hardware error on Windows 11, Windows 10 and any previous iteration. He's also one of our experts in Networking & Security.