Guardio Labs has uncovered a significant vulnerability in the Microsoft Edge browser, designated CVE-2024-21388, that allowed an attacker to abuse a private browser API to install browser extensions without user consent. The API was built for marketing purposes; the flaw was that it could be turned into a covert installer for extensions carrying broad permissions. Guardio disclosed the issue to Microsoft in November 2023, and Microsoft resolved it in February 2024. Guardio's write-up walks through the exploitation path, includes proof-of-concept (PoC) code, and discusses the wider implications. The incident is a reminder that user-experience conveniences layered into a browser carry security cost, and that coordinated disclosure is what keeps that cost contained.

The vulnerability did not lie in the open-source Chromium engine that Edge has used since it replaced EdgeHTML in January 2020, but in Microsoft-specific code layered on top of it. By analysing configuration files and customised code in Edge's resources, Guardio Labs identified a private API that is exposed only to Microsoft-affiliated websites. The API was designed to let those sites integrate marketing features seamlessly, and as a side effect it could install a browser extension silently, with no prompt and no user action.

An attacker did not need to be Microsoft to reach the API: any script executing in the context of an allowlisted origin could call it. That means a cross-site scripting (XSS) flaw on one of those sites, or a low-privileged extension whose content script runs inside such a site, was enough to trigger a silent install of a malicious extension. Microsoft fixed the issue quickly, but Guardio Labs stresses that private, vendor-specific APIs added on top of the Chromium code base need the same ongoing scrutiny and proactive vulnerability management as the upstream engine.
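The passage above describes a privileged API whose only gate was the calling page's origin. The following model, added here as an illustration and not code from Edge, Microsoft or Guardio Labs, shows why that gate is insufficient and what a hardened gate looks like. Every name in it (the origins, the theme IDs, the `weakInstall`/`hardenedInstall` functions and the `call` descriptor) is an assumption made for the example; it does not reproduce the real API or Guardio's PoC. The point it demonstrates is that an injected script on an allowlisted origin presents exactly the same origin as the site's own code, so the API must also restrict what it can act on and require a user gesture and consent.

```javascript
// Illustrative model of an origin-gated private install API, written for
// this page. Not Microsoft Edge code; all names and allowlists are assumed.

// Hypothetical first-party origins permitted to call the private API.
const ALLOWED_ORIGINS = new Set(["https://marketing.example-vendor.com"]);

// Hardened variant only: the fixed, vendor-defined set of theme extension
// IDs the marketing page is meant to install (assumed values).
const MARKETING_THEME_IDS = new Set(["theme-aaaa0001", "theme-aaaa0002"]);

// Minimal stand-in for browser state: what got installed, prompts shown.
function makeBrowser() {
  return { installed: [], promptsShown: 0 };
}

// Weak variant: the caller's origin is the only check. `call` describes the
// script context invoking the API: its origin, whether a user gesture
// triggered the call, and (for the consent model) the user's answer.
function weakInstall(browser, call, extensionId) {
  if (!ALLOWED_ORIGINS.has(call.origin)) {
    return { ok: false, reason: "origin not allowlisted" };
  }
  // No consent prompt and no restriction on which extension is installed.
  browser.installed.push(extensionId);
  return { ok: true, reason: "installed silently" };
}

// Hardened variant: the origin check stays, but is no longer the only gate.
function hardenedInstall(browser, call, extensionId) {
  if (!ALLOWED_ORIGINS.has(call.origin)) {
    return { ok: false, reason: "origin not allowlisted" };
  }
  // 1. Act only on a fixed set of resources, so even a compromised
  //    allowlisted page cannot choose an arbitrary, broadly permissioned
  //    extension.
  if (!MARKETING_THEME_IDS.has(extensionId)) {
    return { ok: false, reason: "extension id outside fixed marketing set" };
  }
  // 2. Require a user gesture so the call cannot fire from a payload that
  //    runs on page load without any interaction.
  if (!call.userGesture) {
    return { ok: false, reason: "no user gesture" };
  }
  // 3. Ask the user in browser-owned UI (modelled as a counter) and honour
  //    the answer; `call.userAccepts` stands in for the user's click.
  browser.promptsShown += 1;
  if (!call.userAccepts) {
    return { ok: false, reason: "user declined" };
  }
  browser.installed.push(extensionId);
  return { ok: true, reason: "installed with consent" };
}

// Constructed scenario: a script injected via XSS into the allowlisted
// origin. At the API boundary it is indistinguishable from the site's own
// script, because it reports the same origin.
const xssCall = {
  origin: "https://marketing.example-vendor.com",
  userGesture: false,
  userAccepts: false,
};

// Runs both variants against the same injected call and a legitimate one.
function runScenario() {
  const weak = makeBrowser();
  const hard = makeBrowser();
  const arbitrary = "malicious-ext-0001"; // assumed ID of a malicious extension
  const legitCall = { ...xssCall, userGesture: true, userAccepts: true };
  return {
    weakFromXss: weakInstall(weak, xssCall, arbitrary),
    weakInstalled: weak.installed,
    hardFromXss: hardenedInstall(hard, xssCall, arbitrary),
    hardThemeNoGesture: hardenedInstall(hard, xssCall, "theme-aaaa0001"),
    hardLegit: hardenedInstall(hard, legitCall, "theme-aaaa0001"),
    hardInstalled: hard.installed,
    hardPrompts: hard.promptsShown,
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The weak variant installs the arbitrary extension from the injected call because the origin matches; the hardened variant rejects it on the resource check before any gesture or prompt logic runs, and only installs a theme from the fixed set after a gesture and an explicit accept. The same structure applies to a low-privileged extension's content script, which also executes with the host page's origin.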
Zscaler ThreatLabz researchers have uncovered a surge in fraudulent websites hosted on popular web hosting and blogging platforms, part of an elaborate strategy to spread malware t...
The Federal Trade Commission (FTC) has announced that it will distribute $5.6 million in refunds to Ring users affected by privacy and security issues. The refunds come as part of ...
In the summer of 2023, the Lazarus Group, a threat actor linked to North Korea, employed its well-known fabricated job lures to deliver a new remote access trojan (RAT) named Kaoli...