Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions

Mar 27, 2024 | Newsroom | Vulnerability / API Security

A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users’ systems and carry out malicious actions.

“This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user’s knowledge,” Guardio Labs security researcher Oleg Zaytsev said in a new report shared with The Hacker News.

Tracked as CVE-2024-21388 (CVSS score: 6.5), it was addressed by Microsoft in Edge stable version 121.0.2277.83 released on January 25, 2024, following responsible disclosure in November 2023. The Windows maker credited both Zaytsev and Jun Kokatsu for reporting the issue.

“An attacker who successfully exploited this vulnerability could gain the privileges needed to install an extension,” Microsoft said in an advisory for the flaw, adding it “could lead to a browser sandbox escape.”

Describing it as a privilege escalation flaw, the tech giant also emphasized that a successful exploitation of the bug requires an attacker to “take additional actions prior to exploitation to prepare the target environment.”

According to Guardio’s findings, CVE-2024-21388 allows a bad actor with the ability to run JavaScript on bing[.]com or microsoft[.]com pages to install any extension from the Edge Add-ons store without requiring the user’s consent or interaction.

This is made possible by the fact that the browser comes with privileged access to certain private APIs that make it possible to install an add-on as long as it’s from the vendor’s own extension marketplace.

One such API in the Chromium-based Edge browser is edgeMarketingPagePrivate, which is accessible from a set of allowlisted websites that belong to Microsoft, including bing[.]com, microsoft[.]com, microsoftedgewelcome.microsoft[.]com, and microsoftedgetips.microsoft[.]com, among others.

The API also packs in a method called installTheme() that, as the name implies, is designed to install a theme from the Edge Add-ons store by passing a unique theme identifier (“themeId”) and its manifest file as input.

The bug identified by Guardio is essentially a case of insufficient validation, thereby enabling an attacker to provide any extension identifier from the storefront (as opposed to the themeId) and get it stealthily installed.
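
The validation gap described above, modelled as an added JavaScript example (not Edge's code and not from Guardio's report; the catalogue, origin and function names are hypothetical). The weak handler accepts any store identifier through the theme path, while the hardened one resolves the identifier against the store's own record and refuses anything that is not a permission-free theme.

```javascript
// Toy model of a privileged "install theme" entry point. Hypothetical names
// throughout; this is not Edge's implementation.

// Constructed store catalogue: one theme, one extension with broad permissions.
const STORE = new Map([
  ["theme-0001", { type: "theme", permissions: [] }],
  ["ext-0002", { type: "extension", permissions: ["<all_urls>", "tabs"] }],
]);

// Constructed allowlist of origins permitted to call the private API.
const ALLOWED_ORIGINS = new Set(["https://allowlisted.example"]);

// Weak: checks the caller and that the id exists, but never checks the item
// kind, so any store id is installed silently through the theme path.
function installThemeWeak(origin, id, callerManifest) {
  if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: "origin" };
  if (!STORE.has(id)) return { ok: false, reason: "unknown-id" };
  return { ok: true, installed: id, userPrompted: false };
}

// Hardened: the trust decision uses the store's own record, not caller input.
function installThemeHardened(origin, id, callerManifest) {
  if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: "origin" };
  const item = STORE.get(id);
  if (!item) return { ok: false, reason: "unknown-id" };
  // callerManifest is deliberately ignored: a caller can claim anything.
  if (item.type !== "theme") return { ok: false, reason: "not-a-theme" };
  if (item.permissions.length > 0) return { ok: false, reason: "requests-permissions" };
  return { ok: true, installed: id, userPrompted: false };
}

function demo() {
  const origin = "https://allowlisted.example";
  const claimed = { theme: {} }; // caller-supplied manifest claiming to be a theme
  return {
    weakExt: installThemeWeak(origin, "ext-0002", claimed),
    hardExt: installThemeHardened(origin, "ext-0002", claimed),
    hardTheme: installThemeHardened(origin, "theme-0001", claimed),
    hardOrigin: installThemeHardened("https://other.example", "theme-0001", claimed),
  };
}

console.log(demo());
```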

“As an added bonus, as this extension installation is not done quite in the manner it was originally designed for, there will be no need for any interaction or consent from the user,” Zaytsev explained.

In a hypothetical attack scenario leveraging CVE-2024-21388, a threat actor could publish a seemingly harmless extension to the add-ons store and use it to inject a piece of malicious JavaScript code into bing[.]com – or any of the sites that are allowed to access the API – and install an arbitrary extension of their choice by invoking the API using the extension identifier.

Put differently, executing the specially crafted extension on the Edge browser and going to bing[.]com will automatically install the targeted extension without the victim’s permission.

Guardio told The Hacker News that while there is no evidence of this bug being exploited in the wild, it highlights the need for balancing user convenience and security, and how browser customizations can inadvertently defeat security mechanisms and introduce several new attack vectors.

“It’s relatively easy for attackers to trick users into installing an extension that appears harmless, not realizing it serves as the initial step in a more complex attack,” Zaytsev said. “This vulnerability could be exploited to facilitate the installation of additional extensions, potentially for monetary gain.”

SASE Solutions Fall Short Without Enterprise Browser Extensions, New Report Reveals

Mar 27, 2024 | The Hacker News | Data Protection / Browser Security

As SaaS applications dominate the business landscape, organizations need optimized network speed and robust security measures. Many of them have been turning to SASE, a product category that offers cloud-based network protection while enhancing network infrastructure performance.

However, a new report, “Better Together: SASE and Enterprise Browser Extension for the SaaS-First Enterprise,” challenges SASE’s ability to deliver comprehensive security against web-borne cyber threats on its own. From phishing attacks to malicious extensions and account takeovers, traditional network traffic analysis and security fall short. The report sheds light on these limitations and introduces the role of secure browser extensions as an essential component in a comprehensive security strategy.

SASE Advantages and Limitations

SASE takes on a dual role in addressing both infrastructure and security. However, while SASE offers clear advantages in security, it may not entirely cover the expanse of the web-borne threat landscape. SWG, CASB, and NGFW are not a silver bullet to all the security needs of the SaaS-first organization, even when they are packaged as SASE.

The modern threat landscape is shaped by the centrality of the browser as a main working space. These new threats leverage the browser as a bridge between the device and organizational resources and aim to gain malicious access to the organization through phishing, malicious extensions, and account takeover, to name a few. While SASE is designed to protect the perimeter from threats that attempt to enter it, this new threat landscape relies on traffic from the browser to a SaaS app or website, which SASE does not entirely cover.

Bridging the Gap with Secure Browser Extensions

Secure browser extensions complement SASE’s network security measures. Through deep session analysis and proactive threat prevention, these extensions provide granular visibility and real-time protection against sophisticated web-borne threats, effectively addressing the gaps left by SASE.

SASE vs. Secure Browser Extensions: 3 Use Cases

How do the differences between SASE and secure browser extensions play out when it comes to actual threats? The report provides three use cases.

1. Phishing

  • SASE limitations: SASE’s NGFW or SWG lacks visibility into the actual session, leaving it to rely on known malicious addresses or emulate the session in a virtual environment. As a result, SASE misses ~60% of malicious web pages. It also is unable to detect pages that disable their phishing activity when executed in a virtual environment.
  • The solution: A secure browser extension provides granular visibility into the live session, enabling the tracking of malicious components in the phishing web page and disabling them in real time.

2. Malicious Extensions

  • SASE limitations: SASE’s NGFW or SWG lacks the ability to detect and block outbound traffic generated by any malicious extensions.
  • The solution: The secure browser extension provides visibility into the browser and detects and disables all extensions that introduce a data exfiltration risk.

3. Account Takeover

  • SASE limitations: SASE’s CASB lacks visibility into complex, modern web apps and depends on the app’s API, limiting protection to sanctioned apps.
  • The solution: The secure browser extension integrates with the organizational identity provider and acts as an additional authentication factor. Access is possible only from a browser that has the extension.

As SaaS app usage becomes dominant, the role of the browser becomes more important, and the threat landscape it encounters will grow. Can organizations ignore the risks that derive from the modern browser? According to LayerX, network security is insufficient on its own, and they call for complementary measures that can address SASE’s gaps.

To read more about how to gain real-time protection against this evolving risk with a secure browser extension, read the entire report.

This article is a contributed piece from one of our valued partners.