Microsoft Edge's CVE-2024–21388 vulnerability is a privacy threat, lets attackers remotely install extensions

Updating to the latest version of Edge will fix it

Reading time icon 2 min. read


Readers help support Windows Report. When you make a purchase using links on our site, we may earn an affiliate commission. Tooltip Icon

Read the affiliate disclosure page to find out how can you help Windows Report effortlessly and without spending any money. Read more

microsoft edge CVE-2024–21388 vulnerability

We often hear about vulnerabilities in a browser, and most of them don’t concern us. But CVE-2024–21388 in Microsoft Edge is alarming!

It allows attackers to exploit a marketing API in Edge, which then lets them discreetly install extensions on your browser without explicit permission or knowledge.

What is CVE-2024–21388 in Microsoft Edge?

As per Guardio’s official blog, the edgeMarketingPagePrivate API was responsible for the CVE-2024–21388 vulnerability.

"edgeMarketingPagePrivate": {
    "channel": "stable",
    "contexts": [
      "blessed_web_page",
      "web_page",
      "webui",
      "serviceui"
    ],
    "matches": [
      "https://microsoftedgewelcome.microsoft.com/*",
      "https://www.microsoft.com/*",
      "https://microsoftedgetips.microsoft.com/*",
      "https://www.bing.com/*",
      "edge://surf/*",
      "https://localhost.msn.com/*",
      "https://ntp.msn.com/*",
      "https://ntp.msn.cn/*"
    ]
  },

The edgeMarketingPagePrivate API basically allowed the installation of themes from the native Add-ons Store by simply inputting the themeId. So, ideally, the API permitted theme installation, which, in itself, is a small extension.

When the team at Guardio changed this themeId to extensionId, the API facilitated the extension’s installation. While this is surprising, there was some relief in the fact that the API could only be triggered by selected secure websites.

Image Source: Guardio

But this, too, could be bypassed by using XSS, a scripting vulnerability, or an extension with minimal privileges. Subsequently, threat actors could install any extension on your PC without your knowledge or explicit approval.

Vulnerability reported to Microsoft and patched

Guardio reported the vulnerability to Microsoft on Nov 10, 2023, and a fix was released on Jan 26, 2024, in the form of an Edge Security Update.

To update Microsoft Edge, launch the browser > click on the ellipsis near the top right > go to Help & feedback > select About Microsoft Edge > and wait for the latest version to download.

Updating Microsoft Edge

The critical CVE-2024–21388 vulnerability in Microsoft Edge highlights how developers prioritize feature sets and enhanced functionality over the browser’s security, at least until the issue is reported. Although this one was quickly identified and reported, that’s not always the case!

These aspects are all the more important for Edge, a browser still far behind Google Chrome in terms of popularity. But certain new features, like controlling RAM usage, gaming customizations, uploading files from mobile, and AI integration are working in favour of Edge.

What’s your review of Microsoft Edge? Share with our readers in the comments section.

More about the topics: malware, microsoft edge