Full Report
Chromium, the underlying browser engine that powers Edge, is highly customizable. For instance, there is a file called _api_features.json that stores permissions for vendor-specific APIs. Additionally, resources.pak contains resources for the vendor-specific APIs as well. By comparing these files with those of standard Chrome, they found various custom-added APIs. While browsing through these, they found the edgeMarketingPagePrivate API. According to the permission model, this API was only accessible from a list of websites belonging to Microsoft. It was designed to integrate marketing campaigns. How did it do this? It adds a custom hidden theme, which is similar to an extension. However, they found that, by chance, it also accepted extensions! To add the theme or extension, the private API had to be called with a specific ID. Since the extension is hidden and pre-permissioned, there is no explicit check with the user that this change is okay.

To exploit this, the authors give a few hypotheticals. First, an XSS on any of these domains would lead to the installation of an arbitrary extension that was very, very highly permissioned. The other method was that another extension could add the JS snippet to one of the domains to trigger the update. This would go from a low-privilege to a high-privilege extension, just with a little JavaScript. To fix the issue, extension IDs are rejected and only themes are allowed to be provided.

To me, this feels like the underlying Chrome API used to add this extension shares functionality between themes and extensions, but that is just an assumption. The authors mention that a simple domain-based restriction on sensitive functionality is not enough to restrict bad things from happening, which I tend to agree with. Good find!
Analysis Summary
# Vulnerability: Microsoft Edge Private Marketing API Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2024-21388
- **CVSS Score:** 6.5 (Moderate)
- **CWE:** CWE-269 (Improper Privilege Management) / Elevation of Privilege
## Affected Systems
- **Products:** Microsoft Edge (Chromium-based)
- **Versions:** All versions prior to the February 2024 security update.
- **Configurations:** Systems where the browser accesses specific Microsoft-owned domains (e.g., `bing.com`, `microsoft.com`) which are granted access to private internal APIs.
## Vulnerability Description
Microsoft Edge implements a custom private API called `edgeMarketingPagePrivate`, defined via Chromium's `_api_features.json` and `resources.pak` infrastructure. This API was designed to allow specific Microsoft marketing websites to programmatically install hidden "themes" to enhance user experience during campaigns.
The flaw exists because the underlying implementation failed to validate the type of resource being installed. While intended only for themes, the API accepted Extension IDs from the Edge Add-ons Store. Because the API was designed for seamless marketing integration, it bypassed the standard user confirmation prompts required for extension installation.
## Exploitation
- **Status:** PoC available; disclosed by Guardio Labs and patched.
- **Complexity:** Low to Medium (Requires the ability to execute JavaScript in the context of a privileged Microsoft domain).
- **Attack Vector:** Network (Web-based via XSS or a low-privileged malicious extension).
## Impact
- **Confidentiality:** High (Malicious extensions can access all user data, history, and cookies).
- **Integrity:** High (Extensions can modify web content and browser behavior).
- **Availability:** Low (Standard browser functionality remains, though control is compromised).
## Remediation
### Patches
- **Microsoft Edge Update:** This vulnerability was resolved in the **February 2024** stable channel release. Users should ensure they are running the latest version of Edge (check `edge://settings/help`).
### Workarounds
- No practical manual workaround exists other than updating the browser software.
## Detection
- **Indicators of Compromise:** Presence of unexpected or unauthorized extensions in `edge://extensions` that the user does not recall installing.
- **Detection Methods:** Security teams can monitor for unauthorized JavaScript execution on sensitive Microsoft domains or audit installed extension IDs against known-good baselines within enterprise environments.
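One way to implement the baseline audit described above, as an added example that is not part of the original report or of Microsoft's tooling: a Python script that walks the `extensions.settings` map of a constructed, simplified preferences excerpt (the key layout is an assumption modelled on Chromium's Preferences JSON, not a documented Microsoft format), reports every extension ID that is not on an enterprise allowlist, and separates harmless themes from permissioned extensions.

```python
import json
from typing import Dict, List, Set

# Constructed sample: a simplified excerpt in the shape of a Chromium
# Preferences file. The real file is much larger; this layout is an
# assumption for illustration only. IDs are 32 chars from a-p like real ones.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "a" * 32: {"manifest": {"name": "Corp Password Manager",
                            "permissions": ["storage", "tabs"]}},
    "b" * 32: {"manifest": {"name": "Spring Theme", "theme": {"colors": {}}}},
    "c" * 32: {"manifest": {"name": "Helper",
                            "permissions": ["<all_urls>", "cookies",
                                            "history", "webRequest"]}},
}}})

# Enterprise baseline of known-good extension IDs (constructed).
ALLOWLIST: Set[str] = {"a" * 32}

# Permissions that give an unknown extension the kind of access the Impact
# section describes (all user data, history, cookies).
HIGH_RISK = {"<all_urls>", "cookies", "history", "webRequest", "tabs", "debugger"}


def audit_extensions(prefs_json: str, allowlist: Set[str]) -> List[Dict]:
    """Return one finding per installed item not in the baseline.

    A theme (manifest with a top-level "theme" key and no permissions) is
    reported at low severity; any other unknown extension is medium, and
    high when it requests a high-risk permission.
    """
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        if ext_id in allowlist:
            continue
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        if "theme" in manifest and not perms:
            severity = "low"
        elif perms & HIGH_RISK:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                         "severity": severity,
                         "risky_permissions": sorted(perms & HIGH_RISK)})
    return findings


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFS, ALLOWLIST):
        print(finding)
```

Point the script at an export of the real preferences file from managed endpoints and feed in the organisation's own allowlist; the theme/extension split mirrors the distinction the vulnerable API failed to enforce.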
## References
- **Vendor Advisory:** [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21388](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21388)
- **Technical Analysis:** [https://guard.io/labs/cve-2024-21388-microsoft-edges-marketing-api-exploited-for-covert-extension-installation](https://guard.io/labs/cve-2024-21388-microsoft-edges-marketing-api-exploited-for-covert-extension-installation)