Microsoft recently disclosed a significant security vulnerability in Microsoft Edge (Chromium-based), identified as CVE-2024-21399, that can lead to remote code execution. Published on February 1, 2024, the vulnerability carries a Moderate severity rating from Microsoft but still warrants user attention. The Common Vulnerability Scoring System (CVSS) scores it 8.3 (base) / 7.2 (temporal), indicating a high risk to confidentiality, integrity, and availability.
Notably, the attack vector requires user interaction, and exploitation is assessed as less likely, yet the risk is substantial. A successful attack could lead to a scope change, namely a browser sandbox escape. Despite the high CVSS score, Microsoft rates the severity lower because of the user interaction and preconditions required for exploitation. Microsoft advises users to remain cautious when interacting with websites, emails, or attachments.
The exploitability assessment notes that an attacker could host a specially crafted website and exploit the vulnerability when a victim browses to it with Microsoft Edge. Convincing a user to visit the site or open an attachment remains the key hurdle for an attacker. Because the attack complexity is high, successful exploitation also requires considerable preparation of the target environment, which further reduces the likelihood of exploitation in practice.