PT-2021-23974 · Unknown · Msedgeredirect

Apple502J · Published 2021-12-20 · Updated 2022-01-04 · CVE-2021-43844

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: MSEdgeRedirect versions prior to 0.5.0.1
Description: MSEdgeRedirect is a tool to redirect news, search, widgets, weather, and more to a user's default browser. The issue requires user interaction and the acceptance of a prompt. There are two possible scenarios in which an attacker can cause more than a minor annoyance. In the first scenario, a user visits an attacker-controlled webpage, downloads an executable payload, and accepts a crafted URL prompt, which can execute the previously downloaded payload if the download path is successfully guessed. In the second scenario, a user visits an attacker-controlled webpage and accepts a crafted URL prompt, and a payload on a remote, attacker-controlled SMB server is executed. The issue was found in the DecodeAndRun() function. There is no currently known exploitation of this issue in the wild.
Recommendations: For MSEdgeRedirect versions prior to 0.5.0.1, update to version 0.5.0.1, which checks for and denies the crafted URLs. Users are advised not to accept any unexpected prompts from web pages. As a temporary workaround, consider avoiding the use of MSEdgeRedirect until the update is applied.

Related Identifiers

CVE-2021-43844
GHSA-95V4-748V-FMF9

Affected Products

Msedgeredirect