# Tried Microsoft Defender Vulnerability Management's "Evaluate Browser Extensions"

March 17, 2023

The "Browser Extension Evaluation" feature of Microsoft Defender Vulnerability Management Premium is now available, so I tried it out.

## Browser Extensions Are a Management Blind Spot

When most people think of endpoint vulnerability management, they think of vulnerabilities in operating systems (Windows/macOS) or installed software (Zoom, Teams, ...), but browser extensions should not be treated carelessly either. Browser extensions provide a user experience that a website alone cannot, and they are indispensable now that so much work is done in the browser, but they also tend to be a security blind spot.

First, browser extensions are programs, so vulnerabilities cannot be ruled out. There have been many cases of vulnerabilities even in extensions created by major vendors with mature development processes [1]. Even if an extension was harmless when it was first installed, it may later be acquired by another party and updated with malicious features (e.g., information-stealing routines).

Furthermore, since browser extensions are rarely mentioned explicitly in international standards or authoritative documents (e.g., ISO 27001), countermeasures are often not taken. (Strictly speaking, they are too specific to appear at the granularity of such standards, and it is natural to regard them as covered by items such as software vulnerability management, so this is not an omission in the standards themselves.)

## Challenges with Current Management Methods

Of course, it is not as though nothing can be done about the threat posed by browser extensions: MDM and some managed-browser functions can restrict which extensions are used and produce reports on the extensions in use [2-5].
On the other hand, the current management methods have the following issues:

- Reporting and control in a managed browser (e.g., Chrome Enterprise) naturally cover only that one browser, and other browsers (Edge, Firefox) are left out. For various reasons there are cases of "I can't (or don't want to) use anything but Firefox," and those cases cannot be covered.
- While an allow list can be operated through MDM and similar tools, it is difficult to keep deciding, on an ongoing basis, what should be on the list in the first place.
- Even at the initial evaluation before an extension is first installed, there are fewer indicators for judging the risk an extension poses than there are for OS or software vulnerabilities, so the difficulty is high from the start.
- As mentioned above, even an extension that is harmless at installation time can later have a malicious update planted in it, so being able to perform "ongoing" evaluation easily is very important.
- Browser extensions certainly carry risk, but in some cases they improve operational efficiency considerably, so it is ideal to manage them flexibly rather than prohibit them uniformly. However, implementing such a system can require a large amount of administrative effort, and allow-list operation can reduce user convenience.
- Browser extensions are often outside the scope of existing vulnerability management tools. (Of course, I have not checked the support status of every tool out there.)

## Using MDE's "Browser Extension Evaluation"

With the above background, I personally thought it would be difficult to manage browsers in a way that satisfies user convenience, security, and operability (management efficiency) all at once. It was against this backdrop that Microsoft Defender Vulnerability Management Premium's "Assessment of Browser Extensions" appeared, a feature that assists in the risk assessment of browser extensions.
I will use it to verify how far the issues described so far can be improved.

## Prerequisite Knowledge

### About Microsoft Defender for Endpoint Vulnerability Management

Microsoft Defender for Endpoint has a feature (commonly known as TVM) that helps manage vulnerabilities in endpoints (OS, software, etc.) using information collected from the devices as input. This is not a simple list of vulnerabilities: it summarizes at a glance the number of critical and zero-day vulnerabilities and whether exploit code exists for each vulnerability. Because it is not realistic to eliminate every vulnerability in an organization, the vulnerabilities are prioritized to support decision making.

### About the Microsoft Defender Vulnerability Management Add-on

The Microsoft Defender Vulnerability Management add-on extends the functionality described above with capabilities such as evaluating digital certificates and security baselines. The ability to manage browser extensions is among its features.

### Note

- The license required to use the Browser Extension Evaluation is as follows:
  - If you already have Defender for Endpoint P2, you can get the Defender Vulnerability Management Add-on Trial.
  - If you do not have Defender for Endpoint P2, try the Defender Vulnerability Management Standalone Trial.
- The license used in my verification is Defender for Endpoint P2 + Defender Vulnerability Management Add-on Trial.
- The Browser Extensions evaluation can only be used on Windows devices. The supported browsers are Edge, Chrome, and Firefox.

### Preconfiguration

- Purchase the necessary licenses as described above (a trial is acceptable) [6].
- Onboard the devices to Microsoft Defender for Endpoint [7].

### Displaying Browser Extensions

First, let's look at the overall experience. From the left navigation bar of the Microsoft 365 Defender portal, select [Vulnerability management] > [Inventory] > [Browser extensions]. I was able to view the name of each extension, the browser, the number of devices it is installed on, and how many of those have it enabled.

Incidentally, if you select a device directly from Assets > Devices in the left navigation bar of the Microsoft 365 Defender portal and open the Browser extensions tab, a list of the extensions installed on that device is displayed. The device shown above is my personal test machine, so I have all sorts of tools installed on it.

You can also use Advanced hunting to retrieve the information by query. The following is a sample query that finds browser extensions whose Permission risk is Critical:

```kql
DeviceTvmBrowserExtensions
| where ExtensionRisk contains "Critical"
```

### Evaluating the Risk of Browser Extensions

Next, the most important part: assistance with the risk assessment of browser extensions. As far as risk is concerned, the browser extension list page has a column called Permission risk. Here Microsoft calculates its own weighted rating based on the range of permissions the extension requests.

To take a closer look, click on the extension in question and a pop-up window appears that lets you analyze what the extension requires permissions for. Browser extensions usually require several kinds of permissions to achieve their purpose, and the list of them is shown here. It is up to the user to check that list and decide whether the range of permissions is appropriate, i.e., whether it is acceptable to let users use the extension given its risk and reward.
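As an added example (not code from this post, and not Microsoft's own implementation), the following Python shows the two ideas the post circles around: a weighted rating computed from the permissions an extension's manifest.json declares, in the spirit of the portal's Permission risk column, and a diff between two inventory snapshots that reports new extensions, version changes and increases in risk tier, which is the kind of change notification the "change notifications" section later in the post says does not exist by default. The permission weights and tier thresholds are assumptions chosen for illustration, not Microsoft's weighting; the inventory records use column names modelled on the DeviceTvmBrowserExtensions Advanced hunting table (an assumption), and the manifest and both snapshots are constructed sample data.

```python
"""Added example, not code from the original post or from Microsoft.

score_permissions / risk_tier: toy weighted rating over a manifest's declared
permissions (weights and thresholds are assumptions for illustration).
diff_inventory: change notices between two inventory exports whose column
names are modelled on DeviceTvmBrowserExtensions (assumed; rows constructed).
"""
from __future__ import annotations

# Assumed weights: roughly how much reach a permission gives an extension.
PERMISSION_WEIGHTS = {
    "<all_urls>": 5,        # host access to every site
    "webRequest": 4,        # observe network requests
    "webRequestBlocking": 4,
    "cookies": 4,
    "clipboardRead": 3,
    "history": 3,
    "tabs": 2,
    "activeTab": 1,
    "storage": 1,
}
HOST_PATTERN_WEIGHT = 2     # any explicit host pattern other than <all_urls>
TIER_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def score_permissions(manifest: dict) -> int:
    """Sum the weights of everything the manifest declares. MV2 puts host
    patterns in 'permissions'; MV3 uses 'host_permissions', so read both."""
    declared = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared.update(manifest.get(key, []))
    score = 0
    for perm in declared:
        if perm in PERMISSION_WEIGHTS:
            score += PERMISSION_WEIGHTS[perm]
        elif "://" in perm:          # host match pattern, e.g. https://*.example.com/*
            score += HOST_PATTERN_WEIGHT
    return score


def risk_tier(score: int) -> str:
    """Map a score to the tier names the portal displays (thresholds assumed)."""
    if score >= 8:
        return "Critical"
    if score >= 5:
        return "High"
    if score >= 2:
        return "Medium"
    return "Low"


def _key(row: dict) -> tuple:
    # One extension per browser per device; the same ID can be on many devices.
    return (row["DeviceName"], row["BrowserName"], row["ExtensionId"])


def diff_inventory(old: list[dict], new: list[dict]) -> list[str]:
    """Return change notices between two inventory snapshots."""
    before = {_key(r): r for r in old}
    after = {_key(r): r for r in new}
    notices = []
    for k, row in after.items():
        label = f"{row['ExtensionName']} ({row['BrowserName']}) on {row['DeviceName']}"
        prev = before.get(k)
        if prev is None:
            notices.append(f"NEW {label}: v{row['ExtensionVersion']}, risk {row['ExtensionRisk']}")
            continue
        if row["ExtensionVersion"] != prev["ExtensionVersion"]:
            notices.append(f"VERSION {label}: {prev['ExtensionVersion']} -> {row['ExtensionVersion']}")
        if TIER_ORDER.get(row["ExtensionRisk"], 0) > TIER_ORDER.get(prev["ExtensionRisk"], 0):
            notices.append(f"RISK UP {label}: {prev['ExtensionRisk']} -> {row['ExtensionRisk']}")
    for k, row in before.items():
        if k not in after:
            notices.append(f"REMOVED {row['ExtensionName']} ({row['BrowserName']}) on {row['DeviceName']}")
    return notices


# Constructed sample data: one manifest and two inventory snapshots a day apart.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "permissions": ["tabs", "cookies", "storage"],
    "host_permissions": ["<all_urls>"],
}
SNAPSHOT_DAY1 = [
    {"DeviceName": "pc1", "BrowserName": "Edge", "ExtensionId": "aaaa", "ExtensionName": "Note Taker",
     "ExtensionVersion": "1.0.3", "ExtensionRisk": "Medium"},
    {"DeviceName": "pc1", "BrowserName": "Chrome", "ExtensionId": "bbbb", "ExtensionName": "Tab Sorter",
     "ExtensionVersion": "2.3.0", "ExtensionRisk": "Low"},
]
SNAPSHOT_DAY2 = [
    {"DeviceName": "pc1", "BrowserName": "Edge", "ExtensionId": "aaaa", "ExtensionName": "Note Taker",
     "ExtensionVersion": "1.1.0", "ExtensionRisk": "Critical"},   # update widened its permissions
    {"DeviceName": "pc1", "BrowserName": "Firefox", "ExtensionId": "cccc", "ExtensionName": "Price Watch",
     "ExtensionVersion": "0.1.0", "ExtensionRisk": "High"},
]

if __name__ == "__main__":
    s = score_permissions(SAMPLE_MANIFEST)
    print(f"manifest score {s} -> {risk_tier(s)}")
    for line in diff_inventory(SNAPSHOT_DAY1, SNAPSHOT_DAY2):
        print(line)
```

In practice the two snapshots would come from daily exports of the inventory (for example, the result of the Advanced hunting query above saved to a file), and the "RISK UP" and "VERSION" notices are the events worth reviewing against the permission list in the extension's pop-up window before deciding whether the update is still acceptable.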
Incidentally, Google has published a white paper on extension permissions, so I thought it would be a good idea to make that decision with reference to it.

You can also select the [Extension versions] tab in the extension's pop-up window to view information about the versions of the extension installed in your organization. A possible use case: a vulnerability is reported in a particular version of a browser extension in an article on the Internet, and you want to check whether that version is in use in your company.

## Good Points / Concerns

### It Makes Inventory and Evaluation a Little Easier

My impression is that inventory and management become easier because the extensions installed in Edge, Chrome, and Firefox can be checked side by side and their risk judged from their permissions. However, it is a little disappointing that platform support is limited to Windows; the scope should expand further once macOS is supported.

Also, the current risk indicator is Permission risk only, but by their nature some extensions will inevitably need a wide range of permissions. It would therefore be better if risk could be evaluated from multiple perspectives, such as known vulnerabilities (CVEs).

### The Microsoft 365 Defender Admin Screen Does Not Allow Blocking

If you find a browser extension that you do not want people to use, you may want to block it as a vulnerability response after identifying an alternative. That cannot be done in the Microsoft 365 Defender administration screen and requires a separate tool. It would be easier to manage this area if it could be done within Microsoft 365 Defender.

The means of blocking will vary with the organization's situation, but the following would be helpful if it were to be implemented:

- Use group policies to manage Microsoft Edge extensions
- Manage Microsoft Edge extensions in the enterprise
- Allow or block apps and extensions - Chrome Enterprise and Education Help

### There Is No Setting for Change Notifications by Default

It would be very convenient to operate if there were a function that notified administrators when, for example, an extension's permission scope changed, as a way to deal with the risk of malicious updates being planted, but there does not seem to be such a function at this time. I will definitely raise this with Microsoft.

#### Supplement

I also tried using Custom Detection Rules in Advanced hunting, but it was not supported because of the column structure. I am still testing whether the columns can be extended and whether the API can be used for detection.

## Conclusion

The feature has only just been released, and there are still many issues such as garbled characters and the other concerns above, so I do not think "any organization can use it right now," but my impression is that browser vulnerability management, which has been a problem for some time, has moved one step forward. I will continue to monitor updates and consider management methods that pursue user convenience, security, and operability (management efficiency) all at once.

### Reference

- Evaluation of Browser Extensions
- Premium capabilities in Microsoft Defender Vulnerability Management are now generally available
- EmPoWeb: Empowering Web Applications with Browser Extensions
- MITRE ATT&CK - Browser Extensions

### Notes

1. Clickjacking vulnerability in the "LastPass" extension for Chrome/Opera, fixed in the latest version
2. Chrome adds a means to better manage extensions
3. Display details of app and extension usage
4. Configure Chrome browser cloud management; enable Chrome browser reporting
5. Configure Chrome app and extension policies (Windows)
6. Trial user guide: Microsoft Defender Vulnerability Management
7. Onboarding to the Microsoft Defender for Endpoint service