Security update for the browser automation component in Microsoft Power Automate for desktop

Summary

A potential security vulnerability has been identified in the browser automation component in Power Automate for desktop versions 2.51 and earlier.

The Launch automation browser option in the Launch new Internet Explorer action might navigate to a potentially malicious URL or compromised website, thus allowing an attacker to execute arbitrary code on the affected system. Microsoft has issued a CVE for this issue.

Important

The issue affects only flows that use the Launch automation browser option in the Launch new Internet Explorer action.

Flows that use the Launch automation browser option for public or untrusted websites are most vulnerable to this issue.

Mitigation

To mitigate the issue, update your Power Automate for desktop to the following patched versions as soon as possible.

Note

Starting with release 2.52, all future versions will include the security fix.

Impact of the patch

In the updated versions, when browser automation attempts to navigate to a potentially malicious URL, it will display a warning dialog with relevant details. The user can choose to continue or stop the navigation.

If this dialog disrupts a flow and the navigation is considered legitimate, you can suppress the dialog for specific categories of URLs by adding their protocols to the allowlist in the UI Automation configuration file. The key to add is AutomationBrowser.ProtocolAllowList, and its value is the comma-separated list of protocols that you want to allow. For example:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <appSettings>
        <!-- Other configurations -->

        <add key="AutomationBrowser.ProtocolAllowList" value="http,https" />
    </appSettings>
</configuration>

With this configuration, if navigating to a URL causes the dialog to appear and the URL uses the http or https protocol, the dialog will be suppressed.
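To check what a given allowlist would and would not suppress, the following added example (not Microsoft's code and not the product's own implementation) parses an appSettings-style configuration containing the key above and reports, for a list of URLs, which ones would have the warning dialog suppressed under the behaviour described. The configuration text, the URLs and the scheme-only, case-insensitive matching rule are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample configuration mirroring the snippet above; the file's
# name and location are not given on the page, so the text is embedded here.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <appSettings>
        <!-- Other configurations -->
        <add key="AutomationBrowser.ProtocolAllowList" value="http, HTTPS" />
    </appSettings>
</configuration>
"""

ALLOWLIST_KEY = "AutomationBrowser.ProtocolAllowList"


def read_protocol_allowlist(config_xml: str) -> set[str]:
    """Return the allowlisted protocols from an appSettings-style config.

    The value is split on commas, trimmed and lower-cased. A missing key
    yields an empty set: nothing is allowlisted, so every warning is shown.
    """
    root = ET.fromstring(config_xml.encode("utf-8"))
    for add in root.iter("add"):
        if add.get("key") == ALLOWLIST_KEY:
            raw = add.get("value", "")
            return {p.strip().lower() for p in raw.split(",") if p.strip()}
    return set()


def warning_suppressed(url: str, allowlist: set[str]) -> bool:
    """Model of the patched behaviour (assumption: only the URL scheme is
    compared, case-insensitively). True means the dialog would be suppressed
    because the protocol is allowlisted; False means it would still appear."""
    scheme = urlparse(url).scheme.lower()
    return bool(scheme) and scheme in allowlist


def audit(urls: list[str], config_xml: str = SAMPLE_CONFIG) -> dict[str, bool]:
    """Map each URL to whether its warning would be suppressed under config_xml."""
    allowlist = read_protocol_allowlist(config_xml)
    return {u: warning_suppressed(u, allowlist) for u in urls}


if __name__ == "__main__":
    # Constructed URLs: only the http/https ones fall under the sample allowlist.
    for url, ok in audit(["https://intranet.example/app", "HTTP://intranet.example/old",
                          "file:///C:/share/report.html", "ftp://files.example/"]).items():
        print(f"{'suppressed' if ok else 'warns     '}  {url}")
```

Anything whose scheme is not on the list, such as file: or ftp: URLs in the sample, still triggers the dialog, so keep the allowlist to the protocols your flows actually need.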