Microsoft disables MSIX protocol handler exploited in Emotet attack


Microsoft announced that it is disabling the MSIX ms-appinstaller protocol handler, which was used in an attack to install a malicious app directly from a website by exploiting a Windows AppX Installer spoofing vulnerability.

Disabling the MSIX ms-appinstaller protocol handler
Explore the reason for this change and recommended actions for those utilizing this protocol.

We have been notified that the MSIX ms-appinstaller protocol may be used in a malicious manner. Specifically, it is possible for an attacker to impersonate the App Installer and install packages that the user did not intend to install. This spoofing vulnerability is being tracked by the Microsoft Security Response Center (MSRC), and details of the current status can be found in CVE-2021-43890.

This decision follows the security update Microsoft released on Patch Tuesday in December 2021, which addresses this vulnerability (tracked as CVE-2021-43890). Disabling the ms-appinstaller scheme itself takes effect without deploying a patch.

Disabling the protocol outright appears intended to protect all Windows users, including those who have not yet installed the December security update or applied the workaround.

We are currently actively working on addressing this vulnerability. For now, we are disabling the ms-appinstaller scheme (protocol). This means that the App Installer will not be able to install apps directly from the web server. Instead, users must first download the app to their device and then install the package with the App Installer.

We know that this feature is important to many companies, and we have taken the time to do thorough testing to make sure that the protocol can be re-enabled in a secure manner.

We are considering implementing a group policy that would allow IT administrators to re-enable the protocol and control its use within the organization.

Threat actors exploit ms-appinstaller to deliver malware

Emotet began spreading and infecting Windows 10 and Windows 11 systems in early December using a malicious Windows AppX installer package disguised as Adobe PDF software.

Emotet’s phishing emails use stolen reply-chain emails to instruct the victim to open a PDF supposedly related to a previous conversation.

When the recipient clicks the link embedded in the email, instead of opening a PDF they are redirected to a page that launches the Windows App Installer program and asks them to install an “Adobe PDF Component”.

The App Installer prompt looks like a legitimate Adobe app, but when the user clicks the “Install” button, it downloads and installs a malicious appxbundle hosted on Microsoft Azure.

The same AppX Installer spoofing vulnerability was also used to distribute the BazarLoader malware via a malicious package hosted on Microsoft Azure under a *.web.core.windows.net URL.
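The chain above (phishing link, a page that launches App Installer through the ms-appinstaller protocol handler, a package bundle served from Azure static-website hosting) leaves a recognisable trace in proxy and e-mail URL logs. The following is an added example written for this article, not code from the article or from Microsoft: it parses the App Installer link form `ms-appinstaller:?source=<package URL>` (taken from Microsoft's App Installer documentation, not from this page), extracts the package each link would hand to App Installer, and reports why a defender would want to look at it. The log lines, user names and hostnames are constructed; only the `*.web.core.windows.net` suffix comes from the article.

```python
"""Added example: flag ms-appinstaller: links in URL logs.

Illustrative code written for this article, not code from the article or
from Microsoft. It assumes the App Installer link form
ms-appinstaller:?source=<package URL> (from the App Installer docs) and
runs over constructed log lines, so it works offline.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy/e-mail URL log: "<timestamp> <user> <url>" per line.
# Hosts and package names are invented; only the hosting suffix is from the article.
SAMPLE_LOG = """\
2021-12-02T10:14:03Z alice https://docs.example.invalid/quarterly-report.pdf
2021-12-02T10:15:41Z alice ms-appinstaller:?source=https://pkgs-example.web.core.windows.net/AdobePDFComponent.appxbundle
2021-12-02T11:02:09Z bob https://www.example.invalid/landing
2021-12-02T11:02:10Z bob ms-appinstaller:?source=https://cdn.example.invalid/tool.msixbundle
2021-12-02T12:30:00Z carol https://downloads.example.invalid/update.appxbundle
"""

# Azure static-website hosting suffix named in the article.
AZURE_STATIC_WEB_SUFFIX = ".web.core.windows.net"
BUNDLE_EXTENSIONS = (".appxbundle", ".msixbundle")


def parse_appinstaller_link(link: str):
    """Return the package URL an ms-appinstaller: link would hand to App
    Installer, or None when the link uses any other scheme."""
    parts = urlsplit(link.strip())
    if parts.scheme.lower() != "ms-appinstaller":
        return None
    source = parse_qs(parts.query).get("source")
    return source[0] if source else None


def assess_package_url(package_url: str) -> list:
    """Reasons a defender would want to look at this App Installer source."""
    target = urlsplit(package_url)
    host = (target.hostname or "").lower()
    reasons = ["ms-appinstaller: link installs a remote package straight from the web"]
    if host.endswith(AZURE_STATIC_WEB_SUFFIX):
        reasons.append("package hosted on an Azure static-website endpoint (*.web.core.windows.net)")
    if target.path.lower().endswith(BUNDLE_EXTENSIONS):
        reasons.append("bundle package, the form used in the Emotet lure")
    return reasons


def scan_log(log_text: str) -> list:
    """Return one finding per log line that invokes the protocol handler."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue
        timestamp, user, url = fields
        package_url = parse_appinstaller_link(url)
        if package_url is None:
            continue  # plain browsing, or a download the user must open by hand
        findings.append({
            "time": timestamp,
            "user": user,
            "package_url": package_url,
            "host": (urlsplit(package_url).hostname or "").lower(),
            "reasons": assess_package_url(package_url),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['user']} -> {finding['package_url']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On the sample log this flags alice's and bob's `ms-appinstaller:` links and leaves carol's plain `.appxbundle` download alone, which matches the flow Microsoft's change forces: a package that is downloaded first and then opened by hand never goes through the protocol handler. The host-suffix and bundle-extension checks are triage hints for ranking findings, not a blocklist; legitimate packages are hosted on Azure too.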
