Microsoft Clarifies MSIX App Installer December Security Issue -- Redmondmag.com

Microsoft Clarifies MSIX App Installer December Security Issue

By Kurt Mackie
02/08/2022

Microsoft reiterated on Friday that a flaw in an application installer component used with its MSIX app packager has been abused by malware, and temporary measures should be followed until there's a fix.

The problem concerns the "ms-appinstaller protocol," which lets people install MSIX-packaged apps from a Web site by simply clicking a link at that Web site, "without needing to download the entire MSIX package." Microsoft had originally reported this problem as a "Windows AppX installer spoofing vulnerability" (CVE-2021-43890) as part of its Dec. 14 "update Tuesday" patch release.

Microsoft had described the CVE-2021-43890 vulnerability as having a "high complexity" to be carried out. A "specially crafted attachment" was needed for exploits. The vulnerability, though, was being used to distribute "the malware family known as Emotet/Trickbot/Bazaloader," Microsoft indicated in its CVE-2021-43890 description, which was revised on Dec. 21.

In the Friday announcement, Microsoft explained that the security problem is just associated with the convenience of installing of apps from a Web server, and that it has disabled the ms-appinstaller component that enables such actions for now:

This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer.

In the meantime, before Microsoft finds a way to address the security issue, organizations are being encouraged to update links on their Web sites so that end users will be compelled to download the whole MSIX package or App Installer file.

Here's how Microsoft expressed that notion:

If you utilize the ms-appinstaller protocol on your website, we recommend that you update the link to your application, removing 'ms-appinstaller:?source=' so that the MSIX package or App Installer file will be downloaded to user's machine.

Microsoft added that it is currently working on reenabling the convenience of downloading apps from a Web site in a secure way by addressing the ms-appinstaller vulnerability. It also is "looking into introducing a Group Policy that would allow IT administrators to re-enable the protocol and control usage of it within their organizations."

The issue is also explained in this Microsoft document for Windows 10 users attempting to download apps from Web sites.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.
PowerShell Script Used in Phishing Attack May Be AI-Generated

A PowerShell script being used in a novel malware campaign may have been created by AI, according to security researchers at Proofpoint.
Using Microsoft Office to Build a Network Diagram, Part 1

Keeping documentation is a great way to ease your future hardware refresh and have what you need for insurance purposes.
Microsoft Claims Breakthrough in Quantum Computing Reliability

A new paper details Microsoft's recent progress in quantum computing -- specifically, its development of a system that is both significantly less prone to errors and better at correcting them.