Microsoft Clarifies MSIX App Installer December Security Issue
Microsoft reiterated on Friday that a flaw in an application installer component used with its MSIX app packager has been abused by malware, and temporary measures should be followed until there's a fix.
The problem concerns the "ms-appinstaller protocol," which lets people install MSIX-packaged apps from a Web site by simply clicking a link at that Web site, "without needing to download the entire MSIX package." Microsoft had originally reported this problem as a "Windows AppX installer spoofing vulnerability" (CVE-2021-43890) as part of its Dec. 14 "update Tuesday" patch release.
Microsoft had described the CVE-2021-43890 vulnerability as having a "high complexity" to exploit, with a "specially crafted attachment" needed for exploits. The vulnerability, though, was being used to distribute "the malware family known as Emotet/Trickbot/Bazaloader," Microsoft indicated in its CVE-2021-43890 description, which was revised on Dec. 21.
In the Friday announcement, Microsoft explained that the security problem is associated only with the convenience of installing apps directly from a Web server, and that it has disabled the ms-appinstaller component that enables such actions for now:
This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer.
In the meantime, before Microsoft finds a way to address the security issue, organizations are being encouraged to update links on their Web sites so that end users will be compelled to download the whole MSIX package or App Installer file.
Here's how Microsoft expressed that notion:
If you utilize the ms-appinstaller protocol on your website, we recommend that you update the link to your application, removing 'ms-appinstaller:?source=' so that the MSIX package or App Installer file will be downloaded to user's machine.
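As an added illustration of that link change (not code from Microsoft or from this article), the Python sketch below strips the 'ms-appinstaller:?source=' prefix from href attributes in a page and lists any lines that still mention the protocol, such as script-built links, for manual review. The function names, the sample HTML and the example.com URLs are constructed for the example.

```python
import re

# href="ms-appinstaller:?source=<url>" in either quote style; the scheme is
# matched case-insensitively and the URL runs up to the matching close quote.
LINK_RE = re.compile(
    r"""(href\s*=\s*)(["'])\s*ms-appinstaller:\?source=((?:(?!\2).)+?)\s*\2""",
    re.IGNORECASE,
)

def rewrite_links(html):
    """Return (new_html, urls): protocol links turned into direct downloads."""
    urls = []

    def _direct(match):
        prefix, quote, url = match.group(1), match.group(2), match.group(3)
        urls.append(url)
        return f"{prefix}{quote}{url}{quote}"  # keep the original quoting

    return LINK_RE.sub(_direct, html), urls

def find_remaining(html):
    """Line numbers that still reference the protocol (e.g. built in script)."""
    return [n for n, line in enumerate(html.splitlines(), 1)
            if "ms-appinstaller:" in line.lower()]

# Constructed sample page: two protocol links, one ordinary link, and one
# script-built link that a plain href rewrite cannot fix.
SAMPLE = "\n".join([
    '<a href="ms-appinstaller:?source=https://downloads.example.com/Contoso.msix">Install</a>',
    "<a href='MS-AppInstaller:?source=https://downloads.example.com/Contoso.appinstaller'>Install</a>",
    '<a href="https://downloads.example.com/readme.html">Docs</a>',
    '<script>location.href = "ms-appinstaller:?source=" + pkgUrl;</script>',
])

if __name__ == "__main__":
    fixed, changed = rewrite_links(SAMPLE)
    print(fixed)
    print("rewritten:", changed)
    print("manual review needed on lines:", find_remaining(fixed))
```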
Microsoft added that it is currently working on reenabling the convenience of downloading apps from a Web site in a secure way by addressing the ms-appinstaller vulnerability. It also is "looking into introducing a Group Policy that would allow IT administrators to re-enable the protocol and control usage of it within their organizations."
The issue is also explained in this Microsoft document for Windows 10 users attempting to download apps from Web sites.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.