Microsoft has formally announced today that it has disabled the MSIX app-installer protocol in order to prevent malicious attacks. This protocol allowed a user to install various applications directly from a web server skipping the need to download them first to local storage. The idea was that this method would save space for users since the entire MSIX package did not need to be downloaded.
However, it was noticed that such Windows App Installer packages were being used to distribute malicious PDFs like those from Emotet and BazarLoader malware. Hence the protocol was disabled last year with the formal announcement coming today. This Windows AppX Installer spoofing vulnerability was assigned the ID CVE-2021-43890.
The announcement post says:
We were recently notified that the ms-appinstaller protocol for MSIX can be used in a malicious way. Specifically, an attacker could spoof App Installer to install a package that the user did not intend to install.
[..] For now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer. This may increase the download size for some packages.
Here's how you can disable the protocol on your website:
If you utilize the ms-appinstaller protocol on your website, we recommend that you update the link to your application, removing 'ms-appinstaller:?source=' so that the MSIX package or App Installer file will be downloaded to user's machine.
Microsoft has also said that it is working on ways to re-enable the protocol in a secure way sometime in the future, like adding certain group policies. But for now, the aforementioned workaround is a temporary solution to prevent malicious attacks. The company noted that:
We are taking the time to conduct thorough testing to ensure that re-enabling the protocol can be done in a secure manner. We are looking into introducing a Group Policy that would allow IT administrators to re-enable the protocol and control usage of it within their organizations.
You may find more details in the official announcement post.
8 Comments - Add comment