Microsoft disabled the protocol that allows Windows apps to be installed after discovering that bad actors were abusing this mechanism to install malware.
The move, which comes just before Christmas, appears to be a repeat of an issue originally reported in December 2021, when a fix was released to address a vulnerability in Windows AppX Installer (CVE-2021-43890) that allowed attackers to spoof App Installer and install malicious software.
Microsoft re-enabled the protocol, known as the ms-appinstaller URI scheme, on August 5, 2022, with the release of Windows 11 Insider Preview Build 25147. This made the protocol available to some enterprise customers who choose to enable it through the local Group Policy editor.
The ms-appinstaller URI scheme allows MSIX package installers to install Windows apps from web pages using the local App Installer application. This allows an app to be installed without requiring local storage. According to Microsoft, this has proven to be a popular feature.
Unfortunately, as the Microsoft Threat Intelligence Group noted last week, bad actors are exploiting the ms-appinstaller URI scheme to distribute malware. This protocol appears to have provided a way to bypass Microsoft’s security checks.
“Threat actors may have chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to protect users from malware, such as Microsoft Defender SmartScreen and browsers’ built-in warnings for downloading executable file formats,” Redmond explained.
Microsoft relied on requiring developers to sign app packages with “third-party paid certificates from trusted certificate authorities,” but it seems that trust in such certificate authorities may have been excessive.
Following last week’s decision to disable ms-appinstaller by default (App Installer versions 1.21.3421.0 and later), Redmond announced that it is working with certification authorities to revoke the abused code signing certificates utilized in the malware samples it has identified.
Customers who have the EnableMSAppInstallerProtocol group policy set to “Not configured” (blank) or “Enabled” and who are also using a vulnerable version of App Installer (v1.18.2691 to v1.21.3421) and a Windows OS update from October 2022 to March 2023 are advised to update App Installer and set the required policies.
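One way to check a single host against the policy and version conditions above, as an added example that is not Microsoft's or this article's own script. It assumes the policy is stored under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller`, that App Installer is the `Microsoft.DesktopAppInstaller` package, and that the quoted version range is inclusive; it does not check the Windows update level.

```powershell
# Added example: report whether this host matches the exposure conditions
# described in the article. Read-only; it changes nothing on the system.

# Assumption: registry location backing the EnableMSAppInstallerProtocol policy.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'

# Version range quoted in the article, treated as inclusive (assumption).
$MinVulnerable = [version]'1.18.2691'
$MaxVulnerable = [version]'1.21.3421'

function Get-MsAppInstallerPolicyState {
    # A missing value corresponds to "Not configured" in the Group Policy editor.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item)         { return 'NotConfigured' }
    if ($item.$PolicyName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Test-VulnerableAppInstallerVersion {
    param([Parameter(Mandatory)][version]$Version)
    # Compare on major.minor.build only, so 1.21.3421.0 equals 1.21.3421.
    $v = [version]::new($Version.Major, $Version.Minor, [math]::Max($Version.Build, 0))
    return ($v -ge $MinVulnerable) -and ($v -le $MaxVulnerable)
}

$policy = Get-MsAppInstallerPolicyState
# Current user's packages; add -AllUsers from an elevated session for every profile.
$packages = @(Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller')

if ($packages.Count -eq 0) {
    Write-Output "App Installer package not found for this user (policy: $policy)."
}
foreach ($pkg in $packages) {
    $inRange = Test-VulnerableAppInstallerVersion -Version $pkg.Version
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        AppInstaller   = $pkg.Version
        PolicyState    = $policy
        VersionInRange = $inRange
        # Matches the article's condition: policy blank or Enabled on a listed version.
        NeedsAction    = $inRange -and ($policy -ne 'Disabled')
    }
}
```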
For enterprise customers, it may take some effort to drive policy changes across the network. Also, for users who rely on web-based installations as their app distribution channel, it means a bit more effort to download and install after doing the appropriate checks.
Microsoft did not respond to a request for comment. ®