Article Details
Scrape Timestamp (UTC): 2024-01-04 00:05:28.631
Source: https://www.theregister.com/2024/01/04/microsoft_windows_app_installation/
Original Article Text
Microsoft kills off Windows app installation from the web, again

Unpleasant Christmas package lets malware down the chimney

Microsoft has disabled a protocol that allowed the installation of Windows apps after finding that miscreants were abusing the mechanism to install malware.

The move came just before Christmas, and seemingly mimicked issues first reported in December 2021, to address a Windows AppX Installer vulnerability (CVE-2021-43890) in which an attacker could spoof App Installer into installing malicious software.

Microsoft re-enabled the protocol, known as the ms-appinstaller URI scheme, on August 5, 2022, with the release of Windows 11 Insider Preview Build 25147. It made the protocol available to some enterprise customers who chose to use it via the Local Group Policy Editor.

The ms-appinstaller URI scheme allows the MSIX package installer to install Windows apps from a web page using the local App Installer application. Doing so allows installation without the need for local storage. This has proven to be a popular feature, according to Microsoft.

Alas, as the Microsoft Threat Intelligence group noted last week, miscreants have been abusing the ms-appinstaller URI scheme to distribute malware. It appears that the protocol provided a way around Microsoft's security checks.

"Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats," Redmond explained.

Microsoft had relied on developers having to sign their app packages with "a third party paid certificate from a trusted certification authority," but evidently it put too much trust in such authorities.
Following its decision to disable ms-appinstaller by default last week (in App Installer version 1.21.3421.0 or higher), Redmond announced it is working with certificate authorities "to revoke the abused code signing certificates utilized by malware samples we have identified."

Customers who have the EnableMSAppInstallerProtocol group policy set to "Not Configured" (blank) or "Enabled" and are also using vulnerable versions of App Installer – from v1.18.2691 up until v1.21.3421, as well as Windows OS updates between October 2022 and March 2023 – are advised to update App Installer and to set the desired policy.

For enterprise customers, pushing out a network-wide policy change may take some effort. And for those who rely on web-based installation as an app distribution channel, the consequence is a bit more friction for downloading and installation after proper checks.

Microsoft did not respond to a request for comment.
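An added audit script (not from the article, and not Microsoft's own tooling) that applies the exposure test the article gives: an App Installer build in the affected version range while EnableMSAppInstallerProtocol is "Enabled" or "Not Configured". The registry path used for the policy is an assumption to be checked against your ADMX, and the Windows OS update condition the article also lists is not covered.

```powershell
# Added audit helper, not from the article or from Microsoft.
# Exposure = affected App Installer build AND a policy that leaves ms-appinstaller on.

$script:FirstAffected = [version]'1.18.2691.0'   # start of affected range (article)
$script:FirstFixed    = [version]'1.21.3421.0'   # first build that disables the protocol by default
$script:PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'  # ASSUMED path
$script:PolicyName    = 'EnableMSAppInstallerProtocol'

function Get-AppInstallerVersion {
    # Microsoft.DesktopAppInstaller is the package that ships App Installer;
    # take the newest version if several are staged on the machine.
    $pkg = Get-AppxPackage -Name Microsoft.DesktopAppInstaller -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
    if ($pkg) { return [version]$pkg.Version }
    return $null
}

function Get-MsAppInstallerPolicy {
    # Maps the registry value to the three states the article describes.
    $name = $script:PolicyName
    $item = Get-ItemProperty -Path $script:PolicyKey -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item)   { return 'NotConfigured' }   # blank policy: protocol stays on
    if ($item.$name -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Test-MsAppInstallerExposure {
    param([version]$Version, [string]$Policy)
    $affectedBuild = [bool]($Version -and $Version -ge $script:FirstAffected -and $Version -lt $script:FirstFixed)
    $policyAllows  = $Policy -in @('Enabled', 'NotConfigured')
    $action = if ($affectedBuild -and $policyAllows) {
        'Update App Installer to 1.21.3421.0 or later and set EnableMSAppInstallerProtocol explicitly'
    } elseif ($affectedBuild) {
        'Update App Installer; the policy already blocks the protocol'
    } else {
        'No action required from this check'
    }
    [pscustomobject]@{
        Version       = $Version
        Policy        = $Policy
        AffectedBuild = $affectedBuild
        Exposed       = ($affectedBuild -and $policyAllows)
        Action        = $action
    }
}

Test-MsAppInstallerExposure -Version (Get-AppInstallerVersion) -Policy (Get-MsAppInstallerPolicy) | Format-List
```

Run it from an elevated PowerShell session on each endpoint (or push it through your management tooling) and collect the Exposed field fleet-wide.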
Daily Brief Summary
Microsoft has disabled the ms-appinstaller URI protocol after detecting its misuse for malware installation.
The issue echoes a vulnerability from December 2021, which allowed attackers to bypass security measures using App Installer spoofing.
The protocol, reintroduced in August 2022, let users install apps from the web directly, without local storage requirements, but has been exploited by threat actors.
Microsoft is working with certificate authorities to revoke certificates used by identified malware samples.
Enterprises with the EnableMSAppInstallerProtocol group policy set to "Enabled" or not configured, using App Installer versions v1.18.2691 to v1.21.3421, and Windows updates from October 2022 to March 2023 are at risk and need updates.
This change adds a layer of friction for web-based application installations, requiring additional steps for safe downloading and installation.