Headline
Microsoft addresses App Installer abuse
Summary In recent months, Microsoft Threat Intelligence has observed threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. We have addressed and mitigated this malicious activity by turning off ms-appinstaller by default. Additionally, Microsoft has coordinated with Certificate Authorities to revoke the abused code signing certificates utilized by malware samples we have identified.
Summary
In recent months, Microsoft Threat Intelligence has observed threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. We have addressed and mitigated this malicious activity by turning off ms-appinstaller by default. Additionally, Microsoft has coordinated with Certificate Authorities to revoke the abused code signing certificates utilized by malware samples we have identified.
Upon detection of this attack vector, Microsoft launched an investigation to ensure proper detections existed within Microsoft Defender for Endpoint and Microsoft Defender for Office to protect our customers.
Background
Microsoft initially introduced the ms-appinstaller URI scheme handler in App Installer v1.0.12271.0 to improve the installation experience for MSIX and MSIXBundles.
Recently, malicious activity was observed where bad actors are now using the ms-appinstaller URI scheme handler to trick users into installing malicious software. We highly recommend customers do not install apps from unknown websites.
Mitigations
On December 28th, 2023, Microsoft updated CVE-2021-43890 to disable ms-appinstaller URI scheme (protocol) by default, as a security response to protect customers from attackers’ evolving techniques against previous safeguards. This means that users will no longer be able to install an app directly from a web page using the MSIX package installer. Instead, users will be required to download the MSIX package first in order to install it, which ensures that locally installed antivirus protections will run.
We will continue to monitor future malicious activity and make ongoing improvements to prevent fraud, phishing, and a range of other persistent threats. Microsoft will remain vigilant as attackers continue evolving their techniques. Please refer to the Microsoft Threat Intelligence Blog: Financially motivated threat actors misusing App Installer for additional details and guidance.
To address this issue
Microsoft has disabled the ms-appinstaller URI scheme handler by default in App Installer version 1.21.3421.0 or higher and if you have not specifically enabled the EnableMSAppInstallerProtocol, no further action is needed.
- Customers can check which version of App Installer is installed on their system by running the following PowerShell command: (Get-AppxPackage Microsoft.DesktopAppInstaller).Version
- For information on how to update your App Installer, see Install and update the App Installer.
How to determine whether you may be at risk
The EnableMSAppInstallerProtocol group policy is set to “Not Configured” (blank) or “Enabled”
The version of App Installer installed on your PC is between v1.18.2691 and v1.21.3421
Windows OS updates listed below between October 2022 and March 2023 contained a previous (vulnerable) version of the AppInstaller.
March 21, 2023—KB5023773 (OS Builds 19042.2788, 19044.2788, and 19045.2788) Preview - Microsoft Support
July 11, 2023—KB5028171 (OS Build 20348.1850) - Microsoft Support
March 28, 2023—KB5023774 (OS Build 22000.1761) Preview - Microsoft Support
October 25, 2022—KB5018496 (OS Build 22621.755) Preview - Microsoft Support
Also, customers using builds v1.22.3452-preview or lower also contained vulnerable versions of AppInstaller.
Note: (not recommended) Customers that must use the ms-appinstaller protocol can still use the App Installer by setting the Group Policy EnableMSAppInstallerProtocol to Disabled. See Policy CSP – DesktopAppInstaller for additional information.
References
- Installing Windows 10 apps from a web page - MSIX | Microsoft Learn
- CVE Link
- Financially motivated threat actors misusing App Installer
Related news
By Deeba Ahmed According to the Microsoft Threat Intelligence Team, threat actors labeled as 'financially motivated' utilize the ms-appinstaller URI scheme for malware distribution. This is a post from HackRead.com Read the original post: Microsoft Disables App Installer After Feature is Abused for Malware