Microsoft announced last week that it is temporarily disabling the ms-appinstaller MSIX protocol handler in Windows following evidence that a security vulnerability in the installer component has been exploited by malicious actors to distribute malware such as Emotet, TrickBot and Bazaloader.
MSIX, based on a combination of .msi, .appx, App-V, and ClickOnce installer technologies, is a universal Windows application package format that allows developers to distribute their applications for the desktop operating system and other platforms. ms-appinstaller, in particular, is designed to help users install a Windows app simply by clicking a link on a website.
But a spoofing vulnerability discovered in Windows App Installer (CVE-2021-43890, CVSS score: 7.1) meant that it could be tricked, via a malicious attachment used in phishing campaigns, into installing a malicious application that the user never intended to install.
Although Microsoft released initial patches to address this flaw as part of its December 2021 Patch Tuesday updates, the company has now disabled the ms-appinstaller scheme while it works to fully close the security flaw and prevent further exploitation.
“This means that App Installer will not be able to install an application directly from a web server”, Dian Hartono noted. “Instead, users will need to download the app to their device first and then install the package with App Installer. This may increase the download size of some packages.”
With the protocol disabled, Microsoft also recommends that developers update application download links on their websites by removing the “ms-appinstaller:?source=” scheme so that the MSIX package or the .appinstaller file can be downloaded.
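One way a site owner could apply that link update to static HTML, as an added example that is not from Microsoft or the original article: it strips the "ms-appinstaller:?source=" prefix from href values and leaves anything unexpected for manual review. The function names, the sample markup with its example.com URLs, and the HTTPS and file-extension allow-list are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Prefix the article says developers should remove from download links.
PREFIX = "ms-appinstaller:?source="
# Assumption: only HTTPS links to these package types are rewritten automatically.
PACKAGE_SUFFIXES = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")
# Quoted href attribute values in static HTML.
HREF_RE = re.compile(r"""(href\s*=\s*)(["'])(.*?)\2""", re.IGNORECASE | re.DOTALL)

# Constructed sample markup; the example.com URLs are hypothetical.
SAMPLE_HTML = """
<a href="ms-appinstaller:?source=https://downloads.example.com/app/Contoso.msix">Install</a>
<a href='MS-AppInstaller:?source=https%3A%2F%2Fdownloads.example.com%2Fapp%2FContoso.appinstaller'>Install</a>
<a href="ms-appinstaller:?source=http://downloads.example.com/app/Old.msix">Install (http)</a>
<a href="https://downloads.example.com/docs/readme.html">Docs</a>
"""

def direct_url(href):
    """Return the plain package URL behind an ms-appinstaller link, else None."""
    value = href.strip()
    if not value.lower().startswith(PREFIX):
        return None
    target = value[len(PREFIX):]
    # Decode only when the whole source URL was percent-encoded.
    if re.match(r"https?%3a", target, re.IGNORECASE):
        target = unquote(target)
    return target

def rewrite_links(html):
    """Return (new_html, changed, needs_review) for one HTML document."""
    changed, needs_review = [], []

    def swap(match):
        attr, quote, old = match.groups()
        target = direct_url(old)
        if target is None:
            return match.group(0)  # not an ms-appinstaller link
        parts = urlsplit(target)
        safe = (parts.scheme == "https" and quote not in target
                and parts.path.lower().endswith(PACKAGE_SUFFIXES))
        if not safe:
            needs_review.append(old)  # leave for a human to fix
            return match.group(0)
        changed.append((old, target))
        return f"{attr}{quote}{target}{quote}"

    return HREF_RE.sub(swap, html), changed, needs_review
```

Calling rewrite_links(SAMPLE_HTML) rewrites the two HTTPS links to direct downloads and reports the plain-HTTP link in needs_review without changing it.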