Microsoft disables the ms-appinstaller protocol because it was abused to spread malware

Pierluigi Paganini February 07, 2022

Microsoft temporarily disabled the ms-appinstaller protocol for MSIX because it was abused by malware, such as Emotet.

Microsoft announced to have temporarily disabled the ms-appinstaller protocol for MSIX because it was abused by malware, such as Emotet.

In December, Microsoft addressed a vulnerability, tracked as CVE-2021-43890, in AppX installer that affects Microsoft Windows which is under active exploitation.

“We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.” reads the advisory published by Microsoft.

An attacker could exploit the vulnerability by tricking the victims into opening a specially crafted attachment sent via phishing messages.

Microsoft reported that the issue was exploited by threat actors to deliver Emotet, TrickBot, and BazarLoader malware.

MSIX is a new packaging format based on the .msi installer, .appx, installer, App-V, and ClickOnce installers. MSIX keeps the functionality of the existing app installer packages and installation files while enabling new and modern packaging and deployment features to Win32, WPF, and WinForm apps.

The ms-appinstaller protocol handler allows users to simply install an application by clicking a link on a website, it doesn’t require downloading the full MSIX package.

Due to this capability, threat actors started abusing the protocol in malspam campaigns.

The IT giant opted out to temporarily disable the protocol to prevent these malware campaigns.

“We were recently notified that the ms-appinstaller protocol for MSIX can be used in a malicious way. Specifically, an attacker could spoof App Installer to install a package that the user did not intend to install.” reads the advisory published by Microsoft. “For now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer. This may increase the download size for some packages.”

Microsoft is conducting testing to securely re-enable the protocol, the company planning to introduce a Group Policy that would allow IT administrators to re-enable the protocol and control usage of it within their organizations.

Users that utilize the ms-appinstaller protocol on their website are recommended to update the link to their application, removing ‘ms-appinstaller:?source=’ so that the MSIX package or App Installer file will be downloaded to user’s machine.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment