Microsoft has disabled the MSIX ms-appinstaller protocol handler exploited in malware attacks to install malicious applications directly from a website through a Windows AppX Installer spoofing vulnerability.
Today’s decision comes after the company released security updates to fix the flaw (tracked as CVE-2021-43890) in the December 2021 Patch Tuesday and provided workarounds to disable the MSIX schema without deploying the patches.
“We are actively working to resolve this vulnerability. For now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an application directly from a web server. Instead, users will need to download the app on their device first and then install the package with App Installer,” noted Microsoft Program Manager Dian Hartono.
“We recognize that this feature is essential for many businesses. We take the time to perform extensive testing to ensure that re-enabling the protocol can be done in a secure manner.
“We are considering introducing Group Policy that would allow IT administrators to re-enable the protocol and control its use within their organizations.”
How Threat Actors Abused ms-appinstaller to Spread Malware
As reported by BleepingComputer, Emotet began spreading and infecting Windows 10 and Windows 11 systems in early December using malicious Windows AppX Installer packages disguised as Adobe PDF software.
Emotet phishing emails used stolen reply-chain email threads and asked potential victims to open PDFs related to the previous conversation.
However, once clicked, the links embedded in the emails would redirect recipients to pages which, instead of opening the PDF, would launch the Windows App Installer program and ask to install an “Adobe PDF Component”.
Although the prompt looks like a legitimate Adobe application, App Installer downloads and installs a malicious appxbundle hosted on Microsoft Azure when the user clicks on the Install button.
You can find more information, including how Emotet abused the built-in Windows App Installer functionality during the campaign, in our previous report.
This AppX Installer spoofing vulnerability has also been exploited to distribute BazarLoader malware via malicious packages hosted on Microsoft Azure, using *.web.core.windows.net URLs.
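For defenders reviewing proxy or mail-gateway logs for the link pattern described above, the following is an added example (not code from Microsoft or from this article) that parses ms-appinstaller: links, pulls out the package URL carried in the source= parameter, and flags sources hosted on *.web.core.windows.net or outside an organization's own package host. The allow-list host and the sample links are constructed assumptions.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical allow-list of hosts an organization distributes its own packages from (assumption).
TRUSTED_PACKAGE_HOSTS = {"packages.corp.example"}


def extract_source(link: str) -> Optional[str]:
    """Return the package URL from an ms-appinstaller: link, or None if it is not one.

    App Installer links take the shape ms-appinstaller:?source=<https URL of the package>;
    the scheme is what lets a web page hand a package straight to App Installer.
    """
    if not link.lower().startswith("ms-appinstaller:"):
        return None
    query = link.split("?", 1)[1] if "?" in link else ""
    sources = parse_qs(query).get("source")
    return sources[0] if sources else None


def classify(link: str) -> str:
    """Label a single link for triage: not an App Installer link, trusted, or suspicious."""
    source = extract_source(link)
    if source is None:
        return "not-appinstaller"
    host = (urlparse(source).hostname or "").lower()
    if host in TRUSTED_PACKAGE_HOSTS:
        return "trusted-source"
    if host.endswith(".web.core.windows.net"):
        # Azure static-website hosting, the host pattern seen in the BazarLoader campaign.
        return "suspicious-azure-static-host"
    return "untrusted-source"


def triage(links):
    """Return only the links worth an analyst's attention, with their verdicts."""
    return [(link, classify(link)) for link in links if classify(link).startswith(("suspicious", "untrusted"))]


# Constructed sample links, as they might appear in click-tracking or proxy logs.
SAMPLE_LINKS = [
    "https://mail.example.test/attachments/invoice.pdf",
    "ms-appinstaller:?source=https://packages.corp.example/tools/helpdesk.msixbundle",
    "ms-appinstaller:?source=https://contoso1234.z13.web.core.windows.net/Adobe/pdfcomponent.appxbundle",
    "ms-appinstaller:?source=https://cdn.example.test/setup.appxbundle",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS):
        print(f"{verdict}: {link}")
```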