[German]Another addendum from the December 2021 patchday regarding the AppX installer used in Windows. Microsoft has closed the Windows AppX Installer spoofing vulnerability CVE-2021-43890 with an update. The Emotet gang has been trying to exploit this vulnerability to infect systems – I had reported about it here on the blog. Here's a brief overview about that issue.
Advertising
AppX installer 0-day vulnerability CVE-2021-43890
I had reported about that within my blog post Windows 10/11: The risky "trusted" Apps-Installer – abused by Emotot gang on December 2, 2021. The AppX-Installer used in Windows 10 and Windows 11 to install applications and apps had a serious design flaw. The screenshot below shows the issue with the AppX Installer 0-day vulnerability CVE-2021-43890.
An infected Emotet payload is displayed as Trusted App in the installer dialog. The Trusted App statement was based solely on information in a manifest, without any digital signature being evaluated. Only when the user clicks on the Trusted App link did they get the Publisher Identity check notice visible in the above tweet with the app's true publisher. The Emotet group exploits this to distribute the dropper to install the ransomware as a trusted Windows app in mail attachments.
Things are in progress with the AppX installer …
As early as December 14, 2021, security researcher Will Dormann published the following tweet, which contains the note that the URI of ms-appinstaller: has been blocked by Microsoft via update.
Advertising
Dormann has published the issue in a series of tweets since December 1, 2021. If Windows users log in as administrators, this could be abused. This is because ms-appinstaller: is a URL protocol via which the AppX installation can be started from almost anywhere. Even opening a Microsoft Office document was enough.
Dormann recommended enabling the group policy "Prevent non-admin users from installing packaged Windows apps" or disabling the ms-appinstaller via reg file for all users.
Fix for CVE-2021-43890 in AppX Installer
As of December 14, 2021, Microsoft has published the security advisory Windows AppX Installer Spoofing Vulnerability CVE-2021-43890, which confirms the above facts while disclosing the CVE. It states that Microsoft has been investigating reports of a spoofing vulnerability in the Windows AppX installer. Microsoft is aware of attacks that attempt to exploit this vulnerability with specially crafted packages containing the malware family known as Emotet/Trickbot/Bazaloader.
Microsoft says that an attacker could create a malicious attachment that would be used in phishing campaigns. The attacker would then have to trick the user into opening the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
In the article on CVE-2021-43890, Microsoft recommends blocking the installation of Windows app packages for standard users and for apps outside the Microsoft Store via group policies (BlockNonAdminUserInstall and AllowAllTrustedApps, the policy AllowAllTrustedAppToInstall mentioned at Microsoft's advisory doesn't exists) as a countermeasure. In addition, the ms-appinstaller protocol should be disabled to install apps directly from a website.
If the Microsoft store isn't blocked by group policy, the AppX Installer (Desktop Installer) will be updated automatically. Furthermore, Microsoft has updated the AppX Installer (Desktop Installer) as of December 14, 2021.
- Microsoft Desktop Installer 1.16 for Windows 10 version version 1809 and higher
- Microsoft Desktop Installer 1.11 for Windows 10 version 1709 or Windows 10 version 1803
Administrators should install the updated Desktop Installer promptly, which the security vendors at FortiGuard Labsin the following tweet linking to this article report that the just-patched Windows vulnerability CVE-2021-43890 is being exploited to deliver malware. However, this is ultimately confirmation of what I said in the section above or in the linked article.
Similar articles:
Windows 10/11: The risky "trusted" Apps-Installer – abused by Emotot gang
Microsoft Security Update Summary (December 14, 2021)
Patchday: Windows 10 Updates (December 14, 2021))
Patchday: Windows 11-Updates (December 14, 2021)
Patchday: Windows 8.1/Server 2012-Updates (December 14, 2021)
Patchday: Updates für Windows 7/Server 2008 R2 (December 14, 2021)
Patchday: Microsoft Office December 2021 updates (14.12.2021) causes Access issues
