After ransomware like Emotet or BazarLoader abused the MSIX ms-appinstaller protocol handler, Microsoft has reacted again: the entire ms-appinstaller protocol handler has been disabled in Windows for the time being, more or less as protection against Emotet, BazarLoader and similar malware. This is the second measure, following the patch released in December 2021.
AppX Installer Vulnerability CVE-2021-43890
The AppX installer used in Windows 10 and Windows 11 to install applications and apps had a serious design flaw that allowed malware like Emotet or BazarLoader to trick users into installing it. The screenshot below shows the issue behind the AppX Installer vulnerability CVE-2021-43890.
An infected Emotet payload is displayed as a "Trusted App" in the installer dialog. That "Trusted App" statement was based solely on information in the package manifest; no digital signature was evaluated. Only when the user clicked the "Trusted App" link did they get the Publisher Identity check notice visible in the tweet above, which shows the app's true publisher. The Emotet group exploits this to distribute its dropper, which installs the ransomware, as a supposedly trusted Windows app via mail attachments. I addressed this on December 2, 2021 in the blog post Windows 10/11: The risky "trusted" Apps-Installer – abused by Emotet gang.
Fix for CVE-2021-43890 in December 2021
As early as December 14, 2021, Microsoft locked the ms-appinstaller: URI via an update and published the security advisory Windows AppX Installer Spoofing Vulnerability CVE-2021-43890. It states that Microsoft has investigated reports of a spoofing vulnerability in the Windows AppX installer and is aware of attacks that attempt to exploit it with specially crafted packages containing the malware family known as Emotet/Trickbot/Bazaloader.
In the article on CVE-2021-43890, Microsoft recommends countermeasures concerning the installation of Windows app packages by standard users and of apps from outside the Microsoft Store. I had collected details, including download links for the affected AppX installers (desktop installers), in the blog post Update fixes Windows AppX installer 0-day vulnerability CVE-2021-43890 (used by Emotet).
Microsoft disables MSIX protocol handler
It looks like many administrators did not react and did not install the update for the AppX installer (desktop installer). In any case, Microsoft has now reacted and disabled the MSIX ms-appinstaller protocol handler in Windows. The following tweet points to the corresponding Techcommunity post Disabling the MSIX ms-appinstaller protocol handler.
There, Microsoft refers to the issue described above: it has recently been informed that the ms-appinstaller protocol for MSIX can be used in a malicious way. The spoofing vulnerability CVE-2021-43890 could be used by an attacker to impersonate a legitimate App Installer and trick the user into installing a malware package.
Microsoft says it is actively working on a fix for this vulnerability. Until then, the ms-appinstaller scheme (protocol) has been disabled. This means that App Installer can no longer install an app directly from a web server. Instead, users must first download the package to their device and then install it using App Installer. This may increase the download size for some packages.
This has consequences for vendors who use the ms-appinstaller protocol on their websites, as it will no longer work. Microsoft recommends updating the link to the application and removing the "ms-appinstaller:?source=" prefix so that the MSIX package or App Installer file is downloaded to the user's computer. Further explanation can be found in the Techcommunity article.
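As an added example (not from the original post or from Microsoft), the following script rewrites vendor links of the form ms-appinstaller:?source=<URL> into plain download links, as the Techcommunity post recommends, and reports links it leaves alone because the wrapped URL is not an https link to a package or .appinstaller file. The sample HTML and host names are constructed.

```python
# Added example: rewrite ms-appinstaller:?source= links to direct downloads.
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# File types App Installer handles; anything else is left for manual review.
PACKAGE_EXTENSIONS = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")

# Case-insensitive match of the scheme plus its single "source" parameter;
# the value ends at whitespace, quotes or angle brackets (end of an href).
_LINK_RE = re.compile(r"ms-appinstaller:\?source=([^\s\"'<>]+)", re.IGNORECASE)


def direct_download_url(link: str) -> Optional[str]:
    """Return the package URL wrapped by an ms-appinstaller:?source= link,
    or None if the link uses another scheme or the wrapped URL is not an
    https link to an MSIX/AppX package or an .appinstaller file."""
    m = _LINK_RE.fullmatch(link.strip())
    if not m:
        return None
    target = unquote(m.group(1))
    parts = urlsplit(target)
    if parts.scheme.lower() != "https" or not parts.netloc:
        return None
    if not parts.path.lower().endswith(PACKAGE_EXTENSIONS):
        return None
    return target


def rewrite_links(html: str) -> Tuple[str, List[str]]:
    """Replace every ms-appinstaller:?source= link in an HTML fragment with
    the direct package URL. Returns the rewritten HTML and the links that
    were left unchanged because direct_download_url() rejected them."""
    skipped: List[str] = []

    def _sub(m: "re.Match[str]") -> str:
        url = direct_download_url(m.group(0))
        if url is None:
            skipped.append(m.group(0))
            return m.group(0)
        return url

    return _LINK_RE.sub(_sub, html), skipped


# Constructed sample page: one valid vendor link, one http (not https) link,
# and one link that points at a plain executable instead of a package.
SAMPLE_HTML = """
<a href="ms-appinstaller:?source=https://vendor.example/app/Contoso.msixbundle">Install</a>
<a href="ms-appinstaller:?source=http://vendor.example/app/Contoso.msix">Install (http)</a>
<a href="ms-appinstaller:?source=https://vendor.example/setup.exe">Install (exe)</a>
"""

if __name__ == "__main__":
    rewritten, left = rewrite_links(SAMPLE_HTML)
    print(rewritten)
    print("left unchanged for review:", left)
```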