Microsoft announced the disabling of the ms-appinstaller protocol of the MSIX App Installer on Windows 10 and Windows 11 to prevent the spread of malicious software such as BazarLoader and Emotet. In the future, the software giant plans to integrate group policies into the operating systems that will allow network administrators to enable the protocol and control its operation.
The ms-appinstaller protocol allows users to install applications directly from a website without first downloading the MSIX file to local media. The idea is to help users save disk space by not having to download the entire MSIX package. It turned out, however, that attackers use MSIX packages to distribute malware. Although the protocol was actually deactivated last year, this has only now been officially announced. The vulnerability that allows malware to spread in this way is tracked as CVE-2021-43890.
“Recently, we were made aware that the ms-appinstaller protocol can be used maliciously in MSIX. For example, attackers can spoof an app installer to download a package the user didn’t want to install <…> We have disabled the ms-appinstaller protocol for now. This means that the app installer cannot download apps directly from websites. Instead, users must first download and then install the app on their device,” Microsoft said in a statement.
According to reports, Microsoft developers are now testing the problematic protocol to ensure that it is completely safe for users after reactivation. For enterprise customers, Microsoft will create a special group policy that allows administrators to control how ms-appinstaller works.
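
As an added example (not from Microsoft or the original article), the Python below scans HTML or e-mail text for ms-appinstaller links and reports where each one would fetch its package from, which is the behaviour a defender wants visibility into while the protocol's status is in flux. It assumes the link form `ms-appinstaller:?source=<package URL>`; the allowlisted host and the sample markup are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: links take the form ms-appinstaller:?source=<package URL>.
LINK_RE = re.compile(r"ms-appinstaller:\??[^\s\"'<>]+", re.IGNORECASE)

# Hypothetical allowlist of hosts the organisation publishes packages from.
TRUSTED_HOSTS = frozenset({"packages.corp.example"})

# Constructed sample markup, not taken from a real page.
SAMPLE = """
<a href="ms-appinstaller:?source=https://packages.corp.example/hr/portal.msix">HR portal</a>
<a href="MS-AppInstaller:?source=http%3A%2F%2Fcdn.invalid-example.test%2Fupdate.appinstaller">Update</a>
<a href="https://www.example.org/docs">Docs</a>
"""


def find_appinstaller_links(text, trusted_hosts=TRUSTED_HOSTS):
    """Return one finding per ms-appinstaller link in HTML or mail text."""
    findings = []
    # Undo HTML entity encoding (&amp; etc.) before matching.
    for match in LINK_RE.finditer(html.unescape(text)):
        raw = match.group(0)
        query = raw.split(":", 1)[1].lstrip("?")
        # parse_qs percent-decodes values; parameter names are lower-cased.
        params = {k.lower(): v for k, v in parse_qs(query).items()}
        source = params.get("source", [""])[0]
        try:
            parts = urlsplit(source)
            scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            scheme, host = "", ""
        reasons = []
        if not source:
            reasons.append("no source parameter")
        elif scheme != "https":
            reasons.append("package not fetched over https")
        if source and host not in trusted_hosts:
            reasons.append("host not on allowlist")
        findings.append(
            {"link": raw, "source": source, "host": host, "reasons": reasons}
        )
    return findings


if __name__ == "__main__":
    for finding in find_appinstaller_links(SAMPLE):
        print(finding["host"] or "-", finding["reasons"] or "ok")
```
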