Date: 2024-01-04

Microsoft has disabled a protocol that allowed Windows apps to be installed directly from the web, after discovering that cybercriminals were misusing the mechanism to distribute malware. The change addresses a vulnerability in the App Installer software that could be exploited to trick App Installer into installing malicious packages. The protocol in question is the ms-appinstaller URI scheme.

The ms-appinstaller URI scheme is used by the MSIX package installer to install Windows apps directly from a web page using the local App Installer application. It eliminates the need for local storage during the installation process, making it a convenient feature. Unfortunately, threat actors have been exploiting this protocol to distribute malware, as it can bypass security mechanisms such as Microsoft Defender SmartScreen and built-in browser warnings for executable downloads.

Previously, Microsoft relied on developers signing their app packages with certificates issued by trusted certificate authorities. That model placed too much trust in the certificate authorities, and the ms-appinstaller protocol handler was abused as a result.

As a result, Microsoft has disabled the ms-appinstaller protocol by default, starting with App Installer version 1.21.3421.0. The company is also working with certificate authorities to revoke the abused code signing certificates used by identified malware samples.

Customers who have the EnableMSAppInstallerProtocol group policy set to “Not Configured” or “Enabled”, and who are running a vulnerable version of App Installer (v1.18.2691 up to v1.21.3421) with Windows OS updates from between October 2022 and March 2023, are advised to update App Installer and adjust the policy accordingly.
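To find hosts still in the configuration just described, the following PowerShell audit script is an added example, not code from the article or from Microsoft. It assumes the policy is backed by the registry value EnableMSAppInstallerProtocol under HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller and that the App Installer package is named Microsoft.DesktopAppInstaller; neither path is stated in the article.

```powershell
# Added audit example (not from the article or Microsoft). Reports whether this
# host still allows ms-appinstaller via an outdated App Installer plus a policy
# that is Not Configured or Enabled. Run elevated so -AllUsers can enumerate.

$FixedVersion = [version]'1.21.3421.0'   # version from which the protocol is off by default
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'  # assumed policy location
$PolicyName   = 'EnableMSAppInstallerProtocol'                           # policy named in the article

function Get-AppInstallerExposure {
    # Highest installed App Installer version across all user profiles (null if absent)
    $pkgs = Get-AppxPackage -AllUsers -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue
    $installed = $null
    if ($pkgs) {
        $installed = ($pkgs | ForEach-Object { [version]$_.Version } | Sort-Object -Descending)[0]
    }

    # Policy value: $null = Not Configured, 1 = Enabled, 0 = Disabled
    $policy = $null
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($item) { $policy = [int]$item.$PolicyName }

    $policyAllows = ($null -eq $policy) -or ($policy -eq 1)
    $outdated     = ($null -ne $installed) -and ($installed -lt $FixedVersion)

    if ($null -eq $policy) { $policyText = 'Not Configured' } else { $policyText = $policy }

    if ($policyAllows -and $outdated) {
        $action = "Update App Installer to $FixedVersion or later, or set $PolicyName to 0 (Disabled)"
    } elseif ($policyAllows) {
        $action = 'Protocol state depends on the App Installer default; set the policy to Disabled to pin it'
    } else {
        $action = 'None (policy explicitly disables the protocol)'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AppInstallerVersion = $installed
        PolicyValue         = $policyText
        Exposed             = ($policyAllows -and $outdated)
        Action              = $action
    }
}

Get-AppInstallerExposure | Format-List
```

Pipe the function's output to Export-Csv when running it across a fleet via remoting so the Exposed column can be filtered centrally.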

While this change may present challenges for enterprise customers who need to roll out a network-wide policy change, it is a necessary step to reduce the risk of malware distribution through the protocol. Users who rely on web-based installations should expect additional checks and possible delays when downloading and installing apps.

Source: The Register