Microsoft Temporarily Addresses New Windows Vulnerability with a Workaround

Microsoft revealed that it is temporarily disabling an app installer protocol in Windows 10/11 to address a newly discovered vulnerability while it works on a more permanent fix.

“We were recently notified that the ms-appinstaller protocol for MSIX can be used in a malicious way,” Microsoft’s Dian Hartono writes in a blog post describing the action the firm took. “Specifically, an attacker could spoof App Installer to install a package that the user did not intend to install.”

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday — and get free copies of Paul Thurrott's Windows 11 and Windows 10 Field Guides (normally $9.99) as a special welcome gift!

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

The Microsoft Security Resource Center (MSRC) is tracking this spoofing vulnerability, and you can read more about its current status in CVE-2021-43890. According to that alert, the vulnerability requires only basic user privileges and could result in “a complete loss of protection” by which “the attacker is able to modify any/all files protected by the impacted component.” The good news? “Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited.” And while an exploit is possible, Microsoft is unaware of any exploit code or active exploits.

To address this issue ahead of a formal fix, Microsoft has temporarily disabled the ms-appinstaller scheme (protocol) in Windows 10 and 11.

“This means that App Installer will not be able to install an app directly from a web server,” Hartono explains. “Instead, users will need to first download the app to their device, and then install the package with App Installer. This may increase the download size for some packages.”

The App Installer uses the common MSIX app packaging format and is used by Win32, Windows Forms, and Windows Presentation Foundation (WPF) developers.

Tagged with

Share post

Please check our Community Guidelines before commenting

Conversation 8 comments

  • jimchamplin

    Premium Member
    07 February, 2022 - 3:38 pm

    <p>Does it affect Windows Store links, or are they safe since it opens the Store application to perform the installation?</p>

    • dftf

      09 February, 2022 - 6:52 am

      <p>Assuming that the app it opens in the <em>Microsoft Store</em> isn’t itself dodgy, then no: if you download an MSIX file, it opens in the "App Installer", app, not the <em>Store</em> app. (It’s not like on some <em>Linux </em>distros, like <em>Ubuntu</em>, where DEB files get installed within the <em>Store </em>app, so confusion could arise as to whether it’s an app actually hosted in the <em>Store</em> or not.)</p><p><br></p><p>Though, if you’ve seen some of the stuff in the <em>Microsoft Store</em> lately, that’s a big assumption to assume they’re not dodgy — users looking for <em>Google Chrome </em>and downloading some free PDF guide with a similar name and logo, for example. I’m sure that won’t be a virus! ;)</p>

  • hrlngrv

    Premium Member
    07 February, 2022 - 5:44 pm

    <p>Cynicism warning: can’t ANYTHING be used in a malicious way?</p><p><br></p><p>Even more cynical: with well over 1 billion users, it doesn’t seem much of a stretch to figure there are <strong><em>hundreds of millions</em></strong> of dirt ignorant Windows users. Windows 11 and UAC are unlikely to be adequate to protect those people from themselves much less malicious 3rd parties. There’s a reason there are so many sweat shops in India cold-calling for <em>Windows Technical Support</em> and obviously making enough $$$ for it to be worthwhile.</p><p><br></p><p>OTOH, amusing that MSFT’s <em>security work-around</em> is how dpkg-based and rpm-based Linux distributions handle installing packages all the time.</p>

    • dftf

      09 February, 2022 - 6:57 am

      <p>Well, yeah… I mean, if the risk here is "user could install something without fully being-sure what it is, and randomly just click Yes or enter their admin password", then by that logic we should block <em>EXE</em> and <em>MSI</em> files on <em>Windows</em>, too! ;)</p><p><br></p><p>And likewise, <em>DEB</em> and <em>RPM</em> on Linux; <em>APK</em> on Android; and <em>DMG</em> and <em>PKG</em> on macOS. Oh, and all extensions for the major web-browsers too, as they’re becoming an increasing source of malware thesedays.</p>

  • maktaba

    08 February, 2022 - 2:15 am

    <p>What’s the use of the whole TPM requirement when Windows 11 is still vulnerable?</p>

    • IanYates82

      Premium Member
      08 February, 2022 - 3:58 pm

      <p>TPM is to protect secrets and secure the boot process from the very start – the boot code being signed shows it hasn’t been modified, it can then verify the next stage before executing, and so on</p><p><br></p><p>This article describes a bug leading to a security vulnerability. TPM isn’t involved. </p>

      • hrlngrv

        Premium Member
        08 February, 2022 - 7:01 pm

        <p>Is the boot process code in firmware or on disk? Is there no way to upgrade boot process code in firmware? If there is, then presumably the signature in TPM could be change. If so, then couldn’t malware change TPM signatures?</p><p><br></p><p>I’m hopelessly skeptical any PC could be secured as long as there’s a relatively ignorant human using it.</p>

        • Greg Green

          11 February, 2022 - 9:20 am

          <p>I’ve mentioned the story before, but I read of an IT guy who briefed the small company employees on the danger of phishing and clicking on unknown links. The day after the class he sent fake phishing mail to the employees and most of them clicked on it.</p><p><br></p><p>people gonna do what people gonna do.</p>

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Thurrott © 2024 Thurrott LLC