Microsoft Temporarily Addresses New Windows Vulnerability with a Workaround

Posted on February 7, 2022 by Paul Thurrott in Dev, Windows 10, Windows 11 with 8 Comments

Microsoft revealed that it is temporarily disabling the ms-appinstaller protocol handler in Windows 10/11 to address a newly discovered vulnerability while it works on a more permanent fix.

“We were recently notified that the ms-appinstaller protocol for MSIX can be used in a malicious way,” Microsoft’s Dian Hartono writes in a blog post describing the action the firm took. “Specifically, an attacker could spoof App Installer to install a package that the user did not intend to install.”

The Microsoft Security Resource Center (MSRC) is tracking this spoofing vulnerability, and you can read more about its current status in CVE-2021-43890. According to that alert, the vulnerability requires only basic user privileges and could result in “a complete loss of protection” by which “the attacker is able to modify any/all files protected by the impacted component.” The good news? “Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited.” And while an exploit is possible, Microsoft is unaware of any exploit code or active exploits.

To address this issue ahead of a formal fix, Microsoft has temporarily disabled the ms-appinstaller scheme (protocol) in Windows 10 and 11.

“This means that App Installer will not be able to install an app directly from a web server,” Hartono explains. “Instead, users will need to first download the app to their device, and then install the package with App Installer. This may increase the download size for some packages.”
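Because the workaround means legitimate installs now start with a download rather than an ms-appinstaller: link, any such link that still shows up in proxy or web logs is worth a second look. The following is an added detection example, not code from the article or from Microsoft; it assumes a simple space-separated proxy log format, constructed sample lines with hypothetical hosts, and the documented ms-appinstaller:?source=<package URL> link shape.

```python
"""Detection example: flag ms-appinstaller: links in a web-proxy log."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log (hypothetical hosts, clients and timestamps):
# <timestamp> <client> <method> <url>
SAMPLE_LOG = """\
2022-02-07T10:01:02Z 10.0.0.5 GET https://vendor.example/app/Contoso.msixbundle
2022-02-07T10:02:11Z 10.0.0.7 GET ms-appinstaller:?source=https://updates.example/Fabrikam.appinstaller
2022-02-07T10:03:45Z 10.0.0.5 GET https://intranet.example/docs/index.html
2022-02-07T10:04:09Z 10.0.0.9 GET ms-appinstaller:?source=https%3A%2F%2Fcdn.example%2Fpkg.msix
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def appinstaller_source(url):
    """Return the package URL an ms-appinstaller: link would hand to App Installer,
    or None if the URL does not use that scheme or carries no source parameter."""
    if not url.lower().startswith("ms-appinstaller:"):
        return None
    query = url.partition("?")[2]                     # text after the first '?'
    source = parse_qs(query).get("source", [""])[0]   # parse_qs percent-decodes
    return source or None


def find_appinstaller_links(log_text):
    """Return one record per log line whose URL uses the ms-appinstaller: scheme."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        source = appinstaller_source(m.group("url"))
        if source is None:
            continue
        hits.append({
            "timestamp": m.group("ts"),
            "client": m.group("client"),
            "source": source,
            "host": urlsplit(source).hostname or "",
        })
    return hits


if __name__ == "__main__":
    for hit in find_appinstaller_links(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} -> {hit['host']} ({hit['source']})")
```

The host field is the value to compare against the list of package sources your organisation actually trusts; anything else is a candidate for review.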

App Installer handles the common MSIX app packaging format, which is used by Win32, Windows Forms, and Windows Presentation Foundation (WPF) developers.


Comments (8)


  1. jimchamplin

    Does it affect Windows Store links, or are they safe since it opens the Store application to perform the installation?

    • dftf

      Assuming that the app it opens in the Microsoft Store isn't itself dodgy, then no: if you download an MSIX file, it opens in the "App Installer" app, not the Store app. (It's not like on some Linux distros, like Ubuntu, where DEB files get installed within the Store app, so confusion could arise as to whether it's an app actually hosted in the Store or not.)

      Though, if you've seen some of the stuff in the Microsoft Store lately, that's a big assumption to assume they're not dodgy -- users looking for Google Chrome and downloading some free PDF guide with a similar name and logo, for example. I'm sure that won't be a virus! ;)

  2. hrlngrv

    Cynicism warning: can't ANYTHING be used in a malicious way?

    Even more cynical: with well over 1 billion users, it doesn't seem much of a stretch to figure there are hundreds of millions of dirt ignorant Windows users. Windows 11 and UAC are unlikely to be adequate to protect those people from themselves much less malicious 3rd parties. There's a reason there are so many sweat shops in India cold-calling for Windows Technical Support and obviously making enough $$$ for it to be worthwhile.

    OTOH, amusing that MSFT's security work-around is how dpkg-based and rpm-based Linux distributions handle installing packages all the time.

    • dftf

      Well, yeah... I mean, if the risk here is "user could install something without fully being sure what it is, and randomly just click Yes or enter their admin password", then by that logic we should block EXE and MSI files on Windows, too! ;)

      And likewise, DEB and RPM on Linux; APK on Android; and DMG and PKG on macOS. Oh, and all extensions for the major web browsers too, as they're becoming an increasing source of malware these days.

  3. maktaba

    What’s the use of the whole TPM requirement when Windows 11 is still vulnerable?

    • IanYates82

      TPM is to protect secrets and secure the boot process from the very start - the boot code being signed shows it hasn't been modified, it can then verify the next stage before executing, and so on

      This article describes a bug leading to a security vulnerability. TPM isn't involved.

      • hrlngrv

        Is the boot process code in firmware or on disk? Is there no way to upgrade boot process code in firmware? If there is, then presumably the signature in TPM could be changed. If so, then couldn't malware change TPM signatures?

        I'm hopelessly skeptical any PC could be secured as long as there's a relatively ignorant human using it.

        • Greg Green

          I’ve mentioned the story before, but I read of an IT guy who briefed the small company employees on the danger of phishing and clicking on unknown links. The day after the class he sent fake phishing mail to the employees and most of them clicked on it.

          people gonna do what people gonna do.