Microsoft revealed that it is temporarily disabling an app installer protocol in Windows 10/11 to address a newly discovered vulnerability while it works on a more permanent fix.
“We were recently notified that the ms-appinstaller protocol for MSIX can be used in a malicious way,” Microsoft’s Dian Hartono writes in a blog post describing the action the firm took. “Specifically, an attacker could spoof App Installer to install a package that the user did not intend to install.”
The Microsoft Security Response Center (MSRC) is tracking this spoofing vulnerability, and you can read more about its current status in CVE-2021-43890. According to that alert, the vulnerability requires only basic user privileges and could result in “a complete loss of protection” by which “the attacker is able to modify any/all files protected by the impacted component.” The good news? “Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited.” And while an exploit is possible, Microsoft is unaware of any exploit code or active exploits.
To address this issue ahead of a formal fix, Microsoft has temporarily disabled the ms-appinstaller scheme (protocol) in Windows 10 and 11.
“This means that App Installer will not be able to install an app directly from a web server,” Hartono explains. “Instead, users will need to first download the app to their device, and then install the package with App Installer. This may increase the download size for some packages.”
The App Installer uses the common MSIX app packaging format and is used by Win32, Windows Forms, and Windows Presentation Foundation (WPF) developers.