Microsoft Disables Key Windows App Install Tech Used to Distribute Malware

MSIX

Microsoft announced today that it was forced to disable a key component of its Windows app installer technologies after detecting multiple instances of financially motivated threat actors using those technologies to distribute malware. It also worked with Certificate Authorities to revoke the code-signing certificates that had been abused to sign and deliver that malware.

“Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors, utilizing the App Installer to distribute malware,” the software giant explained. “In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks. In response to this activity, Microsoft has disabled the [App Installer] protocol handler by default.”


The App Installer is used by developers to install a packaged Microsoft Store app in MSIX format directly from the web, a process that used to be described as “side-loading” because it bypasses the Store. But this episode casts doubt on whether Microsoft can guarantee that packaged apps installed from outside its Store can ever be considered safe: as Microsoft notes, the attackers who abused the App Installer protocol were able to impersonate legitimate software installers so convincingly that the fakes were indistinguishable from the real thing.

What this means in practical terms is that it is no longer possible to install packaged Windows apps straight from a web link. Instead, users will need to download the app package before installing it, which Microsoft says gives locally installed antivirus and anti-malware services a chance to scan the package first. Microsoft says that its Defender-based products and services have been updated to address this need, including handling post-compromise scenarios.
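Because the protocol handler is now off by default, any remaining use of it in an organisation's web traffic is worth looking at. The following is an added example (not code from the article or from Microsoft) that scans constructed proxy log lines for `ms-appinstaller:` links, pulls the package location out of the URI's `source` parameter, and flags packages hosted anywhere other than an allow-listed internal host. The log format, the host names and the allow-list are all assumptions made up for this illustration; the `ms-appinstaller:?source=` URI shape itself is the real scheme the handler responds to.

```python
"""Flag ms-appinstaller: links in proxy logs (added example, not from the article).

Assumptions, all constructed for this illustration: the log line format,
the allow-list of package hosts, and the sample log lines themselves.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# The App Installer protocol handler answers to the "ms-appinstaller:" URI
# scheme; the MSIX/.appinstaller location rides in its "source" parameter.
MS_APPINSTALLER_RE = re.compile(r"ms-appinstaller:\?[^\s\"'<>]+", re.IGNORECASE)

# Hypothetical allow-list: the only host this organisation deploys packages from.
ALLOWED_PACKAGE_HOSTS = {"packages.example-corp.internal"}

# Constructed proxy log: line 1 is a direct package download (what Microsoft
# now expects), lines 2-3 are web pages carrying protocol links, line 4 is noise.
SAMPLE_LOG = """\
2023-12-01T10:02:11Z client=10.0.0.21 GET https://packages.example-corp.internal/apps/Tool.appinstaller 200
2023-12-01T10:05:42Z client=10.0.0.33 GET https://ads.example-cdn.test/landing.html 200 link=ms-appinstaller:?source=https://packages.example-corp.internal/apps/Tool.appinstaller
2023-12-01T10:06:03Z client=10.0.0.33 GET https://ads.example-cdn.test/download.html 200 link=ms-appinstaller:?source=https%3A%2F%2Fupdate-zoom.example-bad.test%2FZoom.msix
2023-12-01T10:07:19Z client=10.0.0.45 GET https://www.example-news.test/ 200
"""


def extract_source_url(uri: str) -> Optional[str]:
    """Return the package URL named by an ms-appinstaller: URI, or None."""
    query = uri.split("?", 1)[1] if "?" in uri else ""
    # parse_qs already percent-decodes the value, so encoded URLs come out clean.
    sources = parse_qs(query, keep_blank_values=True).get("source")
    return sources[0] if sources else None


def classify(uri: str) -> dict:
    """Decide whether a protocol link points at an allow-listed package host."""
    source = extract_source_url(uri)
    host = None
    if source:
        host = urlparse(source).hostname
        host = host.lower() if host else None
    if host is None:
        verdict = "malformed"      # no usable package location at all
    elif host in ALLOWED_PACKAGE_HOSTS:
        verdict = "allowed"
    else:
        verdict = "suspicious"     # package served from an unknown host
    return {"uri": uri, "source": source, "host": host, "verdict": verdict}


def scan_log(lines: List[str]) -> List[dict]:
    """Find every ms-appinstaller: link in the log lines and classify it."""
    findings = []
    for line in lines:
        for match in MS_APPINSTALLER_RE.finditer(line):
            findings.append(classify(match.group(0)))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{finding['verdict']:<10} host={finding['host']} source={finding['source']}")
```

Plain HTTPS downloads of `.msix` or `.appinstaller` files (line 1 of the sample) are deliberately not flagged: that is the path Microsoft now steers users to, where the file lands on disk and local antivirus gets to scan it. Only protocol links, which would have triggered an in-place install before the handler was disabled, are reported, and the percent-encoded form on line 3 decodes to the same host check as the plain form.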

“We will continue to monitor future malicious activity and make ongoing improvements to prevent fraud, phishing, and a range of other persistent threats,” the Microsoft Security Response team promises. “Microsoft will remain vigilant as attackers continue evolving their techniques.”



Thurrott © 2024 Thurrott LLC