Summary

In recent months, Microsoft Threat Intelligence has observed threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. We have addressed and mitigated this malicious activity by turning off ms-appinstaller by default. Additionally, Microsoft has coordinated with Certificate Authorities to revoke the abused code signing certificates utilized by malware samples we have identified.

Upon detection of this attack vector, Microsoft launched an investigation to ensure proper detections existed within Microsoft Defender for Endpoint and Microsoft Defender for Office to protect our customers.

Background

Microsoft initially introduced the ms-appinstaller URI scheme handler in App Installer v1.0.12271.0 to improve the installation experience for MSIX and MSIXBundles.

Recently, malicious activity was observed where bad actors are now using the ms-appinstaller URI scheme handler to trick users into installing malicious software. We highly recommend customers do not install apps from unknown websites.

Mitigations

On December 28th, 2023, Microsoft updated CVE-2021-43890 to disable ms-appinstaller URI scheme (protocol) by default, as a security response to protect customers from attackers’ evolving techniques against previous safeguards. This means that users will no longer be able to install an app directly from a web page using the MSIX package installer. Instead, users will be required to download the MSIX package first in order to install it, which ensures that locally installed antivirus protections will run.

We will continue to monitor future malicious activity and make ongoing improvements to prevent fraud, phishing, and a range of other persistent threats. Microsoft will remain vigilant as attackers continue evolving their techniques. Please refer to the Microsoft Threat Intelligence Blog: Financially motivated threat actors misusing App Installer for additional details and guidance.

To address this issue

1. Microsoft has disabled the ms-appinstaller URI scheme handler by default in App Installer version 1.21.3421.0 or higher and if you have not specifically enabled the EnableMSAppInstallerProtocol, no further action is needed.

   • Customers can check which version of App Installer is installed on their system by running the following PowerShell command: (Get-AppxPackage Microsoft.DesktopAppInstaller).Version
   • For information on how to update your App Installer, see Install and update the App Installer.

How to determine whether you may be at risk

1. The EnableMSAppInstallerProtocol group policy is set to “Not Configured” (blank) or “Enabled”

2. The version of App Installer installed on your PC is between v1.18.2691 and v1.21.3421

3. Windows OS updates listed below between October 2022 and March 2023 contained a previous (vulnerable) version of the AppInstaller.

   • March 21, 2023—KB5023773 (OS Builds 19042.2788, 19044.2788, and 19045.2788) Preview - Microsoft Support

   • July 11, 2023—KB5028171 (OS Build 20348.1850) - Microsoft Support

   • March 28, 2023—KB5023774 (OS Build 22000.1761) Preview - Microsoft Support

   • October 25, 2022—KB5018496 (OS Build 22621.755) Preview - Microsoft Support

   • Also, customers using builds v1.22.3452-preview or lower also contained vulnerable versions of AppInstaller.

Note: (not recommended) Customers that must use the ms-appinstaller protocol can still use the App Installer by setting the Group Policy EnableMSAppInstallerProtocol to Disabled. See Policy CSP – DesktopAppInstaller for additional information.

References

• Installing Windows 10 apps from a web page - MSIX | Microsoft Learn
• CVE Link
• Financially motivated threat actors misusing App Installer