In recent months, Microsoft Threat Intelligence has observed threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. We have addressed and mitigated this malicious activity by turning off ms-appinstaller by default. Additionally, Microsoft has coordinated with Certificate Authorities to revoke the abused code signing certificates utilized by malware samples we have identified.
Upon detection of this attack vector, Microsoft launched an investigation to ensure proper detections existed within Microsoft Defender for Endpoint and Microsoft Defender for Office to protect our customers.
Microsoft initially introduced the ms-appinstaller URI scheme handler in App Installer v1.0.12271.0 to improve the installation experience for MSIX and MSIXBundles.
Recently, malicious activity was observed where bad actors are now using the ms-appinstaller URI scheme handler to trick users into installing malicious software. We highly recommend customers do not install apps from unknown websites.
On December 28th, 2023, Microsoft updated CVE-2021-43890 to disable ms-appinstaller URI scheme (protocol) by default, as a security response to protect customers from attackers’ evolving techniques against previous safeguards. This means that users will no longer be able to install an app directly from a web page using the MSIX package installer. Instead, users will be required to download the MSIX package first in order to install it, which ensures that locally installed antivirus protections will run.
We will continue to monitor future malicious activity and make ongoing improvements to prevent fraud, phishing, and a range of other persistent threats. Microsoft will remain vigilant as attackers continue evolving their techniques. Please refer to the Microsoft Threat Intelligence Blog: Financially motivated threat actors misusing App Installer for additional details and guidance.
Microsoft has disabled the ms-appinstaller URI scheme handler by default in App Installer version 1.21.3421.0 or higher and if you have not specifically enabled the EnableMSAppInstallerProtocol, no further action is needed.
(Get-AppxPackage Microsoft.DesktopAppInstaller).Version
The EnableMSAppInstallerProtocol group policy is set to “Not Configured” (blank) or “Enabled”
The version of App Installer installed on your PC is between v1.18.2691 and v1.21.3421
Windows OS updates listed below between October 2022 and March 2023 contained a previous (vulnerable) version of the AppInstaller.
July 11, 2023—KB5028171 (OS Build 20348.1850) - Microsoft Support
March 28, 2023—KB5023774 (OS Build 22000.1761) Preview - Microsoft Support
October 25, 2022—KB5018496 (OS Build 22621.755) Preview - Microsoft Support
Also, customers using builds v1.22.3452-preview or lower also contained vulnerable versions of AppInstaller.
Note: (not recommended) Customers that must use the ms-appinstaller protocol can still use the App Installer by setting the Group Policy EnableMSAppInstallerProtocol to Disabled. See Policy CSP – DesktopAppInstaller for additional information.