Microsoft addresses App Installer abuse

MSRC Blog:

Summary

In recent months, Microsoft Threat Intelligence has observed threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. We have addressed and mitigated this malicious activity by turning off ms-appinstaller by default. Additionally, Microsoft has coordinated with Certificate Authorities to revoke the abused code signing certificates utilized by malware samples we have identified.

Upon detection of this attack vector, Microsoft launched an investigation to ensure proper detections existed within Microsoft Defender for Endpoint and Microsoft Defender for Office to protect our customers.

Background

Microsoft initially introduced the ms-appinstaller URI scheme handler in App Installer v1.0.12271.0 to improve the installation experience for MSIX and MSIXBundles.

Recently, malicious activity was observed where bad actors are now using the ms-appinstaller URI scheme handler to trick users into installing malicious software. We highly recommend customers do not install apps from unknown websites.

Mitigations

On December 28th, 2023, Microsoft updated CVE-2021-43890 to disable the ms-appinstaller URI scheme (protocol) by default, as a security response to protect customers from attackers' evolving techniques against previous safeguards. This means that users will no longer be able to install an app directly from a web page using the MSIX package installer. Instead, users will be required to download the MSIX package first in order to install it, which ensures that locally installed antivirus protections will run.

We will continue to monitor future malicious activity and make ongoing improvements to prevent fraud, phishing, and a range of other persistent threats. Microsoft will remain vigilant as attackers continue evolving their techniques. Please refer to the Microsoft Threat Intelligence Blog: Financially motivated threat actors misusing App Installer for additional details and guidance.

To address this issue

  1. Microsoft has disabled the ms-appinstaller URI scheme handler by default in App Installer version 1.21.3421.0 or higher; if you have not specifically enabled the EnableMSAppInstallerProtocol policy, no further action is needed.
    • Customers can check which version of App Installer is installed on their system by running the following PowerShell command: (Get-AppxPackage Microsoft.DesktopAppInstaller).Version
    • For information on how to update your App Installer, see Install and update the App Installer.

How to determine whether you may be at risk

  1. The EnableMSAppInstallerProtocol group policy is set to “Not Configured” (blank) or “Enabled”
  2. The version of App Installer installed on your PC is between v1.18.2691 and v1.21.3421
  3. Windows OS updates listed below between October 2022 and March 2023 contained a previous (vulnerable) version of the AppInstaller.
Note: (not recommended) Customers that must use the ms-appinstaller protocol can still use the App Installer by setting the Group Policy EnableMSAppInstallerProtocol to Disabled. See Policy CSP – DesktopAppInstaller for additional information.
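As an added illustration (not part of the MSRC post or of this thread), the following PowerShell script turns the version check from "To address this issue" and the first two indicators above into one assessment: it reads the App Installer version with the same command the post gives, compares it with the version boundaries the post lists, and reads the state of the EnableMSAppInstallerProtocol policy. The registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller is my assumption based on the DesktopAppInstaller policy CSP, not something the post states; the third indicator (the Windows OS update list) is not implemented because that list is not reproduced here.

```powershell
# Added example: assess exposure to ms-appinstaller abuse on the local machine.
# Version boundaries come from the post; the policy registry path is an assumption.

# Affected range starts here; builds at or above the fixed version turn the handler off by default.
$VulnerableFrom = [version]'1.18.2691.0'
$FixedVersion   = [version]'1.21.3421.0'

# ASSUMED location of the "EnableMSAppInstallerProtocol" Group Policy (DesktopAppInstaller CSP).
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyValue = 'EnableMSAppInstallerProtocol'

function Get-AppInstallerVersion {
    # Same command the post gives, hardened for a missing package or several staged versions.
    $pkg = Get-AppxPackage -Name Microsoft.DesktopAppInstaller -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending |
           Select-Object -First 1
    if ($null -eq $pkg) { return $null }
    return [version]$pkg.Version
}

function Get-MSAppInstallerProtocolPolicy {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' (value absent = "Not Configured", blank in gpedit).
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$PolicyValue -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Test-MSAppInstallerExposure {
    $ver     = Get-AppInstallerVersion
    $policy  = Get-MSAppInstallerProtocolPolicy
    $reasons = @()

    switch ($policy) {
        'Disabled' {
            # Policy blocks the protocol regardless of the installed version: nothing to report.
        }
        'Enabled' {
            # Indicator 1: an explicit Enabled keeps the handler reachable even on fixed builds.
            $reasons += "$PolicyValue is explicitly Enabled, so the URI handler stays active"
        }
        default {
            # Not Configured: only the installed version decides (indicator 2).
            if ($null -eq $ver) {
                $reasons += 'App Installer package not found; verify the version manually'
            } elseif ($ver -lt $FixedVersion) {
                $reasons += "App Installer $ver is below $FixedVersion (affected range starts at $VulnerableFrom)"
            }
        }
    }

    [pscustomobject]@{
        AppInstallerVersion = $ver
        ProtocolPolicy      = $policy
        Exposed             = ($reasons.Count -gt 0)
        Reasons             = $reasons
    }
}

# Usage: run in an elevated PowerShell window for the machine-wide policy read.
Test-MSAppInstallerExposure | Format-List
```

Get-AppxPackage without -AllUsers reports the package for the current user only; on a shared machine, run it with -AllUsers (requires elevation) to see the lowest version any profile still carries.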

I've noticed on multiple PCs running Win11 that App Installer was updated via the Microsoft Store.
When I tried to update, I found mine was already updated to the latest version.
I've noticed on multiple PCs running Win11 that App Installer was updated via the Microsoft Store.



That may explain why mine wasn't updated. I keep MS Store blocked in my firewall, until I need to use the Store for something.

Then I block it again, right afterwards.
Uh-huh. I still haven't plugged it in.
If it doesn't show up in Revo Uninstaller or elsewhere and you want to make sure you have the safe version, 1.21.3482.0, copy and paste this in PowerShell.


Code:
(Get-AppxPackage Microsoft.DesktopAppInstaller).Version
Does show up in BCUninstaller:

:wink: