Microsoft officially announced today that, in order to prevent malicious attacks, it has disabled the MSIX App Installer protocol handler (the ms-appinstaller: link scheme). This protocol allowed users to install applications directly from a web server without first downloading the package to local storage. The thinking at the time was that this approach would save space for the user, since the entire MSIX package would not need to be downloaded.
However, it has been observed that this Windows App Installer protocol is being used to distribute malicious PDF files, for example the Emotet and BazarLoader malware. The protocol was therefore disabled last year, but the change was only officially announced today. The underlying Windows AppX Installer spoofing vulnerability has been assigned CVE-2021-43890.
The announcement post said:
“We were recently informed that MSIX’s ms-appinstaller protocol could be used maliciously. Specifically, an attacker could trick the App Installer into installing a package that the user did not intend to install.
[…] Currently, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an application directly from a web server. Instead, users will need to first download the app to their device and then install the package with the App Installer. This may increase the download size of some packages.”
Here’s how you can stop using the protocol on your own website.
“If you utilize the ms-appinstaller protocol on your website, we recommend that you update your application’s links to remove ‘ms-appinstaller:?source=’ so that the MSIX package or App Installer file will be downloaded to the user’s device.”
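As an added example that is not part of the article or of Microsoft’s guidance, the script below does the link update described above for a site owner: it finds every ms-appinstaller: link in a page’s HTML, extracts the package URL from the source= parameter, and rewrites the link to that direct https URL so the browser downloads the .msix/.appinstaller file instead of invoking the protocol handler. The sample HTML and the example.test hostname are constructed for the demonstration; links whose source is not an http(s) URL are left untouched and reported rather than rewritten.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scheme prefix that the announcement asks site owners to remove from links.
PREFIX = "ms-appinstaller:"

# Constructed sample page (not from the article): two protocol links, one ordinary link.
SAMPLE_HTML = """<a href="ms-appinstaller:?source=https://example.test/downloads/MyApp.msixbundle">Install MyApp</a>
<a href="ms-appinstaller:?source=https%3A%2F%2Fexample.test%2FMyApp.appinstaller">Install via .appinstaller</a>
<a href="https://example.test/docs">Documentation</a>
"""

HREF_RE = re.compile(r'(href=")([^"]*)(")', re.IGNORECASE)


def direct_url(href):
    """Return the https/http package URL carried by an ms-appinstaller: link.

    Returns None when the href does not use the protocol, has no source=
    parameter, or its source is not an http(s) URL (nothing else should be
    turned into a plain download link).
    """
    if not href.lower().startswith(PREFIX):
        return None
    query = href[len(PREFIX):].lstrip("?")
    params = parse_qs(query)          # percent-decodes the value for us
    sources = params.get("source")
    if not sources:
        return None
    url = sources[0]
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return None
    return url


def find_protocol_links(html):
    """List every href in the page that still uses the ms-appinstaller: scheme."""
    return [m.group(2) for m in HREF_RE.finditer(html)
            if m.group(2).lower().startswith(PREFIX)]


def rewrite_links(html):
    """Rewrite protocol links to direct package URLs.

    Returns (new_html, skipped) where skipped lists protocol links that could
    not be safely rewritten and therefore still need manual attention.
    """
    skipped = []

    def repl(match):
        href = match.group(2)
        new = direct_url(href)
        if new is None:
            if href.lower().startswith(PREFIX):
                skipped.append(href)
            return match.group(0)      # leave non-protocol and unsafe links as they are
        return f"{match.group(1)}{new}{match.group(3)}"

    return HREF_RE.sub(repl, html), skipped


if __name__ == "__main__":
    print("protocol links found:", find_protocol_links(SAMPLE_HTML))
    new_html, skipped = rewrite_links(SAMPLE_HTML)
    print(new_html)
    print("links needing manual review:", skipped)
```

Run it over a saved copy of each page and review the skipped list; after the rewrite, the only change a visitor sees is that clicking the link downloads the package, which they then open with App Installer locally.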
Microsoft also said it is looking into how to re-enable the protocol securely at some point in the future, for example by adding group policies. For now, the workaround above is a temporary measure to prevent malicious attacks. The company noted:
“We are taking the time to conduct thorough testing to ensure that the protocol can be re-enabled in a secure manner. We are looking into introducing a group policy that would allow IT administrators to re-enable the protocol and control its use within the organization.”