Last Updated on 05/02/2022 by Nidhi Khandelwal
The MSIX ms-appinstaller protocol handler, which was abused in malware attacks to install malicious software directly from a website through a Windows AppX Installer spoofing vulnerability, has been disabled by Microsoft.
The company made the decision today, after releasing security updates to fix the problem (tracked as CVE-2021-43890) on the December 2021 Patch Tuesday and providing workarounds to disable the MSIX scheme without installing the patches.
The decision to disable the protocol entirely is most likely intended to protect all Windows users, including those who have not yet installed the December security updates or applied the workarounds.
“We’re working hard to address this vulnerability. For the time being, the ms-appinstaller scheme (protocol) has been deactivated. App Installer will not be able to install an app directly from a web server as a result of this. Instead, customers will need to download the software to their device first, then utilize App Installer to install the bundle,” said Microsoft Program Manager Dian Hartono.
“We understand how important this capability is for many enterprise firms. We’re taking the time to do extensive testing to verify that re-enabling the protocol is done safely.
“We’re considering establishing a Group Policy that would allow IT administrators to re-enable the protocol and restrict its use within their businesses,” says the company.
Emotet began spreading and infecting Windows 10 and Windows 11 devices in early December, according to BleepingComputer, by employing malicious Windows AppX Installer packages disguised as Adobe PDF applications.