URL: https://msrc.microsoft.com/blog/2023/12/microsoft-addresses-app-installer-abuse/

MICROSOFT ADDRESSES APP INSTALLER ABUSE

By MSRC / December 28, 2023 / 2 min read


SUMMARY

In recent months, Microsoft Threat Intelligence has observed threat actors
leveraging social engineering and phishing techniques to target Windows OS users
and utilizing the ms-appinstaller URI scheme. We have addressed and mitigated
this malicious activity by turning off ms-appinstaller by default. Additionally,
Microsoft has coordinated with Certificate Authorities to revoke the abused code
signing certificates utilized by malware samples we have identified.

Upon detection of this attack vector, Microsoft launched an investigation to
ensure proper detections existed within Microsoft Defender for Endpoint and
Microsoft Defender for Office to protect our customers.


BACKGROUND

Microsoft initially introduced the ms-appinstaller URI scheme handler in App
Installer v1.0.12271.0 to improve the installation experience for MSIX and
MSIXBundles.

Recently, malicious activity was observed in which bad actors use the
ms-appinstaller URI scheme handler to trick users into installing malicious
software. We highly recommend that customers not install apps from unknown
websites.


MITIGATIONS

On December 28th, 2023, Microsoft updated CVE-2021-43890 to disable the
ms-appinstaller URI scheme (protocol) by default, as a security response to
protect customers from attackers’ evolving techniques against previous
safeguards. This means that users will no longer be able to install an app
directly from a web page using the MSIX package installer. Instead, users will
be required to download the MSIX package first in order to install it, which
ensures that locally installed antivirus protections will run.

We will continue to monitor future malicious activity and make ongoing
improvements to prevent fraud, phishing, and a range of other persistent
threats. Microsoft will remain vigilant as attackers continue evolving their
techniques. Please refer to the Microsoft Threat Intelligence Blog: Financially
motivated threat actors misusing App Installer for additional details and
guidance.


TO ADDRESS THIS ISSUE

 1. Microsoft has disabled the ms-appinstaller URI scheme handler by default in
    App Installer version 1.21.3421.0 or higher. If you have not specifically
    enabled the EnableMSAppInstallerProtocol policy, no further action is
    needed.
    
    * Customers can check which version of App Installer is installed on their
      system by running the following PowerShell command:
      
          (Get-AppxPackage Microsoft.DesktopAppInstaller).Version
      
    * For information on how to update your App Installer, see Install and
      update the App Installer.


HOW TO DETERMINE WHETHER YOU MAY BE AT RISK

 1. The EnableMSAppInstallerProtocol group policy is set to “Not Configured”
    (blank) or “Enabled”

 2. The version of App Installer installed on your PC is between v1.18.2691 and
    v1.21.3421

 3. Windows OS updates listed below between October 2022 and March 2023
    contained a previous (vulnerable) version of the AppInstaller.
    
    * March 21, 2023—KB5023773 (OS Builds 19042.2788, 19044.2788, and
      19045.2788) Preview - Microsoft Support
    
    * July 11, 2023—KB5028171 (OS Build 20348.1850) - Microsoft Support
    
    * March 28, 2023—KB5023774 (OS Build 22000.1761) Preview - Microsoft Support
    
    * October 25, 2022—KB5018496 (OS Build 22621.755) Preview - Microsoft
      Support
    
    * Builds v1.22.3452-preview or lower also contained vulnerable versions of
      AppInstaller.

Note: (not recommended) Customers that must use the ms-appinstaller protocol can
still use the App Installer by setting the Group Policy
EnableMSAppInstallerProtocol to Disabled. See Policy CSP – DesktopAppInstaller
for additional information.


REFERENCES

 * Installing Windows 10 apps from a web page - MSIX | Microsoft Learn
 * CVE Link
 * Financially motivated threat actors misusing App Installer
