Microsoft disables MSIX protocol handler abused in Emotet attacks

silversurfer

Aug 17, 2014
Microsoft has disabled the MSIX ms-appinstaller protocol handler exploited in malware attacks to install malicious apps directly from a website via a Windows AppX Installer spoofing vulnerability.
Today's decision comes after the company released security updates to address the flaw (tracked as CVE-2021-43890) during the December 2021 Patch Tuesday and provided workarounds to disable the MSIX scheme without deploying the patches.
The likely reason for disabling the protocol altogether is to protect all Windows customers, including those who haven't yet installed the December security updates or applied the workarounds.

"We are actively working to address this vulnerability. For now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer," said Microsoft Program Manager Dian Hartono.
"We recognize that this feature is critical for many enterprise organizations. We are taking the time to conduct thorough testing to ensure that re-enabling the protocol can be done in a secure manner.
"We are looking into introducing a Group Policy that would allow IT administrators to re-enable the protocol and control usage of it within their organizations."
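The post mentions that Microsoft published workarounds to disable the ms-appinstaller scheme locally before the patch was available. The following PowerShell audit helper is an added example, not code from the post, from BleepingComputer or from Microsoft. It assumes that the published "Enable App Installer ms-appinstaller protocol" Group Policy is stored as the DWORD value `EnableMSAppInstallerProtocol` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller`, and that the URL scheme is registered under `HKEY_CLASSES_ROOT\ms-appinstaller`; the function name `Get-MsAppInstallerProtocolState` is invented for this example.

```powershell
# Added audit helper (not from the post or from Microsoft): reports whether the
# local ms-appinstaller protocol workaround for CVE-2021-43890 is applied.
# Assumption: the Group Policy "Enable App Installer ms-appinstaller protocol"
# writes the DWORD EnableMSAppInstallerProtocol under the AppInstaller policy
# key, and the scheme itself is registered under HKEY_CLASSES_ROOT\ms-appinstaller.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyValue = 'EnableMSAppInstallerProtocol'
$ProtocolKey = 'Registry::HKEY_CLASSES_ROOT\ms-appinstaller'

function Get-MsAppInstallerProtocolState {
    # Collect the three facts a defender needs: is the scheme registered at all,
    # is a policy value present, and does that policy value disable the scheme.
    $state = [ordered]@{
        ProtocolRegistered = Test-Path -Path $ProtocolKey
        PolicyPresent      = $false
        PolicyDisables     = $false
    }

    if (Test-Path -Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        # Dynamic property access returns $null when the value does not exist.
        if ($null -ne $item -and $null -ne $item.$PolicyValue) {
            $state.PolicyPresent  = $true
            $state.PolicyDisables = ($item.$PolicyValue -eq 0)
        }
    }

    return [pscustomobject]$state
}

$s = Get-MsAppInstallerProtocolState
$s | Format-List

if ($s.ProtocolRegistered -and -not $s.PolicyDisables) {
    Write-Warning 'ms-appinstaller is registered and no local policy disables it; confirm the December 2021 update is installed or apply the workaround policy.'
} else {
    Write-Host 'ms-appinstaller is not usable on this host (scheme unregistered or disabled by policy).'
}
```

Run it in an elevated PowerShell session on each endpoint, or wrap it in a configuration-management check. Note that the server-side disabling Microsoft describes in the post leaves no trace in the local registry, so a host can report the scheme as registered and not policy-disabled while web-based installs still fail; the local policy is the only state this script can verify.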