Microsoft has disabled a Windows App Installer feature after its December Patch Tuesday disclosure that it was being actively exploited to install unwanted apps.
The flaw was bad news for Windows domains, with Microsoft confirming that attackers were using this vulnerability to install specially crafted packages and spread the Emotet/Trickbot/Bazaloader malware families.
The Windows AppX Installer is a Windows 10 feature that allows users to install .appx packages.
In a blogpost explaining why it’s switched off the ms-appinstaller protocol for the MSIX Windows app package format, Microsoft says that an attacker can use that protocol to “spoof App Installer to install a package that the user did not intend to install”.
For now, it appears Microsoft hasn’t fully addressed the vulnerability detailed in its December advisory for CVE-2021-43890. With the protocol disabled, admins could see the download size for some app packages grow, and it could create a block for enterprises that distribute apps directly from a web page rather than, say, the Microsoft Store.
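For admins who need to find which of their own distribution pages depend on the disabled scheme, the following added example (not code from Microsoft or from this article) lists every ms-appinstaller link in a page's HTML along with the package URL it points to. It assumes links take the `ms-appinstaller:?source=<package URL>` form; the function name and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import parse_qs, urlsplit

SCHEME = "ms-appinstaller"  # the scheme the article says was disabled


class _HrefCollector(HTMLParser):
    """Collect every href attribute value found in an HTML document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        self.hrefs += [v.strip() for k, v in attrs if k == "href" and v]


def find_appinstaller_links(html):
    """Return one finding per link that relies on the ms-appinstaller scheme."""
    collector = _HrefCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        parts = urlsplit(href)  # urlsplit lower-cases the scheme
        if parts.scheme != SCHEME:
            continue
        # Assumed link shape: ms-appinstaller:?source=<package URL>
        source = parse_qs(parts.query).get("source", [None])[0]
        target = urlsplit(source) if source else None
        findings.append({
            "href": href,
            "package_url": source,  # None when the link has no source parameter
            "package_type": splitext(target.path)[1].lower() if target else None,
            "plain_http": target is not None and target.scheme == "http",
        })
    return findings


# Constructed sample page, not taken from any real site.
SAMPLE_PAGE = """
<a href="ms-appinstaller:?source=https://apps.example.test/tools/Viewer.msix">Install</a>
<a href="MS-AppInstaller:?source=http://intranet.example.test/pkg/Agent.appinstaller">Install</a>
<a href="https://apps.example.test/tools/Viewer.msix">Download</a>
<a href="ms-appinstaller:?src=oops">Broken</a>
"""

if __name__ == "__main__":
    for finding in find_appinstaller_links(SAMPLE_PAGE):
        print(finding)
```

Links reported with `plain_http` set to true fetch their package over unencrypted HTTP and are worth reviewing first.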
“We are actively working to address this vulnerability,” Microsoft says in a blogpost. “For now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an app directly from a web server. Instead, users