Microsoft has disabled a feature that let Windows applications be installed directly from a web page, a capability attackers were abusing to deliver malware. After identifying the abuse, the company disabled the ms-appinstaller URI scheme in App Installer version 1.21.3421.0 and later because of the security weaknesses it exposed.
Malware Distribution Thwarted
The ms-appinstaller protocol let users download and install MSIX-packaged applications straight from a web page without saving the package locally, a convenience that became popular among Windows users. Malicious actors, however, found a way to bypass protections such as Microsoft Defender SmartScreen and browser download safeguards, reviving a malware threat similar to the one described in CVE-2021-43890. Microsoft's security team observed malware authors abusing ms-appinstaller to sidestep trust mechanisms, using code-signing certificates issued by authorities that the platform treats as trusted.
Certificate Authorities Under Scrutiny
Having discovered the misuse, Microsoft is now coordinating with certificate authorities to revoke the compromised code-signing certificates. Certificates are central to app integrity: the digital signature attests to the publisher's identity and lets the system verify that the package has not been tampered with since it was signed. Microsoft previously relied on app developers to sign their packages with paid certificates from these authorities, but this incident has exposed shortcomings in that certificate trust model.
Enterprises that used the ms-appinstaller URI scheme after its reintroduction in August 2022 (with Windows 11 Insider Preview Build 25147) and before the identified threat period are advised to update to the latest version of App Installer and adjust their group policies accordingly. Rolling these changes out across a network takes effort, but it is necessary to secure the app distribution channel and ensure that the proper security checks are enforced.
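The two remediation steps above, audited and applied from an elevated PowerShell session, as an added example that is not part of the article or of any Microsoft tooling. It assumes the App Installer policy is a DWORD named EnableMSAppInstallerProtocol under HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller (0 = protocol disabled); confirm that name and path against current Microsoft documentation before deploying it.

```powershell
# Added example (not from the article). Checks the installed App Installer version
# against the fixed build named in the text and pins the ms-appinstaller protocol
# off via policy. Policy path/value name are an assumption; verify before use.

$MinimumVersion = [version]'1.21.3421.0'   # first version with the scheme disabled
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'

function Get-AppInstallerStatus {
    # App Installer ships as the Microsoft.DesktopAppInstaller package; inspect every
    # user profile so a stale copy in a secondary account is not overlooked.
    $pkgs = Get-AppxPackage -AllUsers -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue
    $lowest = $pkgs | ForEach-Object { [version]$_.Version } | Sort-Object | Select-Object -First 1

    $policy = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    $policyValue = $null
    if ($policy) { $policyValue = $policy.$PolicyName }

    [pscustomobject]@{
        LowestInstalledVersion = $lowest
        VersionIsPatched       = ($null -ne $lowest) -and ($lowest -ge $MinimumVersion)
        ProtocolPolicyValue    = $policyValue
        ProtocolExplicitlyOff  = ($null -ne $policyValue) -and ($policyValue -eq 0)
    }
}

function Disable-MSAppInstallerProtocol {
    # Defence in depth: set the policy even on hosts already running a fixed build,
    # so a later downgrade or an unpatched profile cannot silently re-enable it.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $PolicyName -Value 0 -PropertyType DWord -Force | Out-Null
}

$status = Get-AppInstallerStatus
$status | Format-List

if (-not $status.VersionIsPatched) {
    Write-Warning "App Installer is older than $MinimumVersion; update it before relying on the version-based fix."
}
if (-not $status.ProtocolExplicitlyOff) {
    Disable-MSAppInstallerProtocol
    Write-Output "Set $PolicyName=0 under $PolicyPath; the ms-appinstaller URI scheme is now blocked by policy."
}
```

For fleet-wide rollout the same registry value can be delivered through Group Policy rather than per host; the script is useful as a compliance check that the policy actually landed.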
Microsoft has not officially commented on the issue. Still, the decision underlines the ongoing challenge software vendors face in balancing convenience features against robust security, particularly when threat actors continuously probe for any available weakness.