Microsoft Addresses Windows AppX Installer Spoofing Vulnerability Seeing Renewed Exploitation (CVE-2021-43890)

Microsoft has updated its advisory for a two-year-old spoofing vulnerability in the Windows AppX Installer, tracked as CVE-2021-43890, in response to reports of an increase in exploitation attempts. Threat actors exploit the vulnerability through social engineering and phishing, targeting Windows users with links that use the ms-appinstaller URI scheme.

Microsoft has also coordinated with Certificate Authorities to revoke the compromised code-signing certificates used by the malware samples it identified.

The attackers exploited the vulnerability using specially crafted packages that delivered malware from the Emotet, Trickbot and Bazaloader families.

An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker must then convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those with administrative user rights.
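Because the lure in these campaigns is a link using the ms-appinstaller URI scheme, the scheme itself is a useful hunting indicator in proxy or mail-gateway logs. The following PowerShell script is an added example (not from the Qualys post or from Microsoft) that scans URL-bearing log records for ms-appinstaller links, decodes the package URL the link would have fetched, and lists the package hosts for block-list review; it also flags direct MSIX package downloads, which become the visible event once the protocol handler is disabled. The log lines and host names are constructed for the example, and the `url=`/`user=` field layout is an assumption about the log format.

```powershell
# Added example, not part of the original post: hunt for ms-appinstaller links and
# direct MSIX package downloads in URL-bearing log records (constructed sample data).

$SampleLog = @'
2023-12-28T10:14:02Z user=alice url=https://intranet.example.test/policy.pdf action=allow
2023-12-28T10:15:40Z user=bob url=ms-appinstaller:?source=https://cdn.badhost.invalid/Invoice_2023.msixbundle action=allow
2023-12-28T10:16:11Z user=carol url=https://store.example.test/downloads/setup.msix action=allow
2023-12-28T10:17:55Z user=dave url=ms-appinstaller:?source=http%3A%2F%2Fupdates.otherhost.invalid%2FAdobe_Reader.msix action=allow
'@

function Find-PackageInstallLinks {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        $reason = $null
        $src    = $null

        # Pattern 1: the ms-appinstaller URI scheme described in the advisory.
        # The package URL follows "source=" and may be percent-encoded.
        if ($line -match 'url=ms-appinstaller:\?source=(?<src>\S+)') {
            $src    = [uri]::UnescapeDataString($Matches['src'])
            $reason = 'ms-appinstaller protocol link (CVE-2021-43890 lure pattern)'
        }
        # Pattern 2: a direct download of an MSIX package or .appinstaller manifest.
        elseif ($line -match 'url=(?<src>https?://\S+\.(msix|msixbundle|appinstaller))(\s|$)') {
            $src    = $Matches['src']
            $reason = 'direct MSIX package download'
        }

        if (-not $reason) { continue }

        $user = ''
        if ($line -match 'user=(\S+)') { $user = $Matches[1] }

        $parsed = $null
        $isUri  = [uri]::TryCreate($src, [System.UriKind]::Absolute, [ref]$parsed)
        $packageHost = 'unparsable'
        $package     = $src
        if ($isUri) {
            $packageHost = $parsed.Host
            $package     = [IO.Path]::GetFileName($parsed.AbsolutePath)
        }

        [pscustomobject]@{
            Timestamp   = ($line -split '\s+')[0]
            User        = $user
            PackageHost = $packageHost
            Package     = $package
            Reason      = $reason
        }
    }
}

$hits = Find-PackageInstallLinks -Lines ($SampleLog -split "`r?`n")
$hits | Format-Table -AutoSize

# Distinct package hosts are the candidates for the URL block-list review.
$hits | Select-Object -ExpandProperty PackageHost -Unique
```

On the constructed sample, the two ms-appinstaller lines and the direct `setup.msix` download are reported, while the PDF link is not. In a real deployment the regular expressions would be adapted to the log format in use, and hits on approved internal package hosts would be filtered against an allow list before the remainder is reviewed.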

Affected Versions

  • Windows 10 version 1809 and later
  • Windows 10 version 1709 or Windows 10 version 1803

Mitigation

In the latest updates, Microsoft has changed the App Installer to disable the ms-appinstaller protocol by default. Users who previously installed an app directly from a web page through the MSIX package installer will now have to download the MSIX package first and then install it. This ensures that locally installed antivirus protections run during installation.

Updates released by Microsoft to address the vulnerability:

Microsoft has disabled the ms-appinstaller URI scheme handler by default in App Installer version 1.21.3421.0 or higher. No further action is needed if EnableMSAppInstallerProtocol is not specifically enabled.

Customers can check which version of App Installer is installed on their system by running the PowerShell command (Get-AppxPackage Microsoft.DesktopAppInstaller).Version. For information on how to update the App Installer, see Install and update the App Installer.
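Checking the version alone is not enough: the fixed App Installer disables the protocol only while the EnableMSAppInstallerProtocol policy is not explicitly enabled. The following PowerShell script is an added example (not from the Qualys post or from Microsoft) that combines both checks and reports whether a host still exposes the protocol handler. The version threshold 1.21.3421.0 is taken from the advisory text quoted above; the policy registry location is the standard Windows AppInstaller policy key that backs the 'Enable App Installer ms-appinstaller protocol' Group Policy setting, and should be confirmed against the ADMX files in your environment.

```powershell
# Added example, not part of the original post: report the CVE-2021-43890 mitigation
# posture of this host from the App Installer version and the protocol policy.

$FixedVersion = [version]'1.21.3421.0'                      # from the advisory text
$PolicyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'  # standard AppInstaller policy key
$PolicyValue  = 'EnableMSAppInstallerProtocol'

function Get-AppInstallerPosture {
    # Get-AppxPackage can return one object per installed copy; keep the highest version.
    $pkg = Get-AppxPackage -Name Microsoft.DesktopAppInstaller -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending |
           Select-Object -First 1

    $installedVersion = $null
    if ($pkg) { $installedVersion = [version]$pkg.Version }

    # $null means the policy is not configured, which leaves the protocol disabled
    # once the fixed App Installer is present.
    $policy = $null
    if (Test-Path $PolicyPath) {
        $policy = (Get-ItemProperty -Path $PolicyPath -Name $PolicyValue -ErrorAction SilentlyContinue).$PolicyValue
    }

    $versionFixed    = ($null -ne $installedVersion) -and ($installedVersion -ge $FixedVersion)
    $policyReenabled = ($policy -eq 1)

    if (-not $pkg) {
        $status  = 'Unknown'
        $finding = 'App Installer package not found for this user; verify with -AllUsers from an elevated session'
    } elseif (-not $versionFixed) {
        $status  = 'Exposed'
        $finding = "App Installer $installedVersion is below $FixedVersion; update App Installer"
    } elseif ($policyReenabled) {
        $status  = 'Exposed'
        $finding = "Policy $PolicyValue=1 re-enables the protocol; review and remove the setting"
    } else {
        $status  = 'Mitigated'
        $finding = 'Fixed App Installer present and protocol not re-enabled by policy'
    }

    $versionText = 'not installed'
    if ($installedVersion) { $versionText = $installedVersion.ToString() }
    $policyText = 'not configured'
    if ($null -ne $policy) { $policyText = $policy }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AppInstallerVersion = $versionText
        VersionFixed        = $versionFixed
        PolicyValue         = $policyText
        Status              = $status
        Finding             = $finding
    }
}

Get-AppInstallerPosture | Format-List
```

Run without elevation the script inspects the current user's package; to cover every profile on a shared machine, add `-AllUsers` to the Get-AppxPackage call from an elevated session. The resulting object is easy to collect centrally, which makes it a lightweight cross-check against the Qualys controls listed below.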

For more information, please refer to the Microsoft Blog.

EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)

Qualys Policy Compliance's out-of-the-box Mitigation or Compensatory Controls reduce the risk of a vulnerability being exploited when the remediation (fix/patch) cannot be applied right away; these controls are not drawn from industry standards such as CIS or DISA STIG.

Qualys Policy Compliance team releases these exclusive controls based on vendor-suggested Mitigation/Workaround.

Mitigation refers to a setting, common configuration, or general best-practice existing in a default state that could reduce the severity of the exploitation of a vulnerability.

A workaround is sometimes used temporarily for achieving a task or goal when the usual or planned method isn’t working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.

The following Qualys Policy Compliance Control IDs (CIDs) and System Defined Controls (SDC) have been updated to support Microsoft recommended mitigation(s) for this Patch Tuesday:

  • 25903 Status of ‘Enable App Installer ms-appinstaller protocol’ setting
  • 19060 Status of the ‘Prevent non-admin users from installing packaged Windows apps’ setting
  • 13350 List of executable Rules under AppLocker (whitelisting program)
  • 24243 Status of the ‘Block access to a list of URLs’ setting
  • 8418 Status of the ‘Allow all trusted apps to install’ setting

Qualys Detection

Qualys customers can scan their devices with QID 91848 to detect vulnerable assets.

Continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43890
https://msrc.microsoft.com/blog/2023/12/microsoft-addresses-app-installer-abuse/
