Last week, Microsoft announced that it has temporarily disabled the MSIX protocol handler to prevent malicious attacks on Windows 10 and 11. The company says this change aims to address a newly discovered Windows AppX Installer spoofing vulnerability, which was discovered in December 2021.
For those unfamiliar with the Windows AppX Installer, it’s a Windows feature that was introduced back in 2016. It enables users to install a Windows app directly from a web server without downloading .appx packages. The Windows AppX Installer offers a simplified experience for sideloading app packages.
As it turns out, threat actors took advantage of a security vulnerability in the Windows App Installer packages to install malicious apps on targetted machines. “We were recently notified that the ms-appinstaller protocol for MSIX can be used in a malicious way. Specifically, an attacker could spoof App Installer to install a package that the user did not intend to install,” Microsoft’s Dian Hartono explained in a blog post.
Fortunately, Microsoft has temporarily addressed this issue by disabling the ms-appinstaller scheme (protocol) on Windows 10 and 11 PCs. Currently, the company is working on a fix for the issue, and it plans to create a group policy to allow IT admins to re-enable the ms-appinstaller protocol securely within their organizations.
In the meantime, Microsoft has provided a workaround to help customers prevent malicious attacks. “For now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer. This may increase the download size for some packages,” Hartono added.
Microsoft also encourages developers to remove “ms-appinstaller:?source=” schemes from the app download links available on their websites. This should help to ensure that the App Installer or the MSIX package will be downloaded directly on Windows PCs. If you’re interested, we invite you to read more about the current status of the Windows AppX Installer spoofing vulnerability on the Microsoft Security Resource Center.