Microsoft has disabled the ms-appinstaller protocol handler for MSIX packages to stop ongoing malicious campaigns, including Emotet, that abused a vulnerability in it to distribute malware.
A big problem with large software environments such as Windows is that change takes a long time to propagate, and that is especially obvious for patches. It is not uncommon to find companies running unpatched systems two years after Microsoft publishes a fix for a vulnerability.
Just because developers are aware of a problem and quickly issue a fix does not mean users and enterprises will hurry to install it. Something similar is happening with the vulnerability tracked as CVE-2021-43890. Microsoft has already shipped a fix and published mitigations for users who have not yet patched their systems.
The ms-appinstaller protocol lets a user click a link on a website and have App Installer fetch and install an MSIX package directly from the web server. Malware operators found a way to abuse this behaviour by spoofing the App Installer prompt so that it installed a package the user never intended to install, and Microsoft pulled the plug on the scheme until it can adequately repair the vulnerability.
“We were recently notified that the ms-appinstaller protocol for MSIX can be used in a malicious way,” said Microsoft’s Dian Hartono. “Specifically, an attacker could spoof App Installer to install a package that the user did not intend to install.”
“We are actively working to address this vulnerability,” she added. “For now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer.”
Microsoft has yet to say when it will re-enable the ms-appinstaller scheme, but the more immediate problem is that some companies still rely on it. Microsoft says it is working on a Group Policy that will let IT administrators re-enable the protocol and control its use within their organizations.
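The abuse described above hinges on the link itself: an `ms-appinstaller:` URI whose `source` parameter names the package to fetch. The following is an added example, not code from the article or from Microsoft, that finds such links in web or e-mail content and classifies where each one would pull its package from, the kind of check an organisation would want if it re-enables the protocol and only wants internal package hosts trusted. It assumes the documented URI form `ms-appinstaller:?source=<package URL>`; the sample HTML and the allowlisted host `apps.corp.example` are constructed for illustration.

```python
"""Find ms-appinstaller: links in text and classify their package source.

Added example, not from the article. Assumes the documented URI form
ms-appinstaller:?source=<https URL of the package>; sample input and the
allowlisted host below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# An ms-appinstaller: URI runs until whitespace, a quote or an angle bracket,
# which is where an href attribute or a plain-text link ends.
APPINSTALLER_RE = re.compile(r"ms-appinstaller:[^\s\"'<>]+", re.IGNORECASE)

# Constructed allowlist: the only host this organisation serves MSIX packages from.
ALLOWED_HOSTS = {"apps.corp.example"}

# Constructed sample: one internal link, one lookalike external host, one plain-http source.
SAMPLE_HTML = """
<a href="ms-appinstaller:?source=https://apps.corp.example/tools/LineTool.msixbundle">Install</a>
<a href="ms-appinstaller:?source=https://files.example-updates.net/Update.msix">Update now</a>
<a href="ms-appinstaller:?source=http://cdn.example.org/Installer.appinstaller">Get it</a>
<a href="https://apps.corp.example/docs">Documentation</a>
"""


def parse_appinstaller_uri(uri):
    """Return the package source URL named by an ms-appinstaller: URI, or None.

    The scheme is matched case-insensitively and the query key 'source' is
    looked up case-insensitively; parse_qs percent-decodes the value.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "ms-appinstaller":
        return None
    query = rest[1:] if rest.startswith("?") else rest
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() == "source" and values and values[0]:
            return values[0]
    return None


def classify_source(source_url, allowed_hosts):
    """Classify a package source URL.

    'insecure-transport' : not fetched over https
    'untrusted-host'     : https, but the host is not on the allowlist
    'allowed'            : https from an allowlisted host
    """
    parts = urlsplit(source_url)
    if parts.scheme.lower() != "https":
        return "insecure-transport"
    host = (parts.hostname or "").lower()
    return "allowed" if host in allowed_hosts else "untrusted-host"


def scan_text(text, allowed_hosts):
    """Return (uri, source_url, verdict) for every ms-appinstaller link in text.

    Links with no usable source parameter get the verdict 'no-source'.
    """
    findings = []
    for match in APPINSTALLER_RE.finditer(text):
        uri = match.group(0)
        source = parse_appinstaller_uri(uri)
        if source is None:
            findings.append((uri, None, "no-source"))
        else:
            findings.append((uri, source, classify_source(source, allowed_hosts)))
    return findings


if __name__ == "__main__":
    for uri, source, verdict in scan_text(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"{verdict:18} {source or uri}")
```

Only the first sample link would be accepted under this policy; the second is the pattern the campaigns relied on, a valid-looking link whose package actually comes from an attacker-controlled host, and the third would hand the install to anyone who can tamper with plain-http traffic. The check is a content-level complement to Microsoft's global disablement, not a replacement for patching CVE-2021-43890.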