Microsoft Windows Patches Zero-Day Vulnerability Used to Spread Emotet Malware


Yesterday, Microsoft started to roll out Patch Tuesday updates to fix Windows security issues and vulnerabilities, including one being exploited to deliver the TrickBot, Bazaloader, and Emotet malware strains.

The latest batch of updates addresses 67 security flaws in Windows operating systems and other Microsoft software; seven flaws are of Critical severity, while the remaining 60 were marked as Important.

By far, one of the most critical flaws addressed by the latest monthly security updates is CVE-2021-43890, a Windows AppX Installer Spoofing Vulnerability.

This flaw has High attack complexity and requires only Low privileges to exploit. These metrics form a dangerous combo in terms of exploitability.

Microsoft identified attempts to exploit the aforementioned vulnerability through “specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader,” according to the executive summary.

In an attack, perpetrators would create and send a malicious attachment to unsuspecting users, then persuade them to open it through methods such as phishing or spear-phishing.

User accounts with fewer privileges on the operating system may be less affected by this attack than those with administrative rights.

Desktop App Installer users are advised to hover over the Trusted app text for more details about the signer, which should help determine whether certain apps should be installed or not.

The latest Patch Tuesday updates patch the exploited CVE-2021-43890 vulnerability, but Microsoft also offers a few workarounds for users who can’t install the updates for the Desktop App Installer.

One workaround involves enabling BlockNonAdminUserInstall and AllowAllTrustedAppToInstall Group Policies (GPOs) to prevent non-admins from installing Windows App packages and apps from outside the Microsoft Store.

Another workaround requires system administrators to use either AppLocker or Windows Defender Application Control to restrict the Desktop App Installer.

Last but not least, administrators can disable the ms-appinstaller protocol or add a browser policy rule to prevent it from being invoked from the browser.
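As an added illustration (not from the article or from Microsoft), the following PowerShell applies two of the workarounds above on a single host and reads the result back so it can be verified. It assumes the registry values backing the corresponding ADMX policies (the Appx and AppInstaller policy keys named in the script); confirm them against your own policy templates before rolling them out, and run it in an elevated session.

```powershell
# Added example: apply and verify temporary workarounds for CVE-2021-43890.
# Assumption: these registry locations are the ones the ADMX policies write;
# check them against your organisation's policy templates / GPO.
$AppxPolicy         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$AppInstallerPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value `
        -PropertyType DWord -Force | Out-Null
}

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # $null means "not configured", i.e. the default applies
}

# Workaround: block non-admin users from installing packaged (AppX/MSIX) apps.
Set-PolicyDword -Path $AppxPolicy -Name 'BlockNonAdminUserInstall' -Value 1

# Workaround: turn off the ms-appinstaller: protocol so a link in a browser
# or document can no longer hand a package straight to App Installer.
Set-PolicyDword -Path $AppInstallerPolicy -Name 'EnableMSAppInstallerProtocol' -Value 0

# Verification: returns $true only when both settings hold, so the same
# check can be run later (or on other hosts) to confirm nothing reverted it.
function Test-AppInstallerWorkarounds {
    $block = Get-PolicyDword $AppxPolicy 'BlockNonAdminUserInstall'
    $proto = Get-PolicyDword $AppInstallerPolicy 'EnableMSAppInstallerProtocol'
    return ($block -eq 1) -and ($proto -eq 0)
}

# Record the installed App Installer version alongside the policy state, so the
# host can be compared against the fixed build once the update is applied.
[pscustomobject]@{
    AppInstallerVersion          = (Get-AppxPackage -Name Microsoft.DesktopAppInstaller).Version
    BlockNonAdminUserInstall     = Get-PolicyDword $AppxPolicy 'BlockNonAdminUserInstall'
    EnableMSAppInstallerProtocol = Get-PolicyDword $AppInstallerPolicy 'EnableMSAppInstallerProtocol'
    WorkaroundsInPlace           = Test-AppInstallerWorkarounds
}
```

The AppLocker/WDAC restriction and the browser policy rule are left out here because their form depends on the existing allow-list and browser management in your environment.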

These workarounds are meant as temporary measures, as downloading and installing the latest Microsoft security updates is still one of the safest methods to counter cyberattacks on Windows operating systems.