CVE-2021-43890

Published: 14 Dec 2021
Source: msrc
CVSS3: 7.1
EPSS: Medium

Description

Windows AppX Installer Spoofing Vulnerability

We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.

An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section.

Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.

December 27 2023 Update:

In recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme.

To address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.

Mitigations

Install the latest App Installer

The best mitigation is to install the latest App Installer build 1.21.3421.0 or greater. The ms-appinstaller URI scheme handler has been disabled by default in the latest build of the App. For more information on how to upgrade the App Installer, please see: Install and update the App Installer.

Disable the protocol

If you have version 1.17.10633.0 or greater of the App Installer, you can disable the protocol immediately in your enterprise environment, by setting the Group Policy EnableMSAppInstallerProtocol to Disabled. See Policy CSP – DesktopAppInstaller for additional information. Customers who require a version of the App Installer prior to 1.17.10633.0 should employ the workarounds described in the Workarounds section of this CVE.

Workarounds

Customers who are unable to install the updates for the Microsoft App Installer can apply the following workarounds to be protected from the vulnerability:

Enable the following GPO to prevent non-admins from installing any Windows App packages

Policy | Description
BlockNonAdminUserInstall | This policy setting manages the ability of non-administrator users to install (signed) Windows app packages. When enabled (value: 1), non-administrator users will be unable to initiate the installation of (signed) Windows app packages. Administrator users will still be able to initiate the installation of (signed) Windows app packages in Administrator-context. When disabled (value: 0), or not configured, all users will be able to initiate the installation of (signed) Windows app packages.

Enable this GPO to prevent installing apps from outside the Microsoft Store

Policy | Description
AllowAllTrustedAppToInstall | This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps. If you enable this policy setting, you can install any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer). If you disable or do not configure this policy setting, you cannot install LOB or developer-signed Windows Store apps in Administrator-context. When disabled (value: 0), or not configured, all users will be able to initiate the installation of (signed) Windows app packages.

Use Windows Defender Application Control or AppLocker to block the Desktop App Installer app (Microsoft.DesktopAppInstaller_8wekyb3d8bbwe), or create policies to limit the apps installed in your environment

Disable the ms-appinstaller protocol to install apps directly from a website

Enterprise Administrators can also use Group Policy to prevent users from invoking any protocol handler within the browser.

For the Edge browser, add a policy rule for

ms-appinstaller:*

This will block all attempts to invoke the protocol from the browser. Exactly how the block appears to the user depends on how the page that tries to launch the protocol is constructed.

If the page tries to invoke the protocol by navigating a hidden/tiny subframe, the block will appear to be silent.
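The following PowerShell audit script is an added example, not part of the MSRC advisory or the exploitDog page. It checks a Windows host against the mitigations and workarounds listed above: the installed App Installer version relative to the 1.21.3421.0 (protocol disabled by default) and 1.17.10633.0 (policy-capable) builds named in the advisory, and whether the EnableMSAppInstallerProtocol, BlockNonAdminUserInstall and AllowAllTrustedApps policies and the Edge ms-appinstaller:* block rule are in place. The registry paths and value names used here are assumptions and should be confirmed against the Policy CSP - DesktopAppInstaller and Edge policy documentation before being relied on.

```powershell
# Added example: audits a host for the CVE-2021-43890 mitigations described above.
# Version thresholds come from the advisory; the registry locations below are
# ASSUMPTIONS to verify against Microsoft's policy reference for your environment.
# Requires the Appx module (Windows PowerShell, or PowerShell 7 with
# Import-Module Appx -UseWindowsPowerShell).

$ProtocolDisabledBuild = [version]'1.21.3421.0'   # ms-appinstaller disabled by default
$PolicyCapableBuild    = [version]'1.17.10633.0'  # first build honouring EnableMSAppInstallerProtocol

# Assumed registry locations for the policies named in the advisory.
$AppInstallerPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$AppxPolicyKey         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$EdgeUrlBlocklistKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\URLBlocklist'

function Get-PolicyDword {
    # Returns the DWORD value of a policy, or $null when it is not configured.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Installed App Installer version (package family Microsoft.DesktopAppInstaller_8wekyb3d8bbwe).
$pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue |
       Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
$installed = $null
if ($null -eq $pkg) {
    $findings.Add('App Installer not present for this user: ms-appinstaller handler unavailable')
} else {
    $installed = [version]$pkg.Version
    if ($installed -ge $ProtocolDisabledBuild) {
        $findings.Add("App Installer $installed >= $ProtocolDisabledBuild : protocol disabled by default (OK)")
    } else {
        $findings.Add("App Installer $installed is below $ProtocolDisabledBuild : update recommended")
    }
}

# 2. EnableMSAppInstallerProtocol policy (only honoured by 1.17.10633.0 or later).
$proto = Get-PolicyDword $AppInstallerPolicyKey 'EnableMSAppInstallerProtocol'
if ($proto -eq 0) {
    $findings.Add('EnableMSAppInstallerProtocol = 0: protocol disabled by policy (OK)')
} elseif ($proto -eq 1) {
    $findings.Add('EnableMSAppInstallerProtocol = 1: policy explicitly re-enables the protocol (review)')
} elseif ($null -ne $installed -and $installed -lt $ProtocolDisabledBuild) {
    if ($installed -ge $PolicyCapableBuild) {
        $findings.Add('EnableMSAppInstallerProtocol not configured: set the policy to Disabled')
    } else {
        $findings.Add('Build predates policy support: use BlockNonAdminUserInstall, AppLocker/WDAC or the Edge block rule')
    }
}

# 3. Workaround policies from the advisory (expected values: 1 and 0 respectively).
$block   = Get-PolicyDword $AppxPolicyKey 'BlockNonAdminUserInstall'
$trusted = Get-PolicyDword $AppxPolicyKey 'AllowAllTrustedApps'
$findings.Add("BlockNonAdminUserInstall = $(if ($null -eq $block) { 'not configured' } else { $block }) (advisory asks for 1)")
$findings.Add("AllowAllTrustedApps = $(if ($null -eq $trusted) { 'not configured' } else { $trusted }) (advisory asks for 0)")

# 4. Edge URLBlocklist entry for ms-appinstaller:* (entries are numbered string values).
$edgeBlocked = $false
if (Test-Path $EdgeUrlBlocklistKey) {
    $props = (Get-ItemProperty -Path $EdgeUrlBlocklistKey).PSObject.Properties
    $match = $props | Where-Object { $_.Name -match '^\d+$' -and $_.Value -eq 'ms-appinstaller:*' }
    $edgeBlocked = ($null -ne $match)
}
$findings.Add("Edge URLBlocklist contains ms-appinstaller:* : $edgeBlocked")

$findings | ForEach-Object { Write-Output $_ }
```

The script only reads package metadata and policy values; it changes nothing, so it can be run as part of a routine compliance sweep and its lines fed to whatever inventory or SIEM pipeline tracks the update status of App Installer.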

FAQ

How do I update the installer?

Customers who are running Windows 10, version 1809 and newer versions, or any version of Windows 11 can download and install the following:

Latest App Installer: Microsoft Desktop Installer 1.16

Customers running Windows 10, version 1709 or Windows 10, version 1803 can download and install the following:

Microsoft Desktop Installer 1.11

Updates

Product | Article | Update
App Installer


Exploitability

Publicly Disclosed: Yes
Exploited: Yes
Latest Software Release: Exploitation Detected
Older Software Release: Exploitation Detected
DOS: N/A

EPSS: 0.1924 (percentile: 95%), Medium
CVSS3: 7.1 High

Related vulnerabilities

nvd (CVSS3: 7.1, about 4 years ago): We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader. An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section. Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability. December 27 2023 Update: In recent months, Microsoft Threat Inte

github (CVSS3: 7.1, about 4 years ago): Windows AppX Installer Spoofing Vulnerability

fstec (CVSS3: 7.1, about 4 years ago): Vulnerability in the Microsoft App Installer related to authentication bypass by spoofing, allowing an attacker to carry out spoofing attacks
