Microsoft has disabled the MSIX installer protocol in Windows in response to its exploitation in real-world cyberattacks. Hackers discovered a method to abuse the protocol, allowing them to install malicious software and bypass detection by anti-malware software.
MSIX INSTALLER PROTOCOL EXPLOITED
The existence of a malware kit market exploiting the MSIX file format and the ms-appinstaller protocol is not a new phenomenon. In this particular instance, the kit, offered as a service, enables attackers to exploit vulnerabilities in the protocol to distribute malware, including ransomware.
As a reminder, MSIX is a file packaging format tailored for Windows 10, built around an XML manifest file. Developers use the manifest to define the deployment process, specify the required files, and indicate their source. The issue arises from the ability to deliver MSIX packages to the system over the Internet through ms-appinstaller: a link of the form ms-appinstaller:?source=//website.com/file.appx can trigger the installation of a remotely hosted package, and therefore of malware.
In their modus operandi, cybercriminals deploy signed malicious MSIX application packages disguised as legitimate software to infiltrate systems.
These packages are distributed through Microsoft Teams and misleading advertisements on popular search engines, enabling attackers to circumvent traditional security measures such as Microsoft Defender SmartScreen and browser download warnings, which makes detection and prevention harder.
MICROSOFT BLOCKS MSIX INSTALLER
This isn’t the first instance of Microsoft encountering the exploitation of this installation method. In February 2022, Microsoft disabled the vulnerable protocol because it was exploited by Emotet, TrickBot, and BazaLoader malware. Although the vulnerability used at that time was slightly different, it resulted in a similar effect—a drive-by malware installation.
Microsoft recommends installing the patched App Installer version 1.21.3421.0 or later to prevent potential abuse.
The patch disables the ms-appinstaller protocol handler by default, so the link style described above no longer triggers an installation. Additionally, administrators who are unable to install the latest App Installer version immediately are advised to disable the protocol through Group Policy. This can be achieved by setting EnableMSAppInstallerProtocol to Disabled.
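The following PowerShell script is an added example, not part of the original article, that audits an endpoint for the two mitigations just described: the App Installer version named above and the Group Policy value. It assumes the policy is written to the registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller, and the optional -Remediate switch writes that value locally for machines not yet on the patched version.

```powershell
# Added example (not from the original article or from Microsoft).
# Assumption: the "Enable App Installer ms-appinstaller protocol" policy is
# stored as a DWORD named EnableMSAppInstallerProtocol under $PolicyPath.
$MinPatchedVersion = [version]'1.21.3421.0'   # version named in the article
$PolicyPath        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName        = 'EnableMSAppInstallerProtocol'

function Get-MsAppInstallerMitigationStatus {
    [CmdletBinding()]
    param([switch]$Remediate)

    # App Installer ships as the Microsoft.DesktopAppInstaller Appx package;
    # pick the highest version present for the current user.
    $pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
    $installed = if ($pkg) { [version]$pkg.Version } else { $null }
    $patched   = ($null -ne $installed) -and ($installed -ge $MinPatchedVersion)

    # Policy value: 0 = Disabled, 1 = Enabled, absent = not configured.
    $policy = (Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    $policyDisabled = ($null -ne $policy) -and ($policy -eq 0)

    # Local equivalent of the Group Policy setting for unpatched machines.
    # Requires an elevated session; a domain GPO will overwrite it on refresh.
    if ($Remediate -and -not $patched -and -not $policyDisabled) {
        if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
        New-ItemProperty -Path $PolicyPath -Name $PolicyName -Value 0 -PropertyType DWord -Force | Out-Null
        $policyDisabled = $true
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AppInstallerVersion = $installed
        PatchedVersion      = $patched
        PolicyDisabled      = $policyDisabled
        ProtocolMitigated   = $patched -or $policyDisabled
    }
}

# Usage: report only, or remediate the unpatched case from an elevated prompt.
Get-MsAppInstallerMitigationStatus
# Get-MsAppInstallerMitigationStatus -Remediate
```

ProtocolMitigated is true when either mitigation is in place; a false result on a machine that still has the protocol enabled is the case the article's guidance addresses.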