Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Microsoft Windows App Installer Spoofing Vulnerability Allowing Malware Distribution
Vulnerability
A spoofing vulnerability has been identified in the AppX installer for Microsoft Windows. It allows attackers to craft malicious packages that bypass standard security measures and deliver malware, including families such as Emotet, TrickBot, and BazarLoader. The vulnerability is particularly concerning because exploitation relies on social engineering: users are persuaded to open a harmful attachment. Users whose accounts have fewer rights on the system are less exposed, while those running with administrative rights face greater impact.
Impact
Exploitation of this vulnerability can lead to the distribution of malware, with observed cases involving ransomware. The vulnerability has been linked to several financially motivated threat groups.
Remediation
Users can update to the latest version of the App Installer, version 1.21.3421.0 or greater, which disables the ms-appinstaller protocol by default. For enterprise environments, the Group Policy 'EnableMSAppInstallerProtocol' can be set to 'Disabled' to prevent the protocol from being used. Customers who cannot immediately update the App Installer can apply workarounds, such as blocking non-admin users from installing Windows App packages or using Windows Defender Application Control or AppLocker to block the Desktop App Installer.
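The following PowerShell audit, added here and not part of the advisory, checks a host for the two remediations above: an App Installer build of 1.21.3421.0 or later, or the 'EnableMSAppInstallerProtocol' policy set to Disabled. It assumes the App Installer is the Microsoft.DesktopAppInstaller Appx package and that the policy is stored as a DWORD under HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller (0 = Disabled); both of those locations are assumptions, not details taken from the advisory.

```powershell
# Added example (not from the advisory): audit one Windows host for the
# App Installer remediations. Run from an elevated prompt so that
# Get-AppxPackage -AllUsers can enumerate every user's packages.

$FixedVersion = [version]'1.21.3421.0'   # fixed build named in the advisory
# Assumed policy location for 'EnableMSAppInstallerProtocol' (0 = Disabled)
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'

function Get-AppInstallerStatus {
    # Highest installed App Installer version across all users ($null if absent).
    # Package name Microsoft.DesktopAppInstaller is an assumption of this example.
    $pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.DesktopAppInstaller' `
               -ErrorAction SilentlyContinue |
           Sort-Object -Property { [version]$_.Version } -Descending |
           Select-Object -First 1
    $installed = if ($pkg) { [version]$pkg.Version } else { $null }

    # Policy check: a value of 0 means the ms-appinstaller protocol is disabled.
    $policy = Get-ItemProperty -Path $PolicyKey -Name 'EnableMSAppInstallerProtocol' `
                  -ErrorAction SilentlyContinue
    $policyDisabled = ($null -ne $policy) -and ($policy.EnableMSAppInstallerProtocol -eq 0)

    $versionPatched = ($null -ne $installed) -and ($installed -ge $FixedVersion)

    [pscustomobject]@{
        InstalledVersion = $installed
        VersionPatched   = $versionPatched      # updated build disables the protocol by default
        PolicyDisabled   = $policyDisabled      # enterprise policy blocks the protocol
        # Either control described in the advisory is sufficient on its own
        Remediated       = $versionPatched -or $policyDisabled
    }
}

Get-AppInstallerStatus | Format-List
```

Hosts reporting Remediated = False still need the update or the policy; the AppLocker and WDAC workarounds mentioned above are not covered by this check.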
