Microsoft disables MSIX protocol handler abused in Emotet attacks (Security News, February 2022)
Microsoft has disabled the MSIX ms-appinstaller protocol handler exploited in malware attacks to install malicious apps directly from a website via a Windows AppX Installer spoofing vulnerability.
The likely reason for disabling the protocol altogether is to protect all Windows customers, including those who haven't yet installed the December security updates or applied the workarounds.
"We are actively working to address this vulnerability. For now, we have disabled the ms-appinstaller scheme. This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer," said Microsoft Program Manager Dian Hartono.
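An added audit script, not from the article or from Microsoft, that lets a defender check whether a Windows host still has the ms-appinstaller protocol handler registered and whether the December Group Policy workaround blocks it. The policy path and value name (`EnableMSAppInstallerProtocol` under the Desktop App Installer policy key) are assumptions to verify against Microsoft's advisory before relying on them.

```powershell
# Added example: audit the ms-appinstaller protocol state on this host.
# Assumed locations (verify against Microsoft's advisory):
#   - policy value EnableMSAppInstallerProtocol under the AppInstaller policy key
#   - per-machine URL protocol registration under HKEY_CLASSES_ROOT\ms-appinstaller
function Get-MsAppInstallerStatus {
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
    $policyName = 'EnableMSAppInstallerProtocol'
    $policy = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName

    # A URL scheme is live when its class key exists and carries a shell\open\command.
    $handlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-appinstaller'
    $registered = Test-Path $handlerKey
    $command = $null
    if ($registered) {
        $command = (Get-ItemProperty -Path "$handlerKey\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }

    # Hosts with no policy and a live handler rely only on Microsoft's
    # server-side disablement described in the article.
    if ($policy -eq 0) {
        $recommendation = 'ms-appinstaller disabled by policy'
    } elseif ($registered) {
        $recommendation = 'handler present and not blocked; set policy to 0 until patched'
    } else {
        $recommendation = 'protocol handler not present'
    }

    [pscustomobject]@{
        PolicyValue       = if ($null -eq $policy) { 'not configured' } else { $policy }
        BlockedByPolicy   = ($policy -eq 0)
        HandlerRegistered = $registered
        HandlerCommand    = $command
        Recommendation    = $recommendation
    }
}

Get-MsAppInstallerStatus | Format-List
```

Run from an elevated PowerShell session so the policy hive is readable; the object it returns can be collected across a fleet to find hosts that still depend on the server-side disablement alone.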
As BleepingComputer reported, Emotet started spreading and infecting Windows 10 and Windows 11 systems in early December using malicious Windows AppX Installer packages camouflaged as Adobe PDF software.
While it looks like a legitimate Adobe app, App Installer will download and install a malicious appxbundle hosted on Microsoft Azure when the user clicks the Install button.
You can find more information, including the way Emotet abused the built-in Windows App Installer feature during the campaign, in our previous report.