Microsoft blocks web installation of its own App Installer files
2022-02-07 19:36

Distribute an App Installer bundle that presented itself as a Trusted App, much like an app from the curated Microsoft Store.

In contrast, the App Installer popup that verifies the digital signature of the App Bundle you're downloading explicitly identifies the software itself as a Trusted App, even though it allows the signer of the app to include entirely bogus vendor data in the app bundle, and then helpfully displays that fraudulent "Identification" directly beneath the "Trusted App" designator.

Use a web filter, if you have one, to block the download of likely App Installer bundles.

Web downloads via the App Installer save bandwidth by omitting the parts that aren't required.

Instead, users will need to first download the app to their device, and then install the package with App Installer.

If you use App Bundles to distribute your own software, you will need to change either your software packaging process, or your installation instructions, or both.


News URL

https://nakedsecurity.sophos.com/2022/02/07/microsoft-blocks-web-installation-of-its-own-app-installer-files/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2819 161 4399