Security News > 2024 > January > Microsoft kills off Windows app installation from the web, again

Microsoft has disabled a protocol that allowed the installation of Windows apps after finding that miscreants were abusing the mechanism to install malware.

The move came just before Christmas, and seemingly mimicked issues first reported in December 2021, to address a Windows AppX Installer vulnerability in which an attacker could spoof App Installer into installing malicious software.

The ms-appinstaller URI scheme allows the MSIX package installer to install Windows apps from a web page using the local App Installer application.

Microsoft had relied on developers having to sign their app packages with "a third party paid certificate from a trusted certification authority," but evidently it put too much trust in such authorities.

Customers who have EnableMSAppInstallerProtocol group policy set to "Not Configured" or "Enabled" and are also using vulnerable versions of App Installer - from v1.18.2691 up until v1.21.3421, as well as Windows OS updates between October 2022 and March 2023 - are advised to update App Installer and to set the desired policy.

For those who rely on web-based installation as an app distribution channel, the consequence is a bit more friction for downloading and installation after proper checks.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/01/04/microsoft_windows_app_installation/