Security News > 2024 > January > Microsoft kills off Windows app installation from the web, again
Microsoft has disabled a protocol that allowed the installation of Windows apps after finding that miscreants were abusing the mechanism to install malware.
The move came just before Christmas, and seemingly mimicked issues first reported in December 2021, to address a Windows AppX Installer vulnerability in which an attacker could spoof App Installer into installing malicious software.
The ms-appinstaller URI scheme allows the MSIX package installer to install Windows apps from a web page using the local App Installer application.
Microsoft had relied on developers having to sign their app packages with "a third party paid certificate from a trusted certification authority," but evidently it put too much trust in such authorities.
Customers who have EnableMSAppInstallerProtocol group policy set to "Not Configured" or "Enabled" and are also using vulnerable versions of App Installer - from v1.18.2691 up until v1.21.3421, as well as Windows OS updates between October 2022 and March 2023 - are advised to update App Installer and to set the desired policy.
For those who rely on web-based installation as an app distribution channel, the consequence is a bit more friction for downloading and installation after proper checks.
News URL
https://go.theregister.com/feed/www.theregister.com/2024/01/04/microsoft_windows_app_installation/
Related news
- Microsoft says Windows 10 21H2 support is ending in June (source)
- March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V (source)
- Microsoft again bothers Chrome users with Bing popup ads in Windows (source)
- Microsoft announces deprecation of 1024-bit RSA keys in Windows (source)
- Microsoft confirms Windows Server issue behind domain controller crashes (source)
- Microsoft releases emergency fix for Windows Server crashes (source)
- Microsoft confirms memory leak in March Windows Server security update (source)
- Microsoft fixes Windows Sysprep issue behind 0x80073cf2 errors (source)
- Recent Windows updates break Microsoft Connected Cache delivery (source)
- New Windows driver blocks software from changing default web browser (source)