Security News > 2024 > January > Microsoft kills off Windows app installation from the web, again
![Microsoft kills off Windows app installation from the web, again](/static/build/img/news/microsoft-kills-off-windows-app-installation-from-the-web-again-medium.jpg)
Microsoft has disabled a protocol that allowed the installation of Windows apps after finding that miscreants were abusing the mechanism to install malware.
The move came just before Christmas, and seemingly mimicked issues first reported in December 2021, to address a Windows AppX Installer vulnerability in which an attacker could spoof App Installer into installing malicious software.
The ms-appinstaller URI scheme allows the MSIX package installer to install Windows apps from a web page using the local App Installer application.
Microsoft had relied on developers having to sign their app packages with "a third party paid certificate from a trusted certification authority," but evidently it put too much trust in such authorities.
Customers who have EnableMSAppInstallerProtocol group policy set to "Not Configured" or "Enabled" and are also using vulnerable versions of App Installer - from v1.18.2691 up until v1.21.3421, as well as Windows OS updates between October 2022 and March 2023 - are advised to update App Installer and to set the desired policy.
For those who rely on web-based installation as an app distribution channel, the consequence is a bit more friction for downloading and installation after proper checks.
News URL
https://go.theregister.com/feed/www.theregister.com/2024/01/04/microsoft_windows_app_installation/
Related news
- Microsoft deprecates Windows NTLM authentication protocol (source)
- Microsoft announces first Windows 10 Beta build since 2021 (source)
- Microsoft Research chief scientist has no issue with Windows Recall (source)
- Microsoft makes Windows Recall opt-in, secures data with Windows Hello (source)
- Windows Recall will be opt-in and the data more secure, Microsoft says (source)
- Let's kick off our summer with a pwn-me-by-Wi-Fi bug in Microsoft Windows (source)
- Microsoft deprecates Windows DirectAccess, recommends Always On VPN (source)
- Microsoft delays Windows Recall amid privacy and security concerns (source)
- Microsoft delays Windows Recall rollout, more security testing needed (source)
- Microsoft removes Copilot app ‘incorrectly’ added on Windows PCs (source)