
Microsoft blocks MSIX protocol handler


Microsoft has again blocked the MSIX ms-appinstaller protocol handler to prevent hackers from using it to infect Windows environments with ransomware.

Microsoft’s research shows that malware attacks on Windows environments again exploit the CVE-2021-43890 Windows AppX Installer spoofing vulnerability.

Through this vulnerability, attackers can bypass protections designed to keep Windows users safe, such as Microsoft Defender SmartScreen's anti-phishing and anti-malware checks and the built-in browser warnings that are supposed to stop users from downloading executable files.

As of mid-November 2023, attackers were using the ms-appinstaller protocol handler as an initial access vector to deliver malware that in turn leads to ransomware. They spread signed MSIX application packages through malicious ads for popular software and through phishing messages sent over Microsoft Teams.

Several cybercriminals also sell a malware kit that abuses the MSIX file format and the ms-appinstaller protocol handler. According to Microsoft, financially motivated threat groups are actively abusing the handler.

Previous incidents

This is not the first time Microsoft has faced attacks via the Windows AppX Installer. Two years ago, the Emotet botnet tried to infect Windows 10 and 11 users with malware. In addition, the vulnerability was used to distribute the BazarLoader malware using malicious packages hosted on Azure and with so-called *.web.core.windows.net URLs.

Microsoft advises organisations to install the patched App Installer version 1.21.3421.0 or later to prevent these attacks. Administrators who cannot roll out that version immediately should instead disable the handler by setting the EnableMSAppInstallerProtocol Group Policy to Disabled.
