Microsoft has recently disabled the MSIX handler in Windows 10 and 11, which was used by malicious actors to distribute malware through the App Installer feature. This article will explain how the MSIX handler was abused, what kind of malware attacks were carried out, and what mitigations Microsoft has implemented to protect users.
Microsoft Addresses App Installer Abuse
The App Installer feature in Windows allows users to install applications from various sources, such as the Microsoft Store, local files, or web URLs. One of the supported formats for app packages is MSIX, which is a modern and secure packaging format that supports both desktop and UWP apps.
However, the App Installer feature also had a spoofing vulnerability that could allow attackers to trick users into installing malicious apps. The vulnerability was related to the code signing certificates that are used to verify the authenticity and integrity of the app packages. The App Installer feature did not properly validate the certificates and could display a fake or tampered certificate to the user, making it appear as if the app was from a trusted source.
This vulnerability was exploited by malware groups such as BazarLoader, which used phishing emails and fake websites to lure users into downloading and installing malicious MSIX packages. The malware could then perform various malicious activities, such as stealing credentials, encrypting files, or delivering ransomware.
Malware Attacks Using MSIX Protocol Handler
One of the ways that the attackers exploited the App Installer feature was by using the MSIX ms-appinstaller protocol. This is a custom URI scheme that can be used to launch the App Installer feature and install an app from a web URL. For example, a link like ms-appinstaller:?source=https://example.com/app.msix would open the App Installer feature and prompt the user to install the app from the specified URL.
The attackers used this protocol to distribute the BazarLoader malware, which is a sophisticated backdoor that can download and execute additional payloads. The attackers created phishing emails and fake websites that contained links to the ms-appinstaller protocol and tried to trick users into clicking on them. The links would point to malicious packages hosted on Microsoft Azure, which is a cloud computing platform that offers various services, including web hosting. The attackers used Azure to host their malware because it could bypass some security filters and make the links look more legitimate.
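As an added example that is not part of the original article, the following Python scanner finds ms-appinstaller links of the form described above in email bodies or proxy log lines, extracts the package URL they would hand to App Installer, and flags any whose hosting domain is not on a defender-maintained allowlist; the sample lines and the allowlist are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Matches the custom URI scheme described above: ms-appinstaller:?source=<url>
# (case-insensitive; tolerates the optional "//" some clients emit).
MS_APPINSTALLER_RE = re.compile(r"ms-appinstaller:(?://)?\?[^\s\"'<>]+", re.IGNORECASE)


def extract_appinstaller_links(text):
    """Return one record per ms-appinstaller link found in text.

    Each record holds the raw URI, the decoded package URL from its
    `source` parameter (None if absent) and the host serving the package.
    """
    findings = []
    for match in MS_APPINSTALLER_RE.finditer(text):
        raw = match.group(0)
        query = raw.split("?", 1)[1]
        params = parse_qs(query, keep_blank_values=True)  # decodes %-encoding
        source = params.get("source", [None])[0]
        host = urlsplit(source).hostname if source else None
        findings.append({"raw": raw, "source": source, "host": host})
    return findings


def unexpected_links(text, allowed_hosts):
    """Links whose package host is not in the allowlist (or has no host at all)."""
    allowed = {h.lower() for h in allowed_hosts}
    return [f for f in extract_appinstaller_links(text)
            if f["host"] is None or f["host"].lower() not in allowed]


# Constructed sample input (an email body and a proxy log line), not real data.
SAMPLE = """\
Dear customer, please update your client: ms-appinstaller:?source=https://example.com/app.msix
2024-01-05 proxy GET "ms-appinstaller://?source=https%3A%2F%2Fupdates.example.net%2Fpkg.msix"
Regular link: https://example.com/docs
"""

# Hypothetical allowlist: the only host this organisation distributes MSIX packages from.
ALLOWED_PACKAGE_HOSTS = ["updates.example.net"]

if __name__ == "__main__":
    for f in unexpected_links(SAMPLE, ALLOWED_PACKAGE_HOSTS):
        print(f"unexpected App Installer source host={f['host']} uri={f['raw']}")
```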
Mitigations Implemented by Microsoft
In response to the malware attacks, Microsoft has taken several steps to mitigate the threat and protect users from installing malicious software. The main action is to disable the ms-appinstaller URI scheme handler in Windows 10 and 11. This means that links using the ms-appinstaller protocol will no longer work, and users will not be able to install apps from web URLs using the App Installer feature. Microsoft has also removed the option to install apps from web URLs from the App Installer user interface. Additionally, Microsoft has improved the validation of code signing certificates in the App Installer feature and has added more warnings and prompts to inform users of the potential risks of installing apps from unknown sources. Microsoft has also advised users to install apps only from trusted sources, such as the Microsoft Store, and to use antivirus software and other security tools to detect and remove any malware infections.