Remember the movie Groundhog Day? Bull Murray plays a rather self-centered weatherman who finds himself in a time loop on Groundhog Day.
Windows administrators may have similar feelings to Murray's in regards to vulnerability CVE-2021-43890. First patched in December 2021, Microsoft announced in December 2023 that it has detected attacks in the wild and patched the issue again.
If that sounds confusing, it is. What Microsoft failed to mention is that the first patch has somehow been undone since April 2023.
The vulnerability report refers to the issue as a spoofing vulnerability in Appx installer in Microsoft Windows. Microsoft developed the ms-appinstaller Uniform Resource Identifier to support the downloading and installation of apps directly from Internet servers.
In other words: users who clicked on ms-appinstaller links would get an installation prompt similarly to the one displayed on the screenshot above.
While it still required the user to hit the "install" button, the lack of a prominent "cancel" button led to unwanted installations. A click on the x-icon at the top of the window cancelled the process.
Activation of install would download and install the malware on the device.
Microsoft describes the process in the following way: "Users who click the links to the installers are presented with the desktop App Installer experience. If the user clicks “Install” in the desktop App Installer, the malicious application is installed and eventually runs additional processes and scripts that lead to malware installation."
Microsoft's blog post on its Security blog reveals that it observed several attacks that make use of App Installer to infect Windows devices. The functionality is disabled by default according to this Microsoft support page. Administrators may enable it, however. What Microsoft fails to mention in the post is that it disabled the functionality in December 2021 already as a reaction to abuse of the functionality.
Will Dormann was among the first to spot this missing piece of information in Microsoft's announcement.
What Microsoft also does not reveal in its announcement is when it disabled the functionality by default. Günter Born thinks that the December 2023 security updates are the most likely option, but Microsoft never revealed this. Born found a single reference on the web by a Microsoft Answers user who got the "cannot open app package" error message when trying to install an app using the ms-appinstaller protocol.
The description informs the user that the protocol has been disabled.
System administrators may want to read through Microsoft's entire post on the Security blog. It includes information about three malwares that used the vulnerability as well as a long list of recommendations.
Apart from making sure that App Installer build 1.21.3421.0 is used, Microsoft recommends the following mitigations:
More than half of Microsoft's suggestions are about educating users.
You can check the AppInstaller version in the following way:
Check the version that is returned. You can upgrade the application using the command winget upgrade Microsoft.AppInstaller.
Now You: have you used App Installer in the past to install apps?
The man leading one of the most prominent and most powerful AI companies on the planet has just revealed what it is about AI that keeps him awake at n
The OpenAI team, led by Sam Altman, has finally unveiled GPT-5, with around 600,000 people watching the launch livestream either live or during the fi
Microsoft could be adding a guided tour to its Copilot app in Windows 11, making it easier for users to get started, according to TechRadar. The six-s
Amazon is taking some inspiration from the TV shows available on its Prime Video streaming platform, and porting it over to Kindle e-readers to keep u
Windows 11 has support for voice commands like “Open Edge” largely for accessibility purposes but with the latest Insider preview build, it’s taking a
OpenAI released its Sora text-to-video generation tool late in 2024, and expanded it to the European market at the end of February this year. It seems
Apple’s progress with bringing AI to its hardware hasn’t exactly hit the same notes as the progress it has made with computing and wearable endeavors.
@Leopeva64Microsoft has added a new share button to Copilot in Edge, allowing users to share AI chat conversations with others more easily by creating
We are a comprehensive and trusted information platform dedicated to delivering high-quality content across a wide range of topics, including society, technology, business, health, culture, and entertainment.
From breaking news to in-depth reports, we adhere to the principles of accuracy and diverse perspectives, helping readers find clarity and reliability in today’s fast-paced information landscape.
Our goal is to be a dependable source of knowledge for every reader—making information not only accessible but truly trustworthy. Looking ahead, we will continue to enhance our content and services, connecting the world and delivering value.
