  • Microsoft disables a web-based app installer protocol to shut down malicious activity

    aum


    Many of Microsoft's team members are still on an extended holiday break, which meant that for the past couple of weeks, we didn't get any updates for Windows 11, or any new builds from the Windows Insider Program. However, the Microsoft Security Response Center is still up and running, even during the holidays. This week, the MSRC took measures to shut down a protocol that was being used by cybercriminals to try and get people to install malicious apps from websites.

     

    In a blog post, the MSRC stated that it had found evidence that the ms-appinstaller URI scheme was the subject of malicious activity. The ms-appinstaller URI scheme is supposed to allow users of the company's App Installer to download and install apps directly from websites by using the MSIX package installer.

     

    In theory, this is supposed to be a convenient way for people to install apps without having to wait for the app to be downloaded first on their PC. However, as the blog post states, Microsoft has found that cybercriminals are using "social engineering and phishing techniques" to get people to download malicious apps via this protocol. The blog post did not state how extensive this activity has been.

     

    On Thursday, the MSRC issued a security update for CVE-2021-43890. The update, which was labeled as "Important", disables the ms-appinstaller URI scheme by default. That means if you go to a website that uses this protocol to distribute apps, you won't be able to download and install that app immediately on your PC. Instead, the MSIX package will simply be downloaded to your storage device and you will have to install the app on your PC manually. You will be able to use anti-virus software on that package to find out if it has any malicious code.

     

    Microsoft says it will "continue to monitor future malicious activity". It also recommends that users do not download or install any apps from unknown websites.
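
To check where this scheme still appears in web pages or mail bodies, the following added example (not from the article or from Microsoft) finds ms-appinstaller links and extracts the package URL each one points at. It assumes the `ms-appinstaller:?source=<package URL>` link form, which the article does not show; the sample HTML, hostnames and allowlist are constructed.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Scheme match is case-insensitive; the URI ends at whitespace, a quote or an angle bracket.
URI_RE = re.compile(r"ms-appinstaller:[^\s\"'<>]+", re.IGNORECASE)
PACKAGE_EXTS = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")

def find_appinstaller_links(text):
    """Return one finding per ms-appinstaller URI found in HTML or plain text."""
    findings = []
    # Undo HTML entity escaping (&amp; etc.) before parsing the query string.
    for raw in URI_RE.findall(html.unescape(text)):
        query = raw.split("?", 1)[1] if "?" in raw else ""
        # parse_qs also percent-decodes values; parameter names are compared lowercased.
        params = {k.lower(): v for k, v in parse_qs(query).items()}
        source = params.get("source", [""])[0]
        parts = urlsplit(source)
        findings.append({
            "uri": raw,
            "source": source,
            "host": (parts.hostname or "").lower(),
            "package": parts.path.lower().endswith(PACKAGE_EXTS),
        })
    return findings

def unapproved(text, allowed_hosts):
    """Findings whose package host is not on the organisation's allowlist."""
    allowed = {h.lower() for h in allowed_hosts}
    return [f for f in find_appinstaller_links(text) if f["host"] not in allowed]

# Constructed sample page: two installer links (one percent-encoded) and one ordinary link.
SAMPLE = (
    '<a href="ms-appinstaller:?source=https://downloads.example.test/tool.msix">Install</a>\n'
    '<a href="MS-AppInstaller:?Source=https%3A%2F%2Fcdn.example.net%2Fsetup.msixbundle&amp;x=1">Get</a>\n'
    '<a href="https://example.test/readme.html">Docs</a>\n'
)
ALLOWED = {"downloads.example.test"}  # hypothetical allowlist

if __name__ == "__main__":
    for f in unapproved(SAMPLE, ALLOWED):
        print("review:", f["host"], f["source"])
```
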

     
