"๐จ Windows App Installer Vulnerability: A New Twist in Cybersecurity ๐จ"
Microsoft has temporarily disabled the MSIX ms-appinstaller protocol handler in Windows due to security concerns. This action was taken because malicious groups, like the Sangria Tempest group (also known as FIN7), were using it to distribute malware. This vulnerability, known as CVE-2021-43890, was exploited through phishing and malicious ads, often resulting in ransomware attacks. These attacks were able to bypass Defender SmartScreen and browser security warnings. Microsoft initially disabled this handler in February 2022 to counter Emotet attacks and has now decided to disable it again due to ongoing misuse by financially motivated threat groups.
The MSIX ms-appinstaller protocol handler is an important part of the MSIX package format. It simplifies the process of installing Windows applications directly from a URL, making it easier for developers and users. MSIX is a modern app package format for Windows that combines the best features of MSI, .appx, App-V, and ClickOnce installation technologies. Its main goal is to help developers package and distribute their applications efficiently and reliably, ensuring compatibility.
For more on CVE-2021-43890: Microsoft Advisory
For details on FIN7: MITRE - FIN7
Tags: #CyberSecurity #WindowsVulnerability #MSIX #ProtocolHandler #Malware #Ransomware #Phishing #ThreatIntelligence #SangriaTempest #FIN7 #MicrosoftSecurity
Sources:
- MSRC Blog: Microsoft addresses App Installer abuse
- BleepingComputer, Sergiu Gatlan: Microsoft disables MSIX protocol handler