Happy New Year – Patch Up!

Greg Lambert
January 2, 2024

The last zero-day of 2023 (CVE-2021-43890) is now causing issues with application installations in 2024. This security vulnerability in the core Windows installer protocol for Microsoft AppX (and MSIX) has now been reported as both publicly available and exploited in the wild. A true zero-day nightmare for IT administrators who wished for a brief respite over the Christmas break.

Microsoft has investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. At present, Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.

On December 28th, 2023, Microsoft updated CVE-2021-43890 to disable the ms-appinstaller URI scheme (protocol) by default, as a security response to protect vulnerable systems from attackers’ evolving techniques against previous safeguards. This means that users will no longer be able to install an app directly from a web page using the MSIX package installer. Instead, users will be required to download the MSIX package first to install it, which ensures that locally installed antivirus protections will run.
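With the protocol disabled, any page or mail template that still offers a direct web install will stop working, and the same links are worth flagging in inbound content. The following is an added example, not code from Microsoft or from this post: it assumes the documented `ms-appinstaller:?source=<package URL>` link form, and the sample HTML and host names are constructed.

```python
import re
from html import unescape
from urllib.parse import parse_qs, urlsplit

# An ms-appinstaller link runs up to the next quote, whitespace or angle bracket.
LINK_RE = re.compile(r"ms-appinstaller:[^\s\"'<>]+", re.IGNORECASE)
PACKAGE_EXTS = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")

# Constructed sample: two direct-install links and one ordinary download link.
SAMPLE_HTML = """
<a href="ms-appinstaller:?source=https://cdn.example.test/tools/Viewer.msix">Install</a>
<a href="MS-AppInstaller:?Source=https%3A%2F%2Fpkg.example.test%2FSetup.appinstaller">Get</a>
<a href="https://www.example.test/downloads/Viewer.msix">Download</a>
"""


def find_appinstaller_links(text):
    """Return one finding per ms-appinstaller link in HTML or plain text."""
    findings = []
    for raw in LINK_RE.findall(unescape(text)):  # unescape handles &amp; etc.
        query = raw.split("?", 1)[1] if "?" in raw else ""
        # Parameter names are compared case-insensitively; values are URL-decoded.
        params = {k.lower(): v for k, v in parse_qs(query).items()}
        source = params.get("source", [""])[0]
        parts = urlsplit(source)
        findings.append({
            "link": raw,
            "source": source,
            "host": parts.hostname or "",
            "is_package": parts.path.lower().endswith(PACKAGE_EXTS),
        })
    return findings


def hosts_serving_packages(text):
    """Sorted, de-duplicated hosts that direct-install links point to."""
    return sorted({f["host"] for f in find_appinstaller_links(text) if f["host"]})


if __name__ == "__main__":
    for finding in find_appinstaller_links(SAMPLE_HTML):
        print(finding["host"], finding["source"], finding["is_package"])
```

The plain `https://` download link is not reported, which matches the post-change behaviour: the package is downloaded first and then installed locally.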

An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Most worryingly, the Windows OS updates listed below contained a previous (vulnerable) version of the AppInstaller.

Please add this update to your Out-of-Band, “Patch Now” schedule.

Greg Lambert

CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.
