The last zero-day of 2023 (CVE-2021-43890) is now causing issues with application installations in 2024. This security vulnerability in the core Windows installer protocol for Microsoft AppX (and MSIX) packages has now been reported as both publicly disclosed and exploited in the wild. A true zero-day nightmare for IT administrators who wished for a brief respite over the Christmas break.
Microsoft has investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. At present, Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.
On December 28th, 2023, Microsoft updated CVE-2021-43890 to disable the ms-appinstaller URI scheme (protocol) by default, as a security response to protect vulnerable systems from attackers' evolving techniques against the previous safeguards. This means that users will no longer be able to install an app directly from a web page using the MSIX package installer. Instead, users will be required to download the MSIX package first and then install it, which ensures that locally installed antivirus protections will scan it.
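As an added example (not from the original post or from Microsoft), the PowerShell script below audits a host for the mitigation just described: whether the ms-appinstaller protocol is disabled by policy, and which version of Desktop App Installer is present. It assumes the registry value backing the "Enable App Installer ms-appinstaller protocol" Group Policy, and `$MinimumFixedVersion` is a placeholder you must fill from the vendor advisory.

```powershell
# Added example (not from the original post): audit, and optionally enforce,
# the CVE-2021-43890 mitigation on the local machine.
# Assumptions: the Group Policy "Enable App Installer ms-appinstaller protocol"
# is backed by the registry value below; $MinimumFixedVersion is a PLACEHOLDER
# to be replaced with the App Installer build named in the vendor advisory.
param(
    [switch]$Enforce,
    [version]$MinimumFixedVersion = '0.0.0.0'   # PLACEHOLDER value
)

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyValue = 'EnableMSAppInstallerProtocol'

function Get-MsAppInstallerProtocolState {
    # 'Disabled' only when policy explicitly sets 0; a missing value means the
    # client falls back to its own built-in default, which is not auditable here.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$PolicyValue -eq 0) { return 'Disabled' } else { return 'Enabled' }
}

function Get-AppInstallerVersion {
    # Desktop App Installer is Store-delivered, so its version can lag behind
    # the OS cumulative update; check the package itself.
    $pkg = Get-AppxPackage -Name Microsoft.DesktopAppInstaller -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if ($null -eq $pkg) { return $null }
    return [version]$pkg.Version
}

function Disable-MsAppInstallerProtocol {
    # Create the policy key if needed and set the value to 0 (protocol off).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value 0 -PropertyType DWord -Force | Out-Null
}

$state   = Get-MsAppInstallerProtocolState
$version = Get-AppInstallerVersion
Write-Host "ms-appinstaller protocol policy : $state"
Write-Host "Desktop App Installer version   : $(if ($version) { $version } else { 'not installed' })"

if ($version -and $version -lt $MinimumFixedVersion) {
    Write-Warning "App Installer $version is below the minimum fixed version $MinimumFixedVersion."
}
if ($state -ne 'Disabled') {
    if ($Enforce) { Disable-MsAppInstallerProtocol; Write-Host 'Policy set: protocol disabled.' }
    else { Write-Warning 'ms-appinstaller protocol not disabled by policy; re-run with -Enforce.' }
}
```

Run it as an administrator; without `-Enforce` it only reports, so it can be pushed fleet-wide as a read-only check before the policy is rolled out.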
An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Most worryingly, the following Windows OS updates listed below contained a previous (vulnerable) version of the App Installer.
Please add this update to your Out-of-Band, “Patch Now” schedule.