CVE-2021-43890

We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.

An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in theFAQ section.

Please see the Mitigations andWorkaround sections for important information about steps you can take to protect your system from this vulnerability.

December 27 2023 Update:

In recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme.

To address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.

Recent assessments:

gwillcox-r7 at December 21, 2021 3:56pm UTC reported:

A great overview of this bug is available at <https://borncity.com/win/2021/12/16/update-fixt-windows-appx-installer-0-day-schwachstelle-cve-2021-43890-emotet-schlupfloch/&gt; which leads on from a description at <https://borncity.com/win/2021/12/02/windows-10-11-falle-beim-trusted-apps-installer/&gt; showing how this bug was exploited in the wild. Essentially, by abusing the ms-appinstaller:// URI handler in Microsoft Windows, one can trick users into thinking that the website is trying to ask them to install software to do something; in the case of the campaign it was to install a PDF viewer so that one could open a protected PDF.

However what is interesting here is that if a user goes to inspect the properties of the app to be installed, a cursory glance will show that, according to AppX Installer, it is signed by a trusted publisher and the publisher details look legitimate. Its not unless you click on the Trusted App details link that one will see that something looks odd (assuming of course the user hasn’t already found the request for downloading a PDF viewer for viewing a sent PDF file suspicious).

Microsoft fixed this bug by disabling the ms-appinstaller:// URL entirely to prevent it from being abused for these types of attacks, however it is also recommended that the Prevent non-admin users from installing packaged Windows apps setting be set to prevent non-admin users from being able to install packaged Windows apps, which should prevent variants of this attack from being exploitable in your environment. More information on these and other mitigations can be found under the Workarounds section at <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890&gt;.

Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 5