Microsoft Disables MSIX Protocol Handler Abused in Malware Attacks (bleepingcomputer.com) 11
Microsoft has again disabled the MSIX ms-appinstaller protocol handler after multiple financially motivated threat groups abused it to infect Windows users with malware. From a report: The attackers exploited the CVE-2021-43890 Windows AppX Installer spoofing vulnerability to circumvent security measures that would otherwise protect Windows users from malware, such as the Defender SmartScreen anti-phishing and anti-malware component and built-in browser alerts cautioning users against executable file downloads.
Microsoft says the threat actors use both malicious advertisements for popular software and Microsoft Teams phishing messages to push signed malicious MSIX application packages. "Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware," the company said.
Microsoft says the threat actors use both malicious advertisements for popular software and Microsoft Teams phishing messages to push signed malicious MSIX application packages. "Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware," the company said.
no shit (Score:5, Funny)
ms-appinstaller://who-could-have-thought-this-would-be-abused
Re: (Score:3)
Considering how much trouble and money you have to go though to get an app signed, what's the point of all that stuff when the malware is signed and distributed just as easily?
Re: (Score:2)
what's the point of all that stuff when the malware is signed and distributed just as easily?
Someone really needs to look into Windows 11.
Re: no shit (Score:2)
The operating system that comes with forcibly required spyware to work.
Re: (Score:2)
I always thought Microsoft was so desperate for "apps" that they would let anything onto their Windows Store, so I doubt their review process is comprehensive. They probably just run it through some scanners to make sure it doesn't crash and then call it "certified." It's security theater at best.
Re: no shit (Score:2)
Why would Microsoft be desperate for apps? Almost every app is made for Windows! Some Linux- and Mac-only apps may not be available, but there's always some equivalent.
Re: (Score:2)
There was a point where Microsoft would pay you to list your "app" in the Windows Store. There's lots of software available for Windows, but if you actually open their "app store" it's a wasteland of confusing shovelware.
Re: no shit (Score:2)
So is the Google playstore for Android.
Search for 'Authenticator' and see how many different hits you get.
Re: (Score:2)
Because Microsoft looked at Apple receiving a 30% cut of everything sold in the Apple app store and got insanely jealous. Then they churned out Windows 8 in an attempt to turn everything into an "app" and bring the worst aspects of phone UI to the computer screen. When customers rejected that hot garbage in a pique of common sense, Microsoft knew their app store was a failure and have been desperately trying to figure out a way to make it work since then. They also got the hint and backpedaled on a lot
Re: (Score:2)
It's security theater at best.
Like basically all "security" in MS products. Even their cloud security is crap and they cannot blame that on legacy stuff.
Why TF is this malware signed? (Score:3)
This is another abysmal failure by MS.