Date: 2024-01-03

Microsoft has disabled the App Installer functionality that allowed Windows 10 apps to be installed directly from a web page by clicking on a link that used the ms-appinstaller URI scheme. This functionality has been heavily abused in recent months by different threat actors to deploy ransomware and other malicious implants.

“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” Microsoft said in a report last week.

The protocol handler was disabled on December 28 with the release of App Installer version 1.21.3421.0 after the company previously warned about the Windows AppX Installer Spoofing Vulnerability (CVE-2021-43890) on the last Patch Tuesday.

How does Microsoft App Installer work?

App Installer is a feature that was introduced in Windows 10 in 2016 to facilitate the installation of Universal Windows Platform (UWP) apps, previously known as Windows Store apps. These applications can be deployed on all Windows devices and are distributed in a package format called MSIX as .msix or .msixbundle files. MSIX was introduced in 2019 and replaced the older AppX packaging format for apps on the Microsoft Store.

However, MSIX packages don’t necessarily have to be deployed from the Microsoft Store. They can also be installed offline or deployed from any website thanks to the ms-appinstaller URI scheme and protocol handler. Microsoft encourages enterprises to use MSIX packages to deploy their applications because they offer better reliability and installation success rate, as well as optimized bandwidth and disk space usage.

“MSIX enables enterprises to stay current and ensure their applications are always up to date. It allows IT pros and developers to deliver a user centric solution while still reducing the cost of ownership of application by reducing the need to repackage,” the company said.
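
For defenders who want to see where ms-appinstaller links still appear in web content they control or inspect, the following added example (not from Microsoft or the original article) scans HTML for such links and flags those whose package source falls outside an allow-list. It assumes the `ms-appinstaller:?source=<URL>` link form; the hosts, the allow-list and the sample page are constructed placeholders.

```python
import re
from html import unescape
from urllib.parse import urlsplit, parse_qs

# Constructed sample page; hosts and file names are placeholders, not IoCs.
SAMPLE_HTML = '''
<a href="ms-appinstaller:?source=https://apps.corp.example/tools/viewer.msix">Install viewer</a>
<a href="MS-AppInstaller:?source=https%3A%2F%2Fdownloads.example.net%2Fsetup.msixbundle&amp;x=1">Download</a>
<a href="https://apps.corp.example/help">Help</a>
<a href="ms-appinstaller:?source=http://203.0.113.7/update.appinstaller">Update</a>
'''

ALLOWED_HOSTS = {"apps.corp.example"}  # assumption: the organization's own package host
PACKAGE_EXTS = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")
# URI schemes are case-insensitive, so match the scheme regardless of case.
HREF_RE = re.compile(r'''href\s*=\s*["'](ms-appinstaller:[^"']*)["']''', re.IGNORECASE)

def find_appinstaller_links(html):
    """Return one finding dict per ms-appinstaller link found in the HTML."""
    findings = []
    for raw in HREF_RE.findall(html):
        uri = unescape(raw)  # decode HTML entities such as &amp;
        query = uri.split("?", 1)[1] if "?" in uri else ""
        source = parse_qs(query).get("source", [""])[0]  # also percent-decodes
        parts = urlsplit(source)
        host = (parts.hostname or "").lower()
        reasons = []
        if host not in ALLOWED_HOSTS:
            reasons.append("source host not allow-listed")
        if parts.scheme != "https":
            reasons.append("source not fetched over https")
        if not parts.path.lower().endswith(PACKAGE_EXTS):
            reasons.append("unexpected file type")
        findings.append({"uri": uri, "source": source, "host": host, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_appinstaller_links(SAMPLE_HTML):
        verdict = "REVIEW" if f["reasons"] else "ok"
        print(f"{verdict:6} {f['host']:25} {'; '.join(f['reasons'])}")
```

The same function can be pointed at saved e-mail bodies or crawled landing pages; the allow-list should hold only hosts the organization itself uses to publish packages.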