cbcvebase.
CVE-2021-43890
published 2021-12-15


Priority: P1 85 high
CVSS 3.1 base score: 7.1 (vector AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability (due 2021-12-29)
Exploited in the wild
EPSS: 10.29% (percentile 95.1)
We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader. An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section. Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.

December 27, 2023 update: In recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. To address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.

Affected

4 ranges

Vendor     Product        Version range                Fixed in
microsoft  app_installer  < 1.16                       1.16
microsoft  app_installer  < 1.11                       1.11
microsoft  app_installer  >= 1.0.0.0, < publication    publication
msrc       app_installer  -                            -

Detection & IOCs (extracted from sources)

Type   Value
other  ms-appinstaller
other  ms-appinstaller:*
path   Microsoft.DesktopAppInstaller_8wekyb3d8bbwe
  • Monitor for use of the ms-appinstaller URI scheme handler being invoked, particularly from browser processes, as threat actors are leveraging it to deliver malware via phishing campaigns.
  • Detect AppX installer launching from user-opened email attachments or browser downloads; exploitation involves specially crafted .appx/.msix packages delivered via phishing.
  • Alert on AppX installer activity associated with known malware families Emotet, Trickbot, and BazaLoader; these families have been observed being delivered via exploitation of this vulnerability.
  • Check App Installer version; versions prior to build 1.21.3421.0 have the ms-appinstaller URI scheme enabled by default and are vulnerable.
  • Monitor for silent/hidden subframe protocol invocations of ms-appinstaller in browser traffic, which may indicate a drive-by exploitation attempt.
  • The ms-appinstaller protocol is only disabled by default in App Installer build 1.21.3421.0 or greater; older versions remain vulnerable unless the protocol is explicitly disabled via Group Policy (EnableMSAppInstallerProtocol = Disabled), which requires version 1.17.10633.0 or greater.
  • Customers running Windows 10 version 1709 or 1803 must use a different (older) installer build (1.11) and cannot use the same mitigation path as Windows 10 1809+ or Windows 11 users.
  • The BlockNonAdminUserInstall GPO workaround only prevents non-admin users from installing packages; administrator users remain able to install AppX packages and could still be targeted.
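An added example (not from the source page or from Microsoft) that turns two of the checks above into code: a version test against the 1.21.3421.0 and 1.17.10633.0 thresholds, and a scan of process-creation events for ms-appinstaller: URIs launched from a browser parent. The log line format, the browser list and the sample events are constructed assumptions, not real telemetry.

```python
import re
from typing import List, Tuple

# Thresholds quoted in the guidance above.
PROTOCOL_DISABLED_BY_DEFAULT = (1, 21, 3421, 0)   # ms-appinstaller off by default
GPO_SUPPORTED = (1, 17, 10633, 0)                # EnableMSAppInstallerProtocol GPO available

# Assumed set of browser image names (adjust to your environment).
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
URI_RE = re.compile(r"ms-appinstaller:\?source=(\S+)", re.IGNORECASE)

def parse_version(text: str) -> Tuple[int, ...]:
    """'1.21.3421.0' -> (1, 21, 3421, 0); shorter strings compare as tuples."""
    return tuple(int(part) for part in text.strip().split("."))

def app_installer_status(version: str) -> str:
    """Classify an installed App Installer version against the advisory thresholds."""
    v = parse_version(version)
    if v >= PROTOCOL_DISABLED_BY_DEFAULT:
        return "protocol disabled by default"
    if v >= GPO_SUPPORTED:
        return "vulnerable unless EnableMSAppInstallerProtocol GPO is Disabled"
    return "vulnerable; update App Installer"

def find_protocol_invocations(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (parent_image, uri_source) for events where a browser spawned
    App Installer through an ms-appinstaller: URI (constructed 'k=v | k=v' format)."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split(" | "))
        match = URI_RE.search(fields.get("cmdline", ""))
        if match and fields.get("parent", "").lower() in BROWSERS:
            hits.append((fields["parent"], match.group(1)))
    return hits

# Constructed sample process-creation events (hosts use a reserved .invalid TLD).
SAMPLE_LOG = [
    "parent=msedge.exe | image=AppInstaller.exe | cmdline=ms-appinstaller:?source=https://example.invalid/update.appinstaller",
    "parent=explorer.exe | image=AppInstaller.exe | cmdline=C:\\Users\\u\\Downloads\\tool.msix",
    "parent=chrome.exe | image=AppInstaller.exe | cmdline=MS-APPINSTALLER:?source=http://example.invalid/x.msix",
]

if __name__ == "__main__":
    for ver in ("1.16.0.0", "1.17.10633.0", "1.21.3421.0"):
        print(ver, "->", app_installer_status(ver))
    for parent, source in find_protocol_invocations(SAMPLE_LOG):
        print("ALERT: ms-appinstaller launched by", parent, "from", source)
```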

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.1    HIGH      CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0     6.0    MEDIUM    AV:N/AC:M/Au:S/C:P/I:P/A:P
vulncheck    -        7.1    HIGH      -
cisa         -        7.1    HIGH      -
vendor_msrc  -        7.1    HIGH      -