
Microsoft once again turns off the ms-appinstaller protocol handler by default | iThome

by admin

Microsoft Takes Action Against Hacker Abuse of MSIX’s ms-appinstaller Protocol Handler

Microsoft has once again announced that it will be turning off the ms-appinstaller protocol handler for MSIX by default due to abuse by various hacker groups. The decision comes in response to observations that hacker groups, including Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, have been using the ms-appinstaller URI protocol to spread malicious programs.

The ms-appinstaller protocol handler allows users to install applications by simply clicking on links on websites without having to download the entire MSIX package, providing a convenient installation experience. However, Microsoft’s investigation has revealed that the abuse of this protocol handler has led to ransomware attacks and the spread of malware kits by hacker groups.

The decision to turn off the ms-appinstaller protocol handler by default is an effort to protect customers from related attacks. Microsoft is currently investigating the use of the App Installer in these attacks and has taken this proactive step to prevent further exploitation by hacker groups.

This is not the first time Microsoft has taken action to address the abuse of the ms-appinstaller protocol handler. In February 2022, the company temporarily turned off the handler due to similar abuses by hackers.

Once the handler is turned off, the App Installer will no longer be able to install programs directly from a web server. Instead, users will have to download the program first. Website administrators are advised to remove ‘ms-appinstaller:?source=’ from their websites so that users download the MSIX package or .appinstaller file and then install the package through the App Installer.
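The link cleanup advised for website administrators above, as an added example that is not from Microsoft or the original article: a Python sketch that finds ‘ms-appinstaller:?source=’ links in a page and rewrites them to plain download links. The function name and the sample HTML with its example.com URLs are constructed for illustration.

```python
import re
from html import escape, unescape
from urllib.parse import unquote

# href="ms-appinstaller:?source=<url>" in either quote style, any letter case.
LINK_RE = re.compile(
    r"""(?P<pre>\bhref\s*=\s*)(?P<q>["'])\s*ms-appinstaller:\?source=(?P<url>.*?)(?P=q)""",
    re.IGNORECASE | re.DOTALL,
)

def rewrite_appinstaller_links(html_text):
    """Return (new_html, findings); protocol links become direct download links."""
    findings = []

    def _fix(match):
        raw = unescape(match.group("url")).strip()
        # Some pages percent-encode the whole source URL; decode that form.
        if re.match(r"https?%3a", raw, re.IGNORECASE):
            raw = unquote(raw)
        if not re.match(r"https?://", raw, re.IGNORECASE):
            findings.append((raw, "unresolved"))
            return match.group(0)  # leave untouched for manual review
        findings.append((raw, "rewritten"))
        quote = match.group("q")
        return f'{match.group("pre")}{quote}{escape(raw, quote=True)}{quote}'

    return LINK_RE.sub(_fix, html_text), findings

# Constructed sample page: two protocol links and one ordinary link.
SAMPLE = """<a href="ms-appinstaller:?source=https://downloads.example.com/app/Contoso.msix">Install</a>
<a href='MS-AppInstaller:?source=https%3A%2F%2Fdownloads.example.com%2Fapp%2FContoso.appinstaller'>Install</a>
<a href="https://downloads.example.com/readme.html">Docs</a>"""

if __name__ == "__main__":
    cleaned, report = rewrite_appinstaller_links(SAMPLE)
    for url, status in report:
        print(f"{status}: {url}")
    print(cleaned)
```

Links reported as unresolved are left unchanged so they can be reviewed by hand.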


The abuse of the ms-appinstaller protocol handler by hacker groups highlights the need for continued vigilance and cybersecurity measures to protect users from malicious attacks. Microsoft’s decision to turn off the ms-appinstaller protocol handler is aimed at safeguarding its users and preventing further exploitation by malicious actors.
