Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Required
Privileges Required
Low
Attack Vector
Network
3

CVE-2021-43890

Disclosure Date: December 15, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated
Validated
Validated

Description

We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.
An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section.
Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.
December 27 2023 Update:
In recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme.
To address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.

Add Assessment

2
Ratings
Technical Analysis

A great overview of this bug is available at https://borncity.com/win/2021/12/16/update-fixt-windows-appx-installer-0-day-schwachstelle-cve-2021-43890-emotet-schlupfloch/ which leads on from a description at https://borncity.com/win/2021/12/02/windows-10-11-falle-beim-trusted-apps-installer/ showing how this bug was exploited in the wild. Essentially, by abusing the ms-appinstaller:// URI handler in Microsoft Windows, one can trick users into thinking that the website is trying to ask them to install software to do something; in the case of the campaign it was to install a PDF viewer so that one could open a protected PDF.

However what is interesting here is that if a user goes to inspect the properties of the app to be installed, a cursory glance will show that, according to AppX Installer, it is signed by a trusted publisher and the publisher details look legitimate. Its not unless you click on the Trusted App details link that one will see that something looks odd (assuming of course the user hasn’t already found the request for downloading a PDF viewer for viewing a sent PDF file suspicious).

Microsoft fixed this bug by disabling the ms-appinstaller:// URL entirely to prevent it from being abused for these types of attacks, however it is also recommended that the Prevent non-admin users from installing packaged Windows apps setting be set to prevent non-admin users from being able to install packaged Windows apps, which should prevent variants of this attack from being exploitable in your environment. More information on these and other mitigations can be found under the Workarounds section at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890.

CVSS V3 Severity and Metrics
Base Score:
7.1 High
Impact Score:
5.9
Exploitability Score:
1.2
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
Low
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • app installer

Exploited in the Wild

Reported by:
Technical Analysis