CVE-2021-43890

Microsoft Windows AppX Installer Spoofing Vulnerability

Severity Score

7.1

*CVSS v3.1

Exploit Likelihood

14.9%

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Attend

*SSVC

Descriptions

We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.
An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section.
Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.
December 27 2023 Update:
In recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme.
To address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.

Una vulnerabilidad de Suplantación de Identidad de Windows AppX Installer

We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader. An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section. Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability. December 27 2023 Update: In recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. To address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.

Microsoft Windows AppX Installer contains a spoofing vulnerability which has a high impacts to confidentiality, integrity, and availability.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Active

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2021-11-16 CVE Reserved
2021-12-15 CVE Published
2021-12-15 Exploited in Wild
2021-12-29 KEV Due Date
2025-02-04 CVE Updated
2025-02-04 First Exploit
2025-03-30 EPSS Updated

CWE

CAPEC

References (5)

URL	Tag	Source
https://github.com/ChrisTitusTech/winutil/pull/26	Issue Tracking
https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html	Media Coverage
https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abu...	Media Coverage

1 - 3 of 3

URL	Date	SRC
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-act...	2025-02-04

1 - 1 of 1

URL	Date	SRC
https://portal.msrc.microsoft.com/en-US/security-guidance/adviso...	2024-07-24

1 - 1 of 1

URL	Date	SRC

Affected Vendors, Products, and Versions (11)

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microsoft Search vendor "Microsoft"	App Installer Search vendor "Microsoft" for product "App Installer"	< 1.16 Search vendor "Microsoft" for product "App Installer" and version " < 1.16"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 10 1809 Search vendor "Microsoft" for product "Windows 10 1809"	-	-	Safe
Microsoft Search vendor "Microsoft"	App Installer Search vendor "Microsoft" for product "App Installer"	< 1.16 Search vendor "Microsoft" for product "App Installer" and version " < 1.16"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 10 1903 Search vendor "Microsoft" for product "Windows 10 1903"	-	-	Safe
Microsoft Search vendor "Microsoft"	App Installer Search vendor "Microsoft" for product "App Installer"	< 1.16 Search vendor "Microsoft" for product "App Installer" and version " < 1.16"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 10 1909 Search vendor "Microsoft" for product "Windows 10 1909"	-	-	Safe
Microsoft Search vendor "Microsoft"	App Installer Search vendor "Microsoft" for product "App Installer"	< 1.16 Search vendor "Microsoft" for product "App Installer" and version " < 1.16"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 10 2004 Search vendor "Microsoft" for product "Windows 10 2004"	-	-	Safe
Microsoft Search vendor "Microsoft"	App Installer Search vendor "Microsoft" for product "App Installer"	< 1.16 Search vendor "Microsoft" for product "App Installer" and version " < 1.16"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 10 20h2 Search vendor "Microsoft" for product "Windows 10 20h2"	-	-	Safe
Microsoft Search vendor "Microsoft"	App Installer Search vendor "Microsoft" for product "App Installer"	< 1.16 Search vendor "Microsoft" for product "App Installer" and version " < 1.16"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 10 21h1 Search vendor "Microsoft" for product "Windows 10 21h1"	-	-	Safe
Microsoft Search vendor "Microsoft"	App Installer Search vendor "Microsoft" for product "App Installer"	< 1.16 Search vendor "Microsoft" for product "App Installer" and version " < 1.16"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 10 21h2 Search vendor "Microsoft" for product "Windows 10 21h2"	-	-	Safe
Microsoft Search vendor "Microsoft"	App Installer Search vendor "Microsoft" for product "App Installer"	< 1.16 Search vendor "Microsoft" for product "App Installer" and version " < 1.16"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 11 21h2 Search vendor "Microsoft" for product "Windows 11 21h2"	-	-	Safe
Microsoft Search vendor "Microsoft"	App Installer Search vendor "Microsoft" for product "App Installer"	< 1.11 Search vendor "Microsoft" for product "App Installer" and version " < 1.11"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 10 1507 Search vendor "Microsoft" for product "Windows 10 1507"	-	-	Safe
Microsoft Search vendor "Microsoft"	App Installer Search vendor "Microsoft" for product "App Installer"	< 1.11 Search vendor "Microsoft" for product "App Installer" and version " < 1.11"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows 10 1709 Search vendor "Microsoft" for product "Windows 10 1709"	-	-	Safe

1 - 10 of 11