Geeks for your information News Privacy & Security News v
Its Groundhog Day at Microsoft! Vulnerability patched again
Its Groundhog Day at Microsoft! Vulnerability patched again
harlan4096 Offline
MalWare Zoo Team
*******
Posts: 13,815
Threads: 9,255
Thanks Received: 8,903 in 7,082 posts
Thanks Given: 9,584
Joined: 12 September 18
#1
Exclamation  29 December 23, 12:13
Quote:Remember the movie Groundhog Day? Bull Murray plays a rather self-centered weatherman who finds himself in a time loop on Groundhog Day.

Windows administrators may have similar feelings to Murray's in regards to vulnerability CVE-2021-43890. First patched in December 2021, Microsoft announced in December 2023 that it has detected attacks in the wild and patched the issue again.

If that sounds confusing, it is. What Microsoft failed to mention is that the first patch has somehow been undone since April 2023.

Appx installer spoofing vulnerability in Windows

[Image: Fig8-Sample-malicious-App-Installer-experience.webp]

The vulnerability report refers to the issue as a spoofing vulnerability in Appx installer in Microsoft Windows. Microsoft developed the ms-appinstaller Uniform Resource Identifier to support the downloading and installation of apps directly from Internet servers.

In other words: users who clicked on ms-appinstaller links would get an installation prompt similarly to the one displayed on the screenshot above.

While it still required the user to hit the "install" button, the lack of a prominent "cancel" button led to unwanted installations. A click on the x-icon at the top of the window cancelled the process.

Activation of install would download and install the malware on the device.

Microsoft describes the process in the following way: "Users who click the links to the installers are presented with the desktop App Installer experience. If the user clicks “Install” in the desktop App Installer, the malicious application is installed and eventually runs additional processes and scripts that lead to malware installation."

Microsoft's blog post on its Security blog reveals that it observed several attacks that make use of App Installer to infect Windows devices. The functionality is disabled by default according to this Microsoft support page. Administrators may enable it, however. What Microsoft fails to mention in the post is that it disabled the functionality in December 2021 already as a reaction to abuse of the functionality.
...
Continue Reading
[-] The following 1 user says Thank You to harlan4096 for this post:
  • ismail
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
Windows 11 KB5048685 Update causes Wi-Fi...
The KB5048685 Upda...harlan4096 — 12:36
Windows 11: issue may prevent further in...
The latest version...harlan4096 — 08:47
Notepad++ v8.7.5 (2024-12-25)
Notepad++ v8.7.5 (...harlan4096 — 08:16
AdGuard for Mac 2.16.2
AdGuard for Mac 2....harlan4096 — 08:13
AdGuard Browser Extension 5.0.178 (MV3)
AdGuard Browser Ex...harlan4096 — 08:12

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>