{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-069.pdf"
    },
    "title": "Windows AppX Installer Spoofing Vulnerability",
    "serial_number": "2021-069",
    "publish_date": "15-12-2021 13:54:00",
    "description": "On December 14th, Microsoft released an advisory to address a Windows AppX Installer spoofing security flaw tracked as CVE-2021-43890. It can be exploited remotely by threat actors with low user privileges in high-complexity attacks requiring user interaction. Attacks attempting to exploit this vulnerability have already been observed in the wild.",
    "url_title": "2021-069",
    "content_markdown": "---\ntitle: 'Windows AppX Installer Spoofing Vulnerability'\nversion: '1.0'\nnumber: '2021-069'\ndate: 'December 15, 2021'\n---\n\n_History:_\n\n* _15/12/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn December 14th, Microsoft released an advisory [2] to address a Windows AppX Installer spoofing security flaw tracked as CVE-2021-43890. It can be exploited remotely by threat actors with low user privileges in high-complexity attacks requiring user interaction [1]. Attacks attempting to exploit this vulnerability have already been observed in the wild.\n\n# Technical Details\n\nMicrosoft investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. _Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader_. [2]\n\nAccording to Microsoft, an attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights [2].\n\nBleepingComputer previously reported that Emotet began spreading using malicious Windows App Installer packages camouflaged as Adobe PDF software. While Microsoft did not directly link the CVE-2021-43890 zero-day to this campaign, the details from yesterday's advisory line up with tactics used in recent Emotet attacks.\n\n# Recommendations\n\nMicrosoft has patched this high-severity Windows zero-day vulnerability. CERT-EU recommends installing the patched Microsoft Desktop Installer:\n\n* Microsoft Desktop Installer 1.16 for Windows 10, version 1809 and later;\n* Microsoft Desktop Installer 1.11 for Windows 10, version 1709 or Windows 10, version 1803.\n\n# Workarounds\n\n* Enable `BlockNonAdminUserInstall` GPO to prevent non-admins from installing any Windows App packages.\n* Enable `AllowAllTrustedAppToInstall` GPO to prevent installing apps from outside the Microsoft Store.\n* Use Windows Defender Application Control or AppLocker to block the Desktop App Installer app (`Microsoft.DesktopAppInstaller_8wekyb3d8bbwe`), or create policies to limit the apps installed in your environment.\n* Disable the `ms-appinstaller` protocol, which allows apps to be installed directly from a website.\n\n# References\n\n[1] <https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-appx-installer-zero-day-used-by-emotet/>\n\n[2] <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43890>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>15/12/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On December 14th, Microsoft released an advisory [2] to address a Windows AppX Installer spoofing security flaw tracked as CVE-2021-43890. It can be exploited remotely by threat actors with low user privileges in high-complexity attacks requiring user interaction [1]. Attacks attempting to exploit this vulnerability have already been observed in the wild.</p><h2 id=\"technical-details\">Technical Details</h2><p>Microsoft investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. <em>Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader</em>. [2]</p><p>According to Microsoft, an attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights [2].</p><p>BleepingComputer previously reported that Emotet began spreading using malicious Windows App Installer packages camouflaged as Adobe PDF software. While Microsoft did not directly link the CVE-2021-43890 zero-day to this campaign, the details from yesterday's advisory line up with tactics used in recent Emotet attacks.</p><h2 id=\"recommendations\">Recommendations</h2><p>Microsoft has patched this high-severity Windows zero-day vulnerability. CERT-EU recommends installing the patched Microsoft Desktop Installer:</p><ul><li>Microsoft Desktop Installer 1.16 for Windows 10, version 1809 and later;</li><li>Microsoft Desktop Installer 1.11 for Windows 10, version 1709 or Windows 10, version 1803.</li></ul><h2 id=\"workarounds\">Workarounds</h2><ul><li>Enable <code>BlockNonAdminUserInstall</code> GPO to prevent non-admins from installing any Windows App packages.</li><li>Enable <code>AllowAllTrustedAppToInstall</code> GPO to prevent installing apps from outside the Microsoft Store.</li><li>Use Windows Defender Application Control or AppLocker to block the Desktop App Installer app (<code>Microsoft.DesktopAppInstaller_8wekyb3d8bbwe</code>), or create policies to limit the apps installed in your environment.</li><li>Disable the <code>ms-appinstaller</code> protocol, which allows apps to be installed directly from a website.</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-appx-installer-zero-day-used-by-emotet/\">https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-appx-installer-zero-day-used-by-emotet/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43890\">https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43890</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}