CVE-2021-43890 Overview
CVE-2021-43890 is a spoofing vulnerability in the Microsoft Windows AppX Installer that has been actively exploited in the wild by threat actors deploying malware families including Emotet, Trickbot, and Bazaloader. The vulnerability allows attackers to craft malicious MSIX/AppX packages that can be distributed through phishing campaigns, exploiting the ms-appinstaller URI scheme to trick users into installing malicious software.
Microsoft has confirmed active exploitation of this vulnerability, with a significant increase in threat actor activity observed leveraging social engineering and phishing techniques targeting Windows OS users. In December 2023, Microsoft responded by disabling the ms-appinstaller protocol by default to address the ongoing abuse.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog and has been actively weaponized by financially motivated threat actors to distribute banking trojans and ransomware through phishing campaigns.
Affected Products
- Microsoft App Installer
- Microsoft Windows 10 (versions 1507, 1709, 1803, 1809, 1903, 1909, 2004, 20H2, 21H1, 21H2)
- Microsoft Windows 11 21H2
Discovery Timeline
- 2021-12-15 - CVE-2021-43890 published to NVD
- 2023-12-27 - Microsoft releases update disabling ms-appinstaller protocol by default
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2021-43890
Vulnerability Analysis
The vulnerability resides in the Windows App Installer component, specifically in how it handles the ms-appinstaller URI scheme. This protocol was designed to streamline the installation of MSIX packages directly from web sources, but the implementation contained insufficient validation that allowed attackers to spoof legitimate application installers.
When a user clicks a malicious link containing the ms-appinstaller: URI scheme, the App Installer would process the request and display installation prompts that could be crafted to appear as legitimate software. The spoofing aspect allows attackers to manipulate the displayed publisher information and application details, making malicious packages appear trustworthy.
The attack requires user interaction—specifically, the victim must click on a malicious attachment or link and proceed through the installation prompt. However, the spoofing capability significantly increases the likelihood of successful social engineering by presenting the malicious package as a trusted application.
Root Cause
The root cause of this vulnerability stems from insufficient validation in the Windows App Installer when processing MSIX packages delivered via the ms-appinstaller URI scheme. The component failed to adequately verify the authenticity and integrity of package metadata displayed to users, allowing attackers to spoof publisher information and application details. This design flaw enabled malicious packages to masquerade as legitimate software during the installation process.
Attack Vector
The attack vector is network-based, typically delivered through phishing emails containing malicious links or attachments. Threat actors craft specially designed MSIX packages that, when opened via the ms-appinstaller protocol, display spoofed publisher information to deceive users. The attack chain typically follows this pattern:
- Attacker creates a malicious MSIX package containing malware (Emotet, Trickbot, or Bazaloader)
- The package is hosted on a web server with a crafted ms-appinstaller: URI
- Phishing emails are sent containing links that trigger the App Installer
- When clicked, Windows App Installer displays the spoofed installation prompt
- If the user approves installation, the malware payload is executed
The vulnerability has been extensively abused by financially motivated threat actors, with multiple malware families leveraging this technique to bypass traditional email security controls and achieve initial access on victim systems.
Detection Methods for CVE-2021-43890
Indicators of Compromise
- Suspicious execution of AppInstaller.exe from unusual parent processes or following email client activity
- Network connections to unknown domains using the ms-appinstaller: protocol handler
- Presence of recently installed MSIX packages from untrusted publishers or unknown sources
- Process spawning patterns consistent with Emotet, Trickbot, or Bazaloader malware families
Detection Strategies
- Monitor for ms-appinstaller: URI scheme invocations in browser activity and email attachments
- Implement endpoint detection rules for suspicious AppInstaller.exe execution patterns, particularly when spawned by browser or email processes
- Deploy network monitoring to identify connections to known malicious infrastructure associated with Emotet/Trickbot/Bazaloader campaigns
- Create alerts for MSIX package installations from non-enterprise sources or unsigned packages
Monitoring Recommendations
- Enable Windows Event logging for App Installer activities and MSIX package installations
- Configure SentinelOne to alert on suspicious process chains involving AppInstaller.exe
- Monitor for registry modifications to the ms-appinstaller protocol handler settings
- Track user-initiated package installations from email-originated links or attachments
How to Mitigate CVE-2021-43890
Immediate Actions Required
- Update Microsoft App Installer to the latest version which disables the ms-appinstaller protocol by default
- Review and disable the ms-appinstaller protocol handler if not required for business operations
- Implement email security controls to block or sandbox MSIX attachments and ms-appinstaller: links
- Conduct user awareness training on phishing attacks leveraging Windows App Installer
Patch Information
Microsoft has released updates to the App Installer that disable the ms-appinstaller protocol by default. Organizations should ensure they are running the latest version of App Installer from the Microsoft Store. The Microsoft Security Advisory for CVE-2021-43890 provides detailed guidance on obtaining the updated application. Additionally, Microsoft's security blog post on Financially Motivated Threat Actors Misusing App Installer provides comprehensive information on the threat landscape and recommended mitigations.
Workarounds
- Disable the ms-appinstaller protocol handler via Group Policy or registry modification
- Block MSIX file types at the email gateway and web proxy level
- Restrict App Installer functionality to administrator-approved packages only through enterprise policy settings
- Configure users with least-privilege accounts to reduce impact if exploitation occurs
# Disable ms-appinstaller protocol handler via registry
# Run in elevated PowerShell session
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" -Name "EnableMSAppInstallerProtocol" -Value 0 -PropertyType DWord -Force
# Verify the setting
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" -Name "EnableMSAppInstallerProtocol"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
