• Tips for the week – what about the AppX vulnerability?



    (Note, we’re not ready to give the all clear for installing; this is just a post clarifying a particularly confusing update. More about the December up
    [See the full post at: Tips for the week – what about the AppX vulnerability?]

    Susan Bradley Patch Lady/Prudent patcher

    1 user thanked author for this post.
    • #2407017

      Susan wrote:

      “make sure you don’t click on attachments that you weren’t expecting”.

      I’m even paranoid and wary of attachments I *DO* expect.

      That’s why I manually run Malwarebytes Premium (is also umbrella), Avast Free, Microsoft Defender (is also umbrella) and SuperAntispyware Free on any attachments. If there’s still doubt in my mind, I’ll send it to VirusTotal.

      1 Desktop Win 11
      1 Laptop Win 10
      Both tweaked to look, behave and feel like Windows 95
      (except for the marine blue desktop, rgb(0, 3, 98))
    • #2407029

      Under Apps & features, I have Windows App Installer. Yesterday, I saw that Microsoft Store listed it for me to update and I did so. Is this one different from Windows AppX Installer?

    • #2407037

      They’re the same thing.

      The updated version with the fix is 1.16.13405.0 and gets installed via the MS Store not Windows update.

      2 users thanked author for this post.
      • #2407041

        Hi @alejr: Can you clarify? Then it’s NOT in the December Patch Tuesday CU (Dec 14, 2021 – OS Builds 19041.1415, 19042.1415, 19043.1415, and 19044.1415)? Or, alternatively, it’s not only in the patch but also available at MS-Stores as Windows App Installer/Windows AppX Installer?

        • #2407045

          I installed the Dec patch (KB5008212) first thing yesterday morning and, as of this morning at ~10 am EST, the App Installer was still listed as version 1.16.12653.0 (i.e. it had not been updated.)

          So I connected to the MS Store and checked for available updates and the App Installer was one of the 4 listed. I allowed the Store to update those 4 apps and the App Installer was updated to version 1.16.13405.0 (which contains the fix.)

            Note: MS Store on my PC is set to not automatically install updates.

          BTW, if you review Microsoft’s December 2021 Security Updates, there’s no mention of the App Installer so it’s really no surprise it’s not part of the patch.

          2 users thanked author for this post.
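The version check described in the post above, as an added example that is not part of the original thread: it compares App Installer versions against the fixed build 1.16.13405.0 quoted here, first on values posters reported and then on the local PC. The helper names `Get-VersionFromFullName` and `Get-AppInstallerStatus` are hypothetical; the live check assumes an elevated Windows PowerShell session.

```powershell
# Added example (not from the thread). Run in an elevated Windows PowerShell
# session: Get-AppxPackage -AllUsers requires administrator rights.
$FixedVersion = [version]'1.16.13405.0'      # fixed build quoted in the thread
$PackageName  = 'Microsoft.DesktopAppInstaller'

# Hypothetical helper: pull the version out of a package full name, laid out as
# Name_Version_Architecture_ResourceId_PublisherId (ResourceId is often empty).
function Get-VersionFromFullName {
    param([Parameter(Mandatory)][string]$FullName)
    $parts = $FullName -split '_'
    if ($parts.Count -ne 5) { throw "Unexpected package full name: $FullName" }
    [version]$parts[1]
}

# Hypothetical helper: compare one installed version with the fixed build.
function Get-AppInstallerStatus {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [string]$RegisteredFor = ''
    )
    [pscustomobject]@{
        Installed     = $Installed
        Fixed         = $FixedVersion
        Patched       = ($Installed -ge $FixedVersion)
        RegisteredFor = $RegisteredFor
    }
}

# 1. Offline: versions and a package full name quoted by posters in this thread.
Get-AppInstallerStatus -Installed '1.16.12653.0'
Get-AppInstallerStatus -Installed '1.16.13405.0'
Get-AppInstallerStatus -Installed (Get-VersionFromFullName 'MICROSOFT.DESKTOPAPPINSTALLER_1.4.3161.0_X64__8WEKYB3D8BBWE')

# 2. Live: every copy registered on this PC. Store apps are registered per
#    user, so different accounts can hold different versions.
$found = @(Get-AppxPackage -AllUsers -Name $PackageName)
if ($found.Count -eq 0) { Write-Warning "$PackageName is not installed." }
$found | ForEach-Object {
    Get-AppInstallerStatus -Installed $_.Version `
        -RegisteredFor ($_.PackageUserInformation -join '; ')
} | Sort-Object Installed
```

Any row with `Patched` set to `False` still needs the Store update, regardless of whether the December cumulative update is installed.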
          • #2407049

            I set the store to automatically update because I don’t use these applications. Like browsers, I recommend the store is set to automatic.

            Susan Bradley Patch Lady/Prudent patcher

    • #2407054

      Ref: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43890

      An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

      That executive summary excerpt indicates that this is a two-part vulnerability.
      Firstly, delivering a payload via email, e.g. ‘malicious attachment’.

      Secondly, opening and convincing the end-user to open the attachment via spoof email, all whilst using admin rights... yeah right!

      Do a Parity check before opening ANY emails with attachments

      I think there is more to this than meets the eye with restricting consequences all in the name of so-called security with alternative intentions.

      Mitigations are and were already in-place here regardless so good luck with that…

      No problem can be solved from the same level of consciousness that created IT- AE
    • #2407108

      The problem with this approach from Microsoft is that in a lot of corporate environments, the Store is blocked so that users can’t install non-approved apps.

      No matter where you go, there you are.

      1 user thanked author for this post.
    • #2407113

      Ok. I’m confused.

      In my Apps & features, the App Installer is listed as version 1.4.3161.0. Revo Uninstaller shows it as installed on 1/2/2021 and listed as MICROSOFT.DESKTOPAPPINSTALLER_1.4.3161.0_X64__8WEKYB3D8BBWE

      I don’t have an MS account. I don’t use the Microsoft Store at all. I opened the Store (for the first time in years!) but the App Installer isn’t even listed for me on the Store. I clicked on the get updates button anyway, which resulted in “All your trusted apps and games from Microsoft Store have the latest updates.”  However, my version of the App Installer remains the same.

      The GPO description for AllowAllTrustedAppToInstall on the MS CVE 2021 43890 page seems confusing too. I have no plans to sideload any apps so would enabling this group policy actually restrict apps to only those from the Store?

      EDIT: Of course! My Windows Update is disabled via WUB.exe. Doh! 🙄 Still, having security updates only available via the Store seems a bad move on MS’s part.

      EDIT2: App Installer now updated via the Store without an account – along with six other “apps” that were part of the OS when originally installed. If it comes as part of the OS as installed, I feel it should be serviced and patched via Windows Update – at least in a sane world.

      Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

      1 user thanked author for this post.
    • #2407132

      UGH. Another Microsoft mess. I read this thread and opened Microsoft Store app. I hate the thing but I have an iPhone and Apple watch and I can no longer update iCloud for Windows directly from Apple but am forced to use the Microsoft store which I last used on December 3 to fix iCloud for Windows. Store worked properly that day and I got iCloud fixed.

      Well, Microsoft Store is currently a mess which I learned when I opened it today. In the past, it has always shown WHICH MICROSOFT ACCOUNT I am logged into when I open the store. That information is shown in the upper right corner and was there on Dec 3 when I had last used the store. Now, there is nothing in the upper right corner and there is no way (that I can find) to see which MS account I am logged into on the Store, or if I am not logged into any and need to login, or if I want to switch Microsoft Accounts.

      I repaired the Store app as per what Microsoft says to do if there are problems with the app. That did not give me back any information regarding my login status. The store does say my apps are all up to date and even lists one as purchased in 2018 but I never purchased it! All I did was try it and then uninstalled it and I have never seen it listed as a “purchased” app until today!

      I did manage to learn that somehow all but one of my three Microsoft accounts had been deleted and that is weird because no one else uses this computer and I didn’t delete any MS accounts. I set up again one of the “deleted” ones and had to go through every setting so there was no retained memory of that MS account. I suspect though that this situation may have to do with my trying unsuccessfully for many hours over multiple days to get rid of the “default” email address Microsoft has for me. I rarely keep any email address for long and got rid of this particular one many months ago yet Windows 10 insists it is my Microsoft address.

      I have App Installer version 1.16.12986.0 and I have NOT been offered a newer version while using Microsoft Store today.

    • #2407140

      there is no way (that I can find) to see which MS account I am logged into on the Store,

      You just click on the profile upper right corner and can see the account you are logged in.

    • #2407165

      You just click on the profile upper right corner and can see the account you are logged in.

      The MS Store is completely MISSING, I just discovered, on my other (Windows 8 Pro) computer. Plus, my Microsoft Authenticator app on my iPhone is messed up suddenly also and I have only one time today had the login for the MS Store done correctly using the Authenticator app on Windows 10 Pro and, of course, I can’t see if it works on logging into the MS Store on the Windows 8 Pro computer since the store is completely missing on it and when I try to download and install the Store app on that computer I get a PDF Microsoft terms agreement popping up on Evince app that I use for PDFs and I can’t download the missing MS Store app for that computer.

      As for clicking on the profile upper right corner on Windows 10 in MS Store, that’s part of the problem I noticed today. There is nothing in the upper right corner when in Microsoft Store! It used to be as you describe and show in your screenshot but I don’t have that now. I’m very persistent and that trait is the only reason I finally found the profile for MS Store in Windows 10. There is a TINY, FAINT spot and looks sort of like the bottom half of a small circle located several inches to the left of the right edge of the window near the top when in the MS Store. I tried clicking on that faint whatever and it was my profile!

      That’s obviously something wrong with Microsoft Store on my Windows 10 Pro as my profile should not be behind a faint sliver of what looks like the bottom of a small circle which is not even in the upper right corner! It could be that the feature update to 21H2 on November 16 caused this problem.

    • #2407168

      It could be that the feature update to 21H2 on November 16 caused this problem

      I am on Windows 10 Pro 21H2 with December CU.
      Never had a problem with my profile on Microsoft store (all other store apps have been removed). I keep the store app as it is difficult to restore and I need the store for my iCloud app updates.

      How to Restore the Windows 8.1 Store App So It Functions Normally Again

      Do the same for Microsoft store app on your Windows 10.

    • #2407191

      They’re the same thing.

      The updated version with the fix is 1.16.13405.0 and gets installed via the MS Store not Windows update.

      Windows Update MUST be enabled to install from Microsoft Store so the store is not updating anything…Windows Update is doing it. This is probably why I am not offered the current version of App Installer. It is not installed by Microsoft Store rather by Windows Update. I use Win Aero Tweaker and keep Windows Update disabled in it. I cannot get anything from Microsoft Store until I disable the tweak to keep Windows Update disabled. If the Store was installing stuff then I could keep Windows Update disabled and still install from the Store but that is not possible.

      1 user thanked author for this post.