Forum Discussion

bvenhaus's avatar
bvenhaus
Copper Contributor
Dec 14, 2021

The ms-appinstaller protocol has been disabled.

I just found out that users can no longer install my MSIX from my website. This is a WPF application packaged with "Windows Application Packaging Project" (wapproj). When users click the "Get the app...
  • Aditi_Narvekar's avatar
    Aditi_Narvekar
    Dec 15, 2021

    bvenhaus Thank you for your question. We removed the ms-appinstaller custom scheme due to a security vulnerability. We do intend to bring this back, and are working on it. For now, you can update the link on your website by removing 'ms-appinstaller:?source='

     

    <html>
    <body>
        <h1> MyApp Web Page </h1>
        <a href="http://mywebservice.azureedge.net/HubApp.msix"> Install app package </a>
        <a href="http://mywebservice.azureedge.net/HubAppBundle.msixbundle"> Install app bundle  </a>
        <a href="http://mywebservice.azureedge.net/HubAppSet.appinstaller"> Install related set </a>
    </body>
</html>

     

     

JayBeavers's avatar
JayBeavers
Brass Contributor

  This broke the installation and update process for my commercial Windows app overnight because some hacker used a legitimate, documented "this is how you publish Windows apps" to distribute malware?

 

How is this considered an acceptable mitigation?

 

I have a $3k Extended Identity certificate that I sign my installer packages with, but now it's illegitimate to install it because a malicious payload was discovered somewhere else?

  • JayBeavers's avatar
    JayBeavers
    Brass Contributor
    Dec 21, 2021

    The security team declined to investigate the issue, citing this thread as the official guidance.

    If you have a support channel through MSFT from your business, please open and escalate an issue.  It doesn't feel like the people engaged in this conversation realize the implication of their actions and I haven't yet found someone to take responsibility for fixing it.

    ---

    Received via email:

    Hello Jay,

    Thank you for contacting the Microsoft Security Response Center (MSRC). We appreciate the time taken to submit this issue.

    We are aware of the issue you have reported regarding the MSIX installer. While this issue doesn't meet the definition of a vulnerability that MSRC can help with, we are aware that the issue is being supported through the following resources:

    <"https://docs.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web"> -> "The ms-appinstaller scheme(protocol) has been disabled."

    and

    <"https://techcommunity.microsoft.com/t5/msix-deployment/the-ms-appinstaller-protocol-has-been-disabled/m-p/3038361"> where Aditi_Narvekar from Microsoft has replied.

    and you may also contact support for more information:

    Contact Us - Microsoft Support

    We have also shared your feedback with the engineering team who own the ms-appinstaller scheme(protocol).

    As such, this MSRC thread is being closed and no longer monitored. We apologize for any inconvenience this may have caused. More information on reporting a security vulnerability can be found at <"https://www.microsoft.com/msrc/faqs-report-an-issue.">

    Regards,

    Duncan 

    MSRC

Resources