Forum Discussion
The ms-appinstaller protocol has been disabled.
- Dec 15, 2021
bvenhaus Thank you for your question. We removed the ms-appinstaller custom scheme due to a security vulnerability. We do intend to bring this back, and are working on it. For now, you can update the link on your website by removing 'ms-appinstaller:?source='
<html>
<body>
<h1> MyApp Web Page </h1>
<a href="http://mywebservice.azureedge.net/HubApp.msix"> Install app package </a>
<a href="http://mywebservice.azureedge.net/HubAppBundle.msixbundle"> Install app bundle </a>
<a href="http://mywebservice.azureedge.net/HubAppSet.appinstaller"> Install related set </a>
</body>
</html>
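The link change described in the reply above, applied to a whole page, as an added example that is not part of the original thread. The function names and the `tenant` parameter in the constructed sample are hypothetical; links with no usable `source` are left untouched and reported, and any extra parameters (which a direct link does not carry) are listed for review.

```python
import html
import re
from urllib.parse import unquote

# href attributes whose value uses the ms-appinstaller scheme (any letter case).
HREF_RE = re.compile(r'''(href\s*=\s*)(["'])(ms-appinstaller:[^"']*)\2''', re.IGNORECASE)


def split_appinstaller_uri(uri):
    """Return (source_url, other_params); source_url is None if no http(s) source."""
    _, _, query = uri.partition("?")
    source, others = None, {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        if key.lower() == "source" and source is None:
            source = unquote(value)  # tolerate a percent-encoded source URL
        else:
            others[key] = unquote(value)
    if source is None or not source.lower().startswith(("http://", "https://")):
        return None, others
    return source, others


def rewrite_links(page):
    """Rewrite ms-appinstaller hrefs to direct links; return (new_page, report)."""
    report = []  # one (original_value, direct_url_or_None, dropped_params) per link

    def swap(match):
        prefix, quote, raw = match.groups()
        source, others = split_appinstaller_uri(html.unescape(raw))
        report.append((raw, source, others))
        if source is None:
            return match.group(0)  # leave the link as-is for manual review
        return f"{prefix}{quote}{html.escape(source, quote=True)}{quote}"

    return HREF_RE.sub(swap, page), report


# Constructed sample page: hosts are the thread's example URLs, 'tenant' is made up.
SAMPLE = '''<a href="ms-appinstaller:?source=http://mywebservice.azureedge.net/HubApp.msix"> Install app package </a>
<a href='MS-AppInstaller:?source=http%3A%2F%2Fmywebservice.azureedge.net%2FHubAppSet.appinstaller&amp;tenant=42'> Install related set </a>
<a href="ms-appinstaller:?src=oops"> Broken link </a>'''

if __name__ == "__main__":
    new_page, report = rewrite_links(SAMPLE)
    print(new_page)
    for original, direct, dropped in report:
        print(original, "->", direct, "dropped:", dropped)
```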
- JayBeavers, Dec 15, 2021, Brass Contributor
Aditi_Narvekar could you please restore this functionality ASAP? This was a major sweeping break of what must be thousands of apps, if not more.
If the issue is unsigned apps using ms-appinstaller and carrying a malicious payload, please mitigate by disabling unsigned apps. If the issue is an EV certificate signed app using ms-appinstaller and carrying a malicious payload, please use certificate revocation to address the vulnerability.
I switched my application to use MSIX and an EV certificate because this is the best practice and most up to date tooling (via Visual Studio) for distributing a Windows app outside of the MS Store. This action has revoked, without notification, the proper way to securely distribute non-public Windows apps.
The cure is more harmful than the disease in this case.
- 27k1isms, Dec 16, 2021, Copper Contributor
I wonder if Aditi_Narvekar understands the implication for Microsoft customers with this issue? It would also be good for a reply to Jay Beavers' request.
It leaves our customers in a vulnerable situation by not being able to receive security updates to the framework; downloading the app is not a viable option. Please restore this protocol ASAP, we will all be losing business caused by this issue.
- Grufus, Dec 15, 2021, Copper Contributor
Aditi_Narvekar Do you have a timeframe on when it will come back?? Removing the ms-appinstaller prefix doesn't really work as it then asks the user to download the file. Once downloaded they have to choose to run it, which is a complete deviation from what ms-appinstaller did. Also you cannot pass parameters on to the application with a direct link; ms-appinstaller allowed for that. Unfortunately this has completely brought down our distribution system.
- ernie, Dec 21, 2021, Copper Contributor
Aditi_Narvekar Could you provide us any additional information on this? This has serious implications on how we distribute certain apps.
Can you at least confirm if it will eventually be restored? I understand if you cannot provide a timeline yet, but we would like to know so we can plan accordingly. I would hate to go through the trouble of implementing an alternative (albeit less effective) approach only to have it restored shortly afterwards.
Thanks.
Ernie
- JayBeavers, Dec 21, 2021, Brass Contributor
I've now opened a business support ticket on this from my company's support contract and set it to Sev-A, Critical Impact. I'll post here if I get traction.
- Aditi_Narvekar, Dec 21, 2021, Microsoft
Hi all,
To confirm, yes, we do plan on correcting this. I know the team is working on bringing it back, but don't have a date for this yet.
- hrb-2, Jan 25, 2022, Brass Contributor
@Aditi Now it has been more than a month - should MS be providing some updates on this issue???
It now has over 14,000 views - given how specific the issue is, it would seem unlikely these are accidental occurrences, and the impact is growing and being noticed. It is bad enough that the temporary fix of just cutting everyone off is most likely worse than the disease, but not informing folks of any progress on a fix implies a complete lack of progress and caring about the problems your customers are facing.