Forum Discussion

Copper Contributor

Dec 14, 2021

Solved

The ms-appinstaller protocol has been disabled.

I just found out that users can no longer install my MSIX from my website. This is a WPF application packaged with "Windows Application Packaging Project" (wapproj). When users click the "Get the app...

Aditi_Narvekar

Dec 15, 2021

bvenhaus Thank you for your question. We removed the ms-appinstaller custom scheme due to a security vulnerability. We do intend to bring this back, and are working on it. For now, you can update the link on your website by removing 'ms-appinstaller:?source='

<html>
    <body>
        <h1> MyApp Web Page </h1>
        <a href="http://mywebservice.azureedge.net/HubApp.msix"> Install app package </a>
        <a href="http://mywebservice.azureedge.net/HubAppBundle.msixbundle"> Install app bundle  </a>
        <a href="http://mywebservice.azureedge.net/HubAppSet.appinstaller"> Install related set </a>
    </body>
</html>

JayBeavers

Brass Contributor

Dec 15, 2021

This broke the installation and update process for my commercial Windows app overnight because some hacker used a legitimate, documented "this is how you publish Windows apps" to distribute malware?

How is this considered an acceptable mitigation?

I have a $3k Extended Identity certificate that I sign my installer packages with, but now it's illegitimate to install it because a malicious payload was discovered somewhere else?