A bunch of apps will be able to bypass Microsoft's new store and use own update methods

Microsoft has a new app store coming to both Windows 10 and 11, but some applications will use their own update mechanisms, raising security and user experience concerns. When Microsoft introduced Windows 11, the company confirmed there would be a new Microsoft Store, backported also to Windows 10, in which all the content is …

  1. Anonymous Coward
    Anonymous Coward

    More AC than Chicken shack

    in which all the content is "tested for security, family safety and device compatibility."

    Curious, I wonder what ‘tested’ means in this context and who pays for the testing and most importantly how do they pay for that testing. Excuse me if I’m unconvinced.

    1. stiine Silver badge
      Paris Hilton

      Re: More AC than Chicken shack

      If any of them were tested for 'my' family's safety, then the rest of you should skip them.

      She'd be the least of your children's worries...

  2. Dan 55 Silver badge
    Pirate

    What could possibly go wrong?

    Brown showed how developers can submit a classic setup application in .exe or .msi format, located on the vendor's own infrastructure, but with a promise that "once submitted, the binary at the provided URL must not change." It must also be a complete installer, not a downloader for another install package. The installer also has to run in silent mode.

    And of course if the developer goes bust there's no chance of their domain getting nabbed by a ne'er-do-well.

    1. LosD

      Re: What could possibly go wrong?

      I'd expect a certificate to be involved, so that won't pose a risk.

      1. Anonymous Coward
        Anonymous Coward

        Re: What could possibly go wrong?

        Gee, I grab the domain; ten minutes later I have a cert...

        1. teknopaul

          Re: What could possibly go wrong?

          Validating that content has not changed is trivial, no need for SSL; a simple SHA256 will suffice.

          1. Michael Wojcik Silver badge

            Re: What could possibly go wrong?

            I'm really not sure what problem you think you're solving, but it's not this one.

            Software developer X goes out of business. Attacker purchases X's domain name (X.com or whatever). Attacker publishes an "update" of X's software product Y on the new X.com.

            Attacker can, for bonus points, get a certificate with a suitable subject DN and sign the update to Y. There are plenty of ways to do that, once attacker owns X.com. It could be a DV certificate with the wrong EKU, or an OV certificate issued to another organization name but with "X.com" stuck in it somewhere so it looks valid to users, or even an EV certificate for a different organization – the EV process is not hard to subvert (just a bit expensive).

            A bare cryptographic hash (of what? from where?) does nothing to reduce this risk.

            Also, code signing has nothing to do with SSL or TLS. They both happen to use X.509 certificates in some cases (not all TLS suites use certificates; neither do all code-signing systems), but aside from that they're unrelated.
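The thread above turns on two separate things: the store rule quoted earlier that "the binary at the provided URL must not change", and the suggestion that a SHA256 check is all that is needed to enforce it. The following is an added example, not code from any commenter, Microsoft or The Register, showing what that check actually looks like on the store side: the hash is pinned at submission time and every later fetch of the same URL is compared against the pin. The vendor URL and the installer bytes are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample "installer" bytes: a stand-in for the .exe/.msi a vendor
# hosts at the submitted URL. Not a real installer.
ORIGINAL_INSTALLER = b"MZ\x90\x00 constructed sample installer v1.0 " + bytes(range(256))

# A re-hosted copy that differs in a single bit of the last byte: the kind of
# change a visual or size-based comparison would miss.
_tampered = bytearray(ORIGINAL_INSTALLER)
_tampered[-1] ^= 0x01
REPLACED_INSTALLER = bytes(_tampered)


def sha256_of(data: bytes, chunk_size: int = 64 * 1024) -> str:
    """Hash in fixed-size chunks, as one would for a multi-GB download."""
    h = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


class SubmissionPins:
    """Store-side record of the hash of the binary seen at each submitted URL."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def record(self, url: str, submitted_bytes: bytes) -> str:
        """Pin the bytes fetched at submission time and return their digest."""
        digest = sha256_of(submitted_bytes)
        self._pins[url] = digest
        return digest

    def verify(self, url: str, downloaded_bytes: bytes) -> bool:
        """True only if a later download of the same URL matches the pinned digest."""
        expected = self._pins.get(url)
        if expected is None:
            return False  # never submitted: nothing to compare against
        # compare_digest avoids leaking where the two digests first differ.
        return hmac.compare_digest(expected, sha256_of(downloaded_bytes))


def demo() -> Dict[str, bool]:
    """Run the three cases a reviewer would want to see."""
    pins = SubmissionPins()
    url = "https://vendor.example/setup.msi"  # hypothetical vendor URL
    pins.record(url, ORIGINAL_INSTALLER)
    return {
        "unchanged_binary_accepted": pins.verify(url, ORIGINAL_INSTALLER),
        "one_bit_change_rejected": not pins.verify(url, REPLACED_INSTALLER),
        "unsubmitted_url_rejected": not pins.verify("https://vendor.example/other.msi", ORIGINAL_INSTALLER),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ok' if ok else 'FAIL'}")
```

What the pin buys is narrow: it binds a URL to the exact bytes the store saw at submission, so a swapped binary at that URL is detected. It says nothing about who controls the host later, and nothing about updates the application fetches on its own after installation, which is the scenario the comments above are worried about.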

        2. Michael Wojcik Silver badge

          Re: What could possibly go wrong?

          DV certificates should not be acceptable for code signing. Specifically, it shouldn't be listed in their EKUs. But I don't know how many DV-issuing CAs set the EKU correctly, or whether Authenticode claims or enforces such a restriction.

          In any case, I agree that once a malefactor gains control of the domain they'll almost certainly be able to push signed malicious updates to many customers. It's a bit harder with kernel-mode code since that has to go through the Microsoft Partner Portal and that still requires an EV certificate (not for signing code directly – the process is a bit convoluted – but EV is involved). But, of course, if a defunct organization is purchased by an attacker, there's nothing to stop that purchaser from getting an EV certificate in the organization's name.

  3. cornetman Silver badge

    It seems to me that it would have been wiser to restrict the store to applications that can be updated through the store.

    Many people these days have certain expectations of app stores. By doing what they've done, they have made the situation confusing.

    It cannot surely be *that* difficult for an application vendor to repackage their application to use the new MSIX format for the store. I would imagine that it is similar to packaging for both RPM and DEB, perhaps a bit of a pain to set up, but once done, it is a mundane maintenance task.

    1. Dan 55 Silver badge

      It looks like they're trying to lower the bar again since nobody jumped it when they lowered it last time.

    2. teknopaul

      Customers have become accustomed to paying 30% extra for all apps and have (seemingly) lost interest in alternatives.

      It's amazing how fast people can be persuaded to put up with "the new normal" no matter how much their freedoms are restricted.

  4. Anonymous Coward
    Anonymous Coward

    Does that mean I can submit e.g. a Linux installer, which will (among other things) suggest erasing a previously installed Windows system?

    If not, why not? it's definitely "tested for security, family safety and device compatibility."

    1. katrinab Silver badge
      Trollface

      You could submit a WSL distro to the store, and then push an update that enhances the experience by installing it natively.

      1. elsergiovolador Silver badge

        I hope someone actually does it.

    2. teknopaul

      Don't see why not.

      It would save downloading Firefox to download Ubuntu.

  5. JWLong Silver badge

    App Stores

    All the app store operators are scurrying for the corners like cockroaches in a brightly lit room.

    They must be seeing the writing on the wall that's coming from the Epic/Apple battle of earlier this year.

    Ever notice that thieves come in droves, and when they do the sheriff goes on a drinking binge?

  6. <BLINK/>

    All of the obscurity, none of the security

    Worst of both worlds

  7. Anonymous Coward
    Anonymous Coward

    Just a setup.exe on a website will do.

    Actually, if Microsoft just provided me with a public www directory to which I can upload exe installers, Linux deb/rpms and macOS dmgs, that would be useful. They can keep the rest of that silly store crap, however.

    1. Michael Wojcik Silver badge

      For Windows, ship MSIs, not EXEs. Stefan Kanthak will happily explain why.

  8. Anonymous Coward
    Anonymous Coward

    Microsoft need to offer some reason why devs would use their store

    MS: Hey, developers! Use our store! You can keep 70% of your app revenue!

    DEVS: Er, can't we just put it on our website and keep 100%?

    MS: And you don't have to use UWP any more! You can keep 70% of your app revenue!

    DEVS: Nah, I'm good with 100%

    MS: It has auto updating and you can keep 85% of your app revenue!

    DEVS: 100% still better.

    1. localzuk

      Re: Microsoft need to offer some reason why devs would use their store

      A lot of developers will gain a bit of visibility by being on the store. Finding good windows software is often pretty tough going via search engines.

      1. Michael Wojcik Silver badge

        Re: Microsoft need to offer some reason why devs would use their store

        Is it? I've been using Windows since "search engine" meant "archie" (alas), and I've never had a problem.

        I mean, what constitutes "good [W]indows software" is debatable, but for the rare occasions when I couldn't find something that was good enough, I'm dubious any Microsoft "app store" would have had anything better. Certainly that hasn't been my experience with any other app store.

  9. cookieMonster Silver badge
    FAIL

    Microsoft & Windows

    It’s like a Groundhog Day train wreck.

    Why can they not get anything right?

    Copy Apple for fuck's sake, it won't be invented in Redmond, but fuck it, it might actually be useful!!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: Microsoft & Windows

      Copy Apple? That's the problem, not the solution. The solution: nuke the store. Problem solved.

  10. Anonymous Coward
    Anonymous Coward

    Perfect attack vector

    So let me get this straight...

    "For those apps "packaged as a Win32 App," the terms state that "end users will not be able to receive updates from the Store. Apps can be updated directly by you via your app that is installed on a Windows Device after download from the Store."

    So find an app used by your targets (with MS guaranteeing app security to the users for you :), identify the subset of users you want to target, compromise the app update infrastructure, roll out a silent update to the identified targets, and then clean up after yourself. REALLY? That's the latest in secure app distribution from MS?!?

    1. elsergiovolador Silver badge

      Re: Perfect attack vector

      Why all the hassle if you can just use print spooler?

      1. NetBlackOps

        Re: Perfect attack vector

        ‘Cause supply chain attacks are kewl!

      2. Michael Wojcik Silver badge

        Re: Perfect attack vector

        PrintNightmare? So last week. PetitPotam is what all the kids are using these days.

  11. Alumoi Silver badge

    The installer also has to run in silent mode

    Oh, really? Like a virus or something?

    No freaking way! I expect at least the courtesy of a big freaking message saying 'Hey, I'm just going to install an update which will change your settings, remove useful features and activate more telemetry. But hey, rounded corners!'

  12. elsergiovolador Silver badge

    Window Store

    I think I used it to install some app and I to this day don't know whether it has installed or not.

    Oh and to get WSL 2 working.

    I am not sure what the fuss is about. I think Microsoft should be pushed so that the Store and other junk apps can be uninstalled without "unintended" consequences.

  13. LenG

    Why bother?

    I've never used the MS Store. I doubt I ever will.

    1. MJI Silver badge

      Re: Why bother?

      What MS Store?

      Just checked and so far I can get Ebay and Amazon via web and for games, so far Steam.

      So again what MS Store?

      1. Boothy

        Re: Why bother?

        I've used the store twice I think so far.

        Once to give WSL a go, and the other was for an AAA game (can't remember which atm).

        The game was a freebie a little while back, came as a PC digital bonus with a new Ryzen (Zen 2) CPU I bought. So only choice was install via the Store, or just don't install.

        Biggest annoyance I noticed with Store items is no direct control over where things install to. Basically mimicking a mobile device. Everything went on the C: drive by default, and it was a global OS setting to change this, not a Store setting, and not for individual 'apps'.

    2. Anonymous Coward
      Anonymous Coward

      Re: Why bother?

      This is a locked down company machine and the mantra is "thou shalt not download programs except from the company store" (so they control security/compatibility/updates/licensing)... but it comes with MS Store!

      They haven't even tried to hide it... it's on the taskbar and on the start screen (or it was until I hid it)

      (never used it here or at home... why install another ad-slinger 'free' version)

  14. Blackjack Silver badge

    Yet another reason to not use Windows, I lost count by now.

  15. Bubba Von Braun

    The future is already here

    MSFS2020 seems to be using this model. My only interaction with the "Store" is for MSFS 2020, and what a debacle that has become... In-game updates that won't apply... After today's Sim Update I am done with it... Either be a monopolist or get out of the devs' way and let them accept responsibility for the install and updates just like the good old days :-)

  16. sabroni Silver badge
    Facepalm

    And if they'd forced clients to use their update mechanism?

    Fucking Walled Garden Bastards!!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: And if they'd forced clients to use their update mechanism?

      No. Criticising walled gardens is to do with companies stopping or restricting the ability for people to distribute software OUTSIDE the store. If that was easy, no-one would care that an app installed from the store could only be updated via the store, in fact, most would agree that that is a good thing.

  17. Nifty

    I once installed a program from the MS app store, then wanted to troubleshoot it by having a look at its config and temp files and maybe try clearing them down. Found it was impossible to access them: hidden location, no permissions etc. Uninstalled it and reinstalled from a downloaded MSI file. Still unsure if uninstalling an app store program cleans up its config and user files cleanly.

    1. Boothy

      Ah yes, I'd forgotten about that. I'd installed a freebie AAA game I got (see other post).

      Wanted to move it to a different drive than C: (large game), and lots of Googling and hunting around, and just yuck.

      Seemed like such a horrible way to manage installs! Let's not just fix it to one drive (can be changed, but only by a global OS setting), but let's also hide it somewhere the owner of the system can't easily get into!

    2. Anonymous Coward
      Anonymous Coward

      Yeah, as you know, that's how it is on the mobile OSes - MS would like to get the same levels of PC lockdown as the mobile OSes enjoy.

      They know though that they can't just "disable admin" overnight.

  18. Omnipresent Bronze badge

    I'm sorry, I couldn't remote today...

    My computer was busy with third party updates, and tomorrow is patch Tuesday. How about we make it Friday @ 3 pm?

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm sorry, I couldn't remote today...

      Shortly after starting a Teams meeting yesterday:

      Chat from ABC: "PC is forcing me to restart!"

      ABC: Now shows as off-line.

      Someone else on audio: "Hmm, looks like we've lost ABC"

      5 minutes later, ABC returns to the meeting.

      ABC: "Sorry about that"

      Audio again: "Welcome back, this seems to be the new norm!"

  19. Boothy

    Store install location

    Have they ever improved the install location for the MS Store downloaded/installed items?

    I've used it for messing with WSL2, and also for a freebie AAA game that came with my then new Zen 2 Ryzen CPU.

    The game was a 40+GB install, and the Store gave no options for installing to a different drive other than C:

    When I looked into it, there was a setting that could be changed, to use a different drive for 'app' installs, but this was a Windows OS setting, and directed all Store 'apps' to be installed to that location.

    This completely put me off ever buying (or even getting free 'apps'), via the MS Store. I'd like to be able to install things to a drive of my choice, on an app by app basis.

    Personally I always have a minimal boot/C: drive (fast M2), that has an image backup (tested). A document drive (file backup). Then everything else goes on separate drives (other M2s, or cheaper 2.5 SSDs), which are not backed up, but can be easily re-built by just installing the 'apps' again.

    So unless they add some mechanism to control the install location for each individual 'app' separately, I can't see me ever using the Store. (I've no issue with there being a default, as long as you can 1. set this yourself, and 2. override it on individual app install.).

  20. Anonymous Coward
    Anonymous Coward

    MS - untrusted since FTDIGATE.

    See title !

  21. steviebuk Silver badge

    Store

    Bollocks. Hate the shitting Windows Store. Several Windows 10 releases ago one release appeared on a few machines at work. But how? All updates are done by WSUS and we don't allow new builds until tested. Turned out that, despite WSUS being on and Windows updates only coming from there, if the Windows Store was allowed there was/is a fucking button in there that you can click to bypass everything, even WSUS, and do a new release update.

    Store has been disabled ever since.
