Microsoft kills off Windows app installation from the web, again

Microsoft has disabled a protocol that allowed the installation of Windows apps after finding that miscreants were abusing the mechanism to install malware. The move came just before Christmas, and seemingly mimicked issues first reported in December 2021, to address a Windows AppX Installer vulnerability (CVE-2021-43890) in …

  1. David 132 Silver badge
    Facepalm

    To be fair to Microsoft…

    …no-one, absolutely no-one, could have foreseen that a mechanism for allowing arbitrary web pages to silently and automatically install applications on user PCs might be abused. That would call into question the integrity of the world’s CAs, and if you can’t trust CAs, who can you trust?

    Oh, sorry, forgot my <sarcasm> tags there.

  2. Gene Cash Silver badge

    "from a trusted certification authority"

    Would be nice to know who they were, so I could remove them from my certificate repository.

    Are they honestly not going to get any blowback from this?

    "Yeah, we vetted 'em... their check cleared."

    1. Lee D Silver badge

      Re: "from a trusted certification authority"

      What's the CA got to vet?

      Every piece of software signed with that key? That's totally unrealistic.

      Every company who requests such a key? They already do - they know exactly who bought that key.

      Every rogue former-employee who had access to the key using it to sign malware? How can you police that as a CA?

      Or should they remove the entire company's certificate which signs thousands of pieces of software because of one signed piece of rogue software? I'm inclined to say yes, but you can see where that could be a problem (e.g. revoking all of Adobe's keys or Microsoft's or even a small indie game company's).

      It's not the CA's problem. All they're doing is providing a signed certificate, they can't sign off on literally everything that certificate itself ever signs, in perpetuity. All they're doing is saying "Yep, that was definitely signed by company X".

      If Company X has lax security around their keys, that's their problem. If Company X accidentally signs something they shouldn't, that's their problem. If Company X was designed to appear legitimate but then go on to sign things they shouldn't, that's their problem and risks the CA revoking their entire certificate but far more likely - those individual signed packages will be blacklisted way before that happens.

      Fact is, trusting a piece of software because the user once trusted an earlier piece of software from the same company is a DUMB IDEA. Trusting a piece of software just because it has been code-signed is a DUMB IDEA. Trusting everything that a key signs without question is a DUMB IDEA, even a Microsoft key.

      Code-signing isn't about certifying every byte as a safe instruction. It's about accountability. We trusted X. X made this happen. We no longer trust X.

      But you and I will have very different ideas on what X or Y we want to trust, or indeed have to to operate our business, and what happens to everything that X ever signed if X signs a small package on the other side of the world that it shouldn't have. I'd really rather my networks didn't collapse instantly because everything stops working because someone signed a script that someone else mistook for malware.

      I've had that because of a code-signing certificate inside a Java JAR inside a piece of UPS software installed on a server. That certificate expiring was literally enough to bring down thousands of customer networks instantly with no obvious cause whatsoever (the UPS software occupied 100% CPU and prevented any analysis or investigation, even in safe mode).

      CAs and code-signing aren't for software-whitelisting on a global scale.

      They're a tiny part of such a system, in which it is an incredibly bad idea to revoke entire company's certificates (and hence why Microsoft has to "work with" CAs to see what they can do).

      The CA is merely certifying "Yep, Company X signed that software". Whether that software is bad, whether specific users, company, browsers, operating systems or anything else should actually trust that software, or whether that software has been compromised is none of their business.

      The only thing that really should be taken into consideration for them is "Is this certificate so false / misused / compromised that we should revoke anything ever made by it?" which is a huge decision and not to be taken lightly.

      1. Michael Wojcik Silver badge

        Re: "from a trusted certification authority"

        Every rogue former-employee who had access to the key using it to sign malware? How can you police that as a CA?

        To be fair, the Code Signing Working Group proposed some years back that all CAs conforming to the CA/BF Basic Requirements would have to issue code-signing certificates only when they had proof, or at least attestation, that the private key was in a FIPS 140-2 Level 2 or better HSM. While not bulletproof, that would at least provide some evidence that code signing could not be done by any random employee, and the associated private keys couldn't just be kept in a file alongside source or some such thing.

        Microsoft originally said they were going to adopt that recommendation (I think this was around 2018?), but backed off when developers complained that it was too onerous. (FIPS 140-validated HSMs are expensive for small shops, and larger shops would typically need ones that support key distribution, which are even more expensive.)

        I've forgotten what the current state of this is, because we moved to keeping the code-signing keys in HSMs years ago, with a fairly elaborate and locked-down signing pipeline. (Internal builds are signed with an internal-only key and certificate issued by our own CA, so developers don't have access to production signing with the commercial-CA-issued certificate.)

      2. Mike Pellatt

        Re: "from a trusted certification authority"

        You've just described, in about 20 paras, why PKI is broken, in this case for code signing, but it's not its only brokenness. By a long chalk.

        1. Mike007 Bronze badge

          Re: "from a trusted certification authority"

          PKI is working correctly when it tells you that you are at the real amazon-shop.com

          PKI is working correctly when it tells you that a program is from the "Trusted Signer" called "Totally-not-a-company-I-paid-£20-to-establish-in-a-fake-name-to-get-a-cert Ltd"

  3. Yorick Hunt Silver badge
    Mushroom

    In other news...

    Local government decrees that the front door on every house must be left unlocked because a couple of the councillors' close friends were expecting visitors and couldn't be bothered getting off their arses to answer the doorbell.

    Why is it always the lowest common denominator that gets catered to? The IT world was a much better place when it was inhabited exclusively by eggheads; nobody back then prioritised changing the colour of a UI element over improving its functionality.

    Maybe M$ should simply have an "I'm an idiot" tickbox at installation time, the result of which Windows can use to determine whether such "conveniences" are enabled or disabled by default.

    1. Alumoi Silver badge

      Re: In other news...

      Why is it always the lowest common denominator that gets catered to?

      They vote as they are told.

      Maybe M$ should simply have an "I'm an idiot" tickbox at installation time, the result of which Windows can use to determine whether such "conveniences" are enabled or disabled by default.

      Care to bet they will install every crap under the sun if you tick that box? For your convenience, of course. And, if you don't tick it, they will install it anyway, for your convenience.

      1. MrDamage Silver badge

        Re: In other news...

        Microsoft: We're not happy until you're not happy.

    2. froggreatest
      Gimp

      Re: In other news...

      They are so focussed on their enterprise customers and usability of the legacy workarounds there is no resistance to some requests. Imagine VP asking you to enable this, just think of the promotion, bite the teeth, lalala.

  4. ldo

    How Come Microsoft Can’t Get It To Work?

    Linux distros have been doing signed package repositories for years, with good results. Why can’t Microsoft manage the same? Is it because proprietary software developers can’t be trusted?

    1. Anonymous Coward
      Anonymous Coward

      Re: How Come Microsoft Can’t Get It To Work?

      It's likely because Linux distros repositories are extremely centralized by default compared to the way Windows apps are distributed.

      And when you get out of those known repos, the situation is hardly better.

      I had words with very well known security software companies who were telling me to install unsigned RPMs of their expensive products, for example.

      1. ldo

        Re: How Come Microsoft Can’t Get It To Work?

        You do know that all the major distros allow the addition of third-party repos to the package-management system, right?

        1. Joe W Silver badge

          Re: How Come Microsoft Can’t Get It To Work?

          The AC above likely does know.

          The bloody software company doesn't, apparently.

    2. fajensen
      Pint

      Re: How Come Microsoft Can’t Get It To Work?

      They can. It's just Market Segmentation Rulez making it appear that they can't. Most people will run some "consumer thrash" Windows, where nothing of the good stuff really works.

      Enforcing known repositories, signed applications and keeping a curated set of "Bad Boys" out, is being sold as a premium Windows feature, reserved for "enterprise" licenses.

      One can install "Applocker" on any Windows >= 10 and hack the configuration locally, but it really needs quite a bit of Windows Server infrastructure to manage it in practice. Another possibility is using "Windows Defender", which seems to be more geared towards Windows 365 (to keep things balkanised as they should be :). It is not an easy job, these tools are not for the eyes of average PC-users, but they do work.

      I initially researched this while trying to find a proper way to keep "snap.do" off my teenagers' computers.

  5. trindflo Bronze badge
    Flame

    This has proven to be a popular feature, according to Microsoft

    Popular with who? Microsoft? They're the ones constantly installing apps I never asked for all over my enterprise.

    1. David 132 Silver badge

      Re: This has proven to be a popular feature, according to Microsoft

      Popular with the vendors of the shovelware shite that Microsoft push unwanted onto people’s desktops.

      “Another piece of crap that is paying us commission dollars just got installed! Check it out!”

  6. joed

    M$ always leaves barn door open for "business"

    On one hand how nice of M$ to not require signing apps by their own CA (for a fee of course), on the other hand how the hell did they allow zero touch installs of all appx packages instead of restricting them to ones signed by a specific CA (as defined by a group policy pushed by a business that cared for this sort of app deployment)?

    1. Richard 12 Silver badge
      WTF?

      Re: M$ always leaves barn door open for "business"

      It seems they're just permitting everything signed by anyone that has a trust chain back to a trusted root CA.

      So all it takes for a miscreant to distribute malware this way is to get a signing cert from a single company anywhere in the world.

      Then MsAppInstaller will silently compromise entire corporate networks, automatically.

      They really don't think at all, do they.

      1. fajensen

        Re: M$ always leaves barn door open for "business"

        From Microsoft's perspective, it doesn't affect anyone important at all. The developers just picked the most cost efficient way to implement an important feature (and created a selling point for "bigger" licenses :). We've got to remember that the 2-3 corporates who probably asked for this feature, and were big enough to get it, are also very likely to have their policies tuned up and bummed into perfection. So, it works for them.
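The difference Richard 12 and joed are arguing about, "anything chaining to a trusted root" versus "a pinned publisher plus per-package blocking", as an added toy model that is not code from the thread or from Microsoft. Certificates are plain (subject, issuer) records and the sample PKI is constructed; no real X.509 parsing, signature or revocation checking happens here.

```python
"""Toy model of the two install policies the comments contrast (added example;
not code from the thread or Microsoft). No real X.509 or signature checking."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed root

@dataclass(frozen=True)
class Package:
    name: str
    payload: bytes  # constructed stand-in for the package bytes
    chain: tuple    # leaf first, root last

    def sha256(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()

def chains_to_trusted_root(pkg, trusted_roots):
    """Policy A: accept anything whose chain ends in a trusted root,
    which is what the thread says the protocol handler effectively did."""
    for child, parent in zip(pkg.chain, pkg.chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = pkg.chain[-1]
    return root.issuer == root.subject and root.subject in trusted_roots

def publisher_pinned(pkg, trusted_roots, allowed_publishers, denied_hashes):
    """Policy B: valid chain AND allow-listed leaf publisher AND package
    hash not individually denied (block one package, not the publisher)."""
    return (chains_to_trusted_root(pkg, trusted_roots)
            and pkg.chain[0].subject in allowed_publishers
            and pkg.sha256() not in denied_hashes)

# Constructed sample PKI: one root, one issuing CA, two leaf publishers.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
ISSUER = Cert("CN=Example Code Signing CA", ROOT.subject)
HONEST = Package("contoso.appx", b"contoso-build-1",
                 (Cert("CN=Contoso Ltd", ISSUER.subject), ISSUER, ROOT))
SHELL = Package("totally.appx", b"unknown-build-1",
                (Cert("CN=Totally-not-a-company Ltd", ISSUER.subject), ISSUER, ROOT))

def evaluate(denied_hashes=frozenset()):
    """Return {package name: (policy A verdict, policy B verdict)}."""
    roots, allowed = {ROOT.subject}, {"CN=Contoso Ltd"}
    return {p.name: (chains_to_trusted_root(p, roots),
                     publisher_pinned(p, roots, allowed, denied_hashes))
            for p in (HONEST, SHELL)}
```

Policy A passes both packages because both chain to the same root; policy B passes only the pinned publisher, and adding a package hash to the denylist blocks that one build without revoking the publisher's certificate.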

  7. cookieMonster Silver badge
    WTF?

    What was the saying. ???

    Death, Taxes and Microsoft fucking up?

    Nice to see the new year off to a ….. meh

    1. ecofeco Silver badge
      Thumb Up

      Re: What was the saying. ???

      Brilliant.

      Got to remember this one. Perfect description.

    2. ldo

      Re: Death, Taxes and Microsoft fucking up?

      And the customers continuing to throw money at them regardless.
