TechGuard Blog

Microsoft Protocol Update

Attention all Microsoft users, there were two significant updates this week that will bring you some joy, and maybe even some relief! For those who don’t know, Microsoft announced there would be an update for the Microsoft MSIX protocol that will temporarily disable it. At the same time, CISA announced it has expanded its list of vulnerabilities to include CVE-2022-21882. Both have been known to be exploited by malicious threat actors. How does CVE-2022-21882 relate to MSIX?


After months of repeated abuse from the famous malware gang, Emotet, Microsoft announced it would temporarily disable their favorite protocol to deliver malware. If you’re not familiar with MSIX, let’s discuss MSIX and why it is an attack vector for malware gangs like Emotet.


The MSIX protocol in Microsoft is responsible for making app packages easy for users to install and keeping apps updated. This was designed specifically for Windows 10, but after some time out it can now be installed on all Windows Operating Systems. The protocol works because it allows users to double click to execute the file. The OS will read the manifest files, install the files it needs for its platform, and download them. While this was initially intended to be something that would help users, it is now an attack vector that can harm their environment.


Attackers soon discovered they could abuse this protocol and began to send emails to users that would lure them to malicious sites. These sites would then have the user download a PDF component claiming the user needed to download an adobe signed file that contained the malicious malware on it. The problem with the attack, and why Microsoft had to disable the protocol, was because the gang had found ways to spoof signatures in the MSIX-packaged files. There was an initial patch for this, CVE-2021-43890, released in December of last year, and some group policies for those who couldn’t update. This, unfortunately, didn’t stop the attacks. Microsoft has said it plans to bring the protocol back after the flaws have been fixed.


In other news, CISA announced it was expanding its list of vulnerabilities to include CVE-2022-21882 which fixes a vulnerability in the Win32k.sys driver that allows privilege escalation. This vulnerability has been known to allow authenticated users to elevate local system or administrator privileges. CISA has given an action required Date of 02/18/2022.


So, make sure to get out there and install your patches this week!

Written by Adam Voss

Adam Voss graduated from Maryville University with an emphasis on pen-testing. Currently, he works at TechGuard as a cybersecurity analyst. When he's not working on projects or expanding his knowledge in the field to get his certs, he can be found doing something that involves physical exercise or rooting for the cardinals or blues.