製品・ソフトウェアに関する情報
Vulnerability Search
App Installer におけるなりすまされる脆弱性
Title App Installer におけるなりすまされる脆弱性
Summary

App Installer には、なりすまされる脆弱性が存在します。

Possible impacts なりすまされる可能性があります。
Solution

ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date Dec. 14, 2021, midnight
Registration Date Dec. 24, 2021, 4:35 p.m.
Last Update Dec. 24, 2021, 4:35 p.m.
CVSS3.0 : 重要
Score 7.1
Vector CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS2.0 : 警告
Score 6
Vector AV:N/AC:M/Au:S/C:P/I:P/A:P
Affected System
マイクロソフト
App Installer 
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
ベンダー情報
その他
Change Log
No Changed Details Date of change
1 [2021年12月24日]
  掲載		 Dec. 24, 2021, 4:35 p.m.
NVD Vulnerability Information
CVE-2021-43890
Summary

We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.
An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section.
Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.
December 27 2023 Update:
In recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme.
To address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations.

Publication Date Dec. 16, 2021, 12:15 a.m.
Registration Date Dec. 16, 2021, 10:01 a.m.
Last Update March 8, 2025, 6:54 a.m.
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:microsoft:app_installer:*:*:*:*:*:*:*:* 1.16
execution environment
1 cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:*:*
2 cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:*:*
3 cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:*:*
4 cpe:2.3:o:microsoft:windows_10_2004:-:*:*:*:*:*:*:*
5 cpe:2.3:o:microsoft:windows_10_20h2:-:*:*:*:*:*:*:*
6 cpe:2.3:o:microsoft:windows_10_21h1:-:*:*:*:*:*:*:*
7 cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:*:*
8 cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:*:*
Configuration2 or higher or less more than less than
cpe:2.3:a:microsoft:app_installer:*:*:*:*:*:*:*:* 1.11
execution environment
1 cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:*:*
2 cpe:2.3:o:microsoft:windows_10_1709:-:*:*:*:*:*:*:*
3 cpe:2.3:o:microsoft:windows_10_1803:-:*:*:*:*:*:*:*
Related information, measures and tools
Common Vulnerabilities List