How to Enable App Installer in a Secure Way After CVE-2021-43890 for many domains as sources?
Hi there,
I'm interested to know if there's an update regarding this GitHub issue after CVE-2021-43890 was reported. In a nutshell, I'm looking for a secure way to enable App Installer for installation from the web in many domains as ms-appinstaller source. The issue with the previous workaround, which was enabling it through group policy, is that it's insecure as it poses certain expectations from certain domains. I believe one way to fix this would be to allow the app installer to present the certificate, just like web browsers do with websites. (This is the proposed solution here, which suggests showing the certificate in the installer, similar to what was possible with ClickOnce. However, this solution hasn't been answered yet.)
In my opinion, this solution would fix the CVE because the publisher certificate can be checked by the user prior to installation, and it would allow the ms-appinstaller:// feature to be enabled again by default.
I'm aware that there's a Group Policy in Windows to activate the app installer ("Enable App Installer"). Still, this isn't a good solution as it poses security risks similar to those brought about by the CVE. Another group policy, the "Enable App Installer Allowed Sources," is a safer alternative. However, the only secure way to use this policy would be to whitelist each ms-appinstaller:// source domain via group policy, which is a time-consuming process for hundreds of .appinstaller deployments/domains.
If displaying the certificate of the publisher in the App Installer window isn't enough to resolve the CVE, then how about something similar to ClickOnce, such as Trusted Application Deployment Overview? Back then, it was possible to trust publisher names. This could work in addition to "Enable App Installer Allowed Sources".
Thanks.