Tux Machines

Microsoft Windows 11 Caches Exploitable Malware

posted by Roy Schestowitz on May 15, 2024

Reprinted with permission from Cybershow. Author: Helen Plews.

Figure 1: Tom's Hardware: Fishtank PC builds.

Malware is often thought of as the result of a human interacting with a digital device in a way that causes an infection such as a virus or worm. We assume a human used bad authentication, or clicked the bad link, or downloaded the malware…

So if we have anti-virus software and anti-phishing educational campaigns, we should be well protected, right? What about the technical side of cybersecurity, where the hardware, the network equipment, the end device or a software vulnerability is the cause?

This article will examine a case where an operating system is able to automatically open and store a phishing email attachment, leading to potential compromise. In this case, Windows 11 has been caching attachments locally to provide synchronisation across devices with the Outlook application. In many cases, it has cached exploitable malware. This is a growing issue brought to light by Windows 11 users and anti-virus providers, rather than by the makers at Microsoft.

Dropper Investigation

I am a life-long gamer and, from experimentation over the years, I know I have the best rig: a customisable gaming PC. It is very nice hardware; it looks stunning with rainbow glowing fans, it sounds like a mini jet engine, and it renders most graphics on Ultra with a graphics card that is at most 2 years old. The only issue I have had with it is the operating system, which for a big gamer is of course Windows 11, given the machine's age. After just two weeks of operation I was alerted to a dropper located in my Windows AppData folder. It was not dropping any further viruses yet, as it had been caught by my expensive AV, which is why the machine sounds like a jet engine: the AV makes heavy use of the CPU!

Was it a false positive? Well, I ran the offline scan myself, as my machine took 8x longer to boot. It behaved as if it were rebooting after a major update, yet no updates had been carried out, which made me suspect something was amiss.

The virus location was not new to me. It is an AppData folder present in Windows 10 and Windows 11 for Windows Mail; in particular, it handles mail syncing across devices. The full path is:

C:\Users\’Username’\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO\

Now, I have had viruses popping up here before; in fact, it has been an ongoing problem since I adopted the Windows 11 operating system (OS) in 2022 on the household laptops. Since then, both of my sons' laptops have alerted me to droppers and Trojans in the same AppData folder. I initially assumed my children were not so good with their cybersecurity (being aged 5 and 9, that makes sense). Maybe they had clicked an email notification. Maybe they had downloaded some Trojan dressed up as a game from one of those shoddy gaming stores all parents know about, stealthily and whilst under supervision. That was until my brand new gaming rig got one.

Examining the attack timeline of my gaming rig in detail showed that a phish had been ‘clicked’ from my Hotmail account, which was logged in on my Outlook App running in the background processes (not visible in my taskbar) whilst I played some epic title the night before. This ‘click’ put an infected PDF invoice on my PC, and on boot the next day it activated the dropper, slowing the machine right down, which gave me a clue.

Now let's be clear about how Microsoft's setup works, as I understand it, and why this is a gripe serious enough to warrant its own blog post.

You must sign in online to a Microsoft account to access the PC at all times, and Windows then creates session keys for all the applications that come installed as standard with the OS. So, unless you take some drastic measures I will discuss in a moment, you will undoubtedly be running sessions of Windows apps in the background: Outlook, OneDrive, Teams, Xbox, Photos, Office, Store; the list is quite extensive.

Moving on, I look for the phish email I had received. Using my AV's "clicked on" log, I locate the suspicious subject of the email. It was something akin to:

AMAZON ACCOUNT ###U$IIHknDBWON38383y4y29~~~

Now, you do not need to be a cybersecurity expert to tell that is a phish from the subject alone, which I located using the now-foreground Outlook app. As expected, it was unread. It showed me that within a few minutes of receiving the unread email, the attached PDF invoice was added to the Windows Communication AppData folder, which led to the dropper found by the offline scan.

It seemed that the Outlook App was saving unread attachments to the AppData folder where the virus was located. Some of the viruses located over the past two years were found on multiple devices that used the same MS credentials, which, unless stated otherwise, auto-sync application data. That is exactly what the

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

folder is for. It contains both the application data for Windows apps like Outlook to run and sync, as well as data obtained in the process. I synced between my children's laptops, as my account was the administrator for the network; it kept them safer online. Or so I thought.
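As an added example (not code from the original article), the following PowerShell script inventories the attachment cache under the folder described above, listing recently created files with their SHA-256 hashes so they can be checked against your AV vendor's intelligence before anything opens them. The package folder name is the one quoted in the article; the extension watch-list and the 7-day window are assumptions.

```powershell
# Added example, not from the original article: inventory the Windows Mail/Outlook
# attachment cache so newly synced attachments can be reviewed before anything
# touches them. Assumes Windows PowerShell 5.1 or PowerShell 7.

$PackageFamily = 'microsoft.windowscommunicationsapps_8wekyb3d8bbwe'   # folder name from the article
# The article saw attachments under ...\LocalState\Files\SO; scanning from Files\ covers that and siblings.
$CacheRoot     = Join-Path $env:LOCALAPPDATA "Packages\$PackageFamily\LocalState\Files"

# Assumed watch-list: document types that can carry macros or exploits, archives, scripts.
$Watch = @('.pdf', '.doc', '.docm', '.xls', '.xlsm', '.rtf', '.zip', '.7z', '.rar',
           '.iso', '.js', '.vbs', '.lnk', '.exe', '.scr')

function Get-MailCacheInventory {
    param(
        [string] $Root = $CacheRoot,
        [int]    $Days = 7          # look-back window (assumption)
    )
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Cache folder not present: $Root"
        return
    }
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                Created = $_.CreationTime
                Name    = $_.Name
                Bytes   = $_.Length
                Suspect = ($Watch -contains $_.Extension.ToLower())
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Path    = $_.FullName
            }
        }
}

# Usage: list the last week's cached attachments, suspect types first, and keep a CSV record
# of the hashes for later comparison against AV detections or vendor threat intelligence.
$inventory = Get-MailCacheInventory -Days 7
if ($inventory) {
    $inventory | Sort-Object -Property Suspect, Created -Descending |
        Format-Table Created, Suspect, Name, Bytes, SHA256 -AutoSize
    $inventory | Export-Csv -NoTypeInformation -Path (Join-Path $env:USERPROFILE 'mail-cache-inventory.csv')
}
```

Files flagged as suspect are only candidates for review; the hash column is what an AV vendor or a sandbox service needs to tell you whether a cached attachment is already known-bad.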

Vulnerability Research

So I start down the usual process of researching the vulnerability to find a permanent mitigation. I find nothing at first: no CVE, no reports. I do find some details on the MS community website, like this thread from 2020, "Trojan Found and Deleted… but it Returns (Trojan: HTML/Phish.AB!MSR)". It is here I see the same problem, and I see a response from an expert.

“The trojan is an email attachment synced to your PC. Do you have some Hotmail or Microsoft email setup in an email client applications like Outlook?” - Independent Expert, MS Community, 2020

So I search all around this topic and cannot find anything from Microsoft about this issue right away, but I do find many victims. Anti-virus companies, affected users and experts alike are all drawing attention to this problem. Eventually, thanks to Reddit, I find a similar experience from a commenter who managed to find the reported exploit listed by Microsoft. You can find many more threads on the issue on Reddit with a search.

“Looking into the report we have a "Exploit:O97M/CVE-2017-11882.AZA!MTB" match, which doesn't seem to be that ominous since it requires the file to be executed on a non-updated Office/WordPad, still it ain't something I'd like to find lying around because the app found it was a good thing to download it, without my consent.” - JVMTG, Reddit, 2023

It is a known software error marked as severe on Microsoft's own security intelligence website, with 24 exploits under the O97M CVE. I’d like to say I have more details from Microsoft, but I do not; instead they offer little beyond default cybersecurity advice, such as "remain up to date and don’t click a phish".

This does seem rather severe. The Outlook App locally caches attachments from emails, including those which have not been opened, to the windowscommunicationsapps folder. It will then auto-sync the data in the folder to all devices using the same credentials in their Outlook App: phones, laptops, desktops, anywhere the Outlook App runs.

The only step missing for a full compromise is that infected files are auto-run… a feature I feel sure Microsoft are working on at this exact moment!

Attacks are becoming more complex. In 2022 they were able to add the dropper, which very slowly downloaded a fairly rubbish Trojan that was easily removed. Recently there were 74 password-protected files and multiple Trojans appearing as game applications in the same AppData folder. These were located only weeks after a fresh OS install and could not be explained by known activities on the machine, nor entirely resolved by AV, due to the encryption of the folders they were located in.

Impact

Take a moment to think about how many commercial users of the Outlook application have auto-sync enabled in daily use. All those using Office 365 who sync between devices on their smartphone, personal devices and company equipment, or amongst family members' tablets and laptops. You should be concerned. And then get mad as hell, because it seems Microsoft have created their own quite special service for propagating malware, one that's been ongoing since at least 2020.

I have wasted countless hours re-installing OS’s, searching files, reading reports and researching this issue to find my only salvation in Reddit. Reddit of all places! This looks like something Microsoft rather wanted to sweep under the rug.

If you sync with Outlook App between devices with the same MS account, you are vulnerable to this malware propagation. Microsoft insist users take advantage of auto-synced features across devices and use this as a clear marketing tool especially for commercial settings. It seems my trust in this feature was misplaced.

Mitigation And Loss of Trust

Some will say that this is "just a feature" of sync. I disagree, because like so many Microsoft processes it feels out of control. It does not just synchronise expected user data. It inappropriately populates and copies undocumented files into system folders and, without any knowledge or intervention from the user, replicates them across devices.

The mitigation is that you must live without synchronisation in Microsoft applications. So far it has worked 100%: turning off sync across applications does work. This can be done during an OS install by refusing all sync options when prompted. You must also make sure it is off in the account settings for the user, which can be done from the Settings panel when logged on to Windows. There are many guides available, like this one from Process.st. Even with sync off, you can still access email and other services using the web applications, which will sync files and emails but will not store them on the local machine.

If, like me, you have lost trust in the applications themselves, removing the Windows apps entirely may be more fitting. This allows the folder

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

to be deleted, so that it does not reappear at a later date like a lurking background threat, just in case you change your mind. My gaming rig has only one MS app remaining, Xbox, and that is the way it will stay until the situation is openly discussed by MS and the vulnerability resolved. No more AppData phishes please.
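As an added example (not the author's own steps), this PowerShell function previews and, with -Apply, performs the removal described above: it uninstalls the Mail and Calendar (Outlook) app package for the current user, removes its cache folder if it lingers, and reports whether the folder is still present. The package name is inferred from the folder name quoted in the article; the Appx module is assumed to be available.

```powershell
# Added example, not code from the original article: uninstall the built-in
# Mail/Calendar app package for the current user so its attachment cache folder
# can be removed, then verify the end state. Without -Apply it only previews
# (-WhatIf), so it is safe to run first and read the plan.

function Remove-MailAppAndCache {
    param([switch] $Apply)

    $family = 'microsoft.windowscommunicationsapps_8wekyb3d8bbwe'   # folder name from the article
    $cache  = Join-Path $env:LOCALAPPDATA "Packages\$family"

    # 1. Uninstall the app package for this user (package name inferred from the folder name).
    $pkg = Get-AppxPackage -Name 'microsoft.windowscommunicationsapps'
    if ($null -eq $pkg) {
        Write-Host 'Mail/Calendar app package is not installed for this user.'
    } elseif ($Apply) {
        $pkg | Remove-AppxPackage
    } else {
        $pkg | Remove-AppxPackage -WhatIf
    }

    # 2. The per-user cache folder normally goes with the package; remove it if it lingers.
    #    It only exists once the app has run, so it may already be absent.
    if (Test-Path -LiteralPath $cache) {
        if ($Apply) {
            Remove-Item -LiteralPath $cache -Recurse -Force
        } else {
            Remove-Item -LiteralPath $cache -Recurse -Force -WhatIf
        }
    }

    # 3. Report the end state so the result can be recorded alongside the AV findings.
    [pscustomobject]@{
        PackageInstalled = [bool](Get-AppxPackage -Name 'microsoft.windowscommunicationsapps')
        CacheFolder      = $cache
        CachePresent     = (Test-Path -LiteralPath $cache)
    }
}

# Preview first; rerun as Remove-MailAppAndCache -Apply to perform the removal.
Remove-MailAppAndCache
```

This removes the package for the current user only; other user profiles on the same machine keep their own copy and cache folder until the same step is run there.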

In summary, no amount of phishing training will prevent a bad design in the operating system. Caching malware-infected attachments to system folders and replicating them is bad design, in my opinion. In this case, the operating system has been phished, not the human.
