
Microsoft Windows 11 Caches Exploitable Malware

posted by Roy Schestowitz on May 15, 2024

Reprinted with permission from Cybershow. Author: Helen Plews.

Figure 1: Tom's Hardware: Fishtank PC builds.

Malware is often thought of as a human interaction with a digital device that causes an infection such as a virus or worm. We assume a human used bad authentication, or the human clicked the bad link, the human downloaded the malware…

So if we have anti-virus and anti-phishing educational campaigns, we should be well protected, right? What about the technical side of cybersecurity, where a hardware, network equipment, end device or software vulnerability is the cause?

This article will examine a case where an operating system is able to automatically open and store a phishing email attachment, leading to potential compromise. In this case Windows 11 has been caching attachments locally to provide synchronisation across devices with the Outlook application. In many cases, it has cached exploitable malware. This is a growing issue brought to light by Windows 11 users and anti-virus providers, rather than by the makers at Microsoft.

Dropper Investigation

I am a life-long gamer and, from experimentation over the years, I know I have the best rig: a customisable gaming PC. It's very nice hardware; it looks stunning with rainbow glowing fans, it sounds like a mini jet engine, and it renders most graphics on Ultra with a graphics card that is at most 2 years old. The only issue I have had with it is in the operating system, which of course for a big gamer is Windows 11 due to its age. After just two weeks of operation I was alerted to a dropper located in my Windows AppData folder. It was not dropping any further viruses yet, as it had been caught by my expensive AV - which is why the machine sounds like a jet engine, given the AV's heavy use of CPU!

Was it a false positive? Well, I ran the offline scan myself, as my machine took 8x longer to boot. It behaved as if it were rebooting after a major update, yet no updates had been carried out, which made me suspect something was amiss.

The virus location was not new to me: it is an AppData folder present in Windows 10 and Windows 11 for Windows Mail; in particular, it handles mail syncing across devices. The full path is:

C:\Users\'Username'\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO\

Now, I have had viruses popping up here before; in fact it has been an ongoing problem since I adopted the Windows 11 operating system (OS) in 2022 on the household laptops. Since then, both of my sons' laptops have alerted me to droppers and Trojans in the same AppData folder. I initially assumed my children were not so good with their cybersecurity (being aged 5 and 9, that makes sense). Maybe they had clicked an email notification. Maybe they had downloaded some Trojan in the style of a game from a requested and shoddy gaming store all parents know about, stealthily and all whilst under supervision. That was until my brand new gaming rig got one.

Examining the attack timeline of my gaming rig in detail showed that a phish had been 'clicked' from my Hotmail account, which was logged in on my Outlook App running in the background processes (not visible in my taskbar) whilst I played some epic title the night before. This 'click' put an infected PDF invoice on my PC, and on boot the next day it activated the dropper, slowing the machine right down - which gave me a clue.

Now let's be clear about how Microsoft works, as I understand it, and why this is a gripe serious enough to warrant its own blog post.

You must sign in online to a Microsoft account to access the PC at all times, and it then creates session keys for all applications that come installed as standard with the OS. So, unless you take some drastic measures I will discuss in a moment, you will undoubtedly be running sessions of Windows apps in the background: Outlook, OneDrive, Teams, Xbox, Photos, Office, Store; the list is quite extensive.

Moving on, I looked for the phish email I had received. According to my AV's "clicked on" log, I located the suspicious subject of the email. It was something akin to:

AMAZON ACCOUNT ###U$IIHknDBWON38383y4y29~~~

Now, you do not need to be a cybersecurity expert to tell that is a phish from the subject, which I located using the now-foreground Outlook app. And as expected, it was unread. It showed me that within a few minutes of receiving the unread email, the attached PDF invoice was added to the Windows Communication AppData folder, which led to the dropper found by the offline scan.

It seemed that the Outlook App was saving unread attachments to the AppData folder where the virus was located. Some of the viruses located over the past two years were found on multiple devices that used the same MS credentials, which, unless stated otherwise, auto-sync application data. That is exactly what the

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

folder is for. It contains both the application data for Windows apps like Outlook to run and sync, as well as data obtained in the process. I synced between my children's laptops as my account was the administrator for the network; it kept them safer online. Or so I thought.

Vulnerability Research

So I start down the usual process of researching the vulnerability to find a permanent mitigation. I find nothing at first: no CVE, no reports. I do find some details on the MS community website, like this thread from 2020, "Trojan Found and Deleted… but it Returns (Trojan: HTML/Phish.AB!MSR)". It is here I see the same problem, and a response from an expert.

“The trojan is an email attachment synced to your PC. Do you have some Hotmail or Microsoft email setup in an email client application like Outlook?” - Independent Expert, MS Community, 2020

So I search all around this topic and I cannot find anything from Microsoft about this issue right away, but I do find many victims. Anti-virus companies, affected users and experts alike are all drawing attention to this problem. Eventually, thanks to Reddit, I find a similar experience from a commenter who managed to find the reported exploit listed by Microsoft. You can find many more threads on the issue on Reddit with a search.

“Looking into the report we have an "Exploit:O97M/CVE-2017-11882.AZA!MTB" match, which doesn't seem to be that ominous since it requires the file to be executed on a non-updated Office/WordPad, still it ain't something I'd like to find lying around because the app found it was a good thing to download it, without my consent.” - JVMTG, Reddit, 2023

It is a known software error marked as severe on their own security intelligence website, with 24 exploits under the O97M CVE. I'd like to say I have more details from Microsoft, but I do not; instead they offer very few default cybersecurity steps, such as "remain up to date and don't click a phish".

This does seem rather severe. The Outlook App locally caches attachments from emails, including those which have not been opened, to the windowscommunicationsapps folder. It will then auto-sync the data in the folder to all devices using the same credentials in their Outlook App: on phones, laptops, desktops, anywhere the Outlook App runs.

The only step missing for a full compromise is that infected files are auto-run… a feature I feel sure Microsoft are working on at this exact moment!

Attacks are becoming more complex. In 2022 they were able to add the dropper, which very slowly downloaded a fairly rubbish Trojan that was easily removed. Recently there were 74 password-protected files and multiple Trojans appearing as game applications in the same AppData folder. These were located only weeks after a fresh OS install and could not be explained by known activities on the machine, or entirely resolved by AV due to the encryption of the folders they were located in.

Impact

Take a moment to think about how many commercial users of the Outlook application have auto-sync enabled in daily use. All those using Office 365 who sync between devices on their smartphone, personal devices and company equipment, or amongst family members' tablets and laptops. You should be concerned. And then get mad as hell, because it seems Microsoft have created their own quite special service for propagating malware, one that's been ongoing since at least 2020.

I have wasted countless hours re-installing OS’s, searching files, reading reports and researching this issue to find my only salvation in Reddit. Reddit of all places! This looks like something Microsoft rather wanted to sweep under the rug.

If you sync with Outlook App between devices with the same MS account, you are vulnerable to this malware propagation. Microsoft insist users take advantage of auto-synced features across devices and use this as a clear marketing tool especially for commercial settings. It seems my trust in this feature was misplaced.

Mitigation And Loss of Trust

Some will say that this is "just a feature" of sync. I disagree, because like so many Microsoft processes it feels out of control. It does not just synchronise expected user data. It inappropriately populates and copies undocumented files into system folders and, without any knowledge or intervention from the user, replicates them across devices.

The mitigation is that you must live without synchronisation in Microsoft applications. So far it has worked 100%. Turning off sync across applications does work. This can be done during an OS install by refusing all sync options when prompted. You must also make sure it is off in the account settings for the user; this can be done from the Settings panel when logged on to Windows. There are many guides available, like this one from Process.st. Even with sync off, you can still access email and other services using the web applications, which will sync files and emails but will not store them on the local machine.

If, like myself, you have lost trust in the applications themselves, removing Windows apps entirely may be more fitting; this allows the folder

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

to be deleted, so that it does not reappear at a later date like a lurking background threat, just in case you change your mind. My gaming rig has only one MS app remaining, Xbox, and that is the way it will stay until the situation is openly discussed by MS and the vulnerability resolved. No more AppData phishes please.
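An added example, not code from the article or from Microsoft, that turns the cache path described earlier and the removal step in this section into a PowerShell audit script: it lists what the Mail/Outlook app cached recently (with hashes, so nothing has to be opened), cross-checks Microsoft Defender's detection history for hits inside that package folder, and only with -RemovePackage uninstalls the package so the folder can be deleted. Assumptions: the path and package family name are as quoted in the article; the author used a different AV, so the Defender lookup and the 30-day window are choices made here.

```powershell
# Added example (not the article's or Microsoft's code): audit the Mail/Outlook
# attachment cache the article names and, on request, remove the package.
# Assumes the article's path and package family name; the 30-day window and
# the Defender cross-check are assumptions made for this example.
param(
    [int]$Days = 30,          # how far back to look for cached attachments
    [switch]$RemovePackage    # opt in to uninstalling the Mail/Calendar package
)

$pkgFamily = 'microsoft.windowscommunicationsapps_8wekyb3d8bbwe'
$pkgDir    = Join-Path $env:LOCALAPPDATA "Packages\$pkgFamily"
$cacheDir  = Join-Path $pkgDir 'LocalState\Files\SO'

# 1. Inventory recently cached files with SHA-256 hashes, so each one can be
#    checked against AV detections or a sandbox without being opened locally.
if (Test-Path -LiteralPath $cacheDir) {
    $cutoff = (Get-Date).AddDays(-$Days)
    $report = Get-ChildItem -LiteralPath $cacheDir -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Written = $_.LastWriteTime
                Bytes   = $_.Length
                Name    = $_.Name
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    Write-Host "$(@($report).Count) file(s) cached under $cacheDir in the last $Days day(s)"
    $report | Sort-Object Written -Descending | Format-Table -AutoSize
} else {
    Write-Host "No attachment cache at $cacheDir (package absent or nothing synced yet)"
}

# 2. Cross-check Defender's detection history for anything flagged inside the
#    package folder (assumption: Defender is the AV; others keep their own log).
try {
    $hits = Get-MpThreatDetection -ErrorAction Stop |
        Where-Object { ($_.Resources -join ' ') -like "*$pkgFamily*" }
    foreach ($h in $hits) {
        Write-Host "Defender detection in cache: $($h.Resources -join ', ')"
    }
} catch {
    Write-Host "Defender detection history not available: $($_.Exception.Message)"
}

# 3. The article's mitigation: uninstall the Mail/Calendar package for this user
#    so the folder can be deleted and is not repopulated by background sync.
$pkg = Get-AppxPackage -Name 'microsoft.windowscommunicationsapps'
if (-not $pkg) {
    Write-Host 'Mail/Calendar package is not installed for this user'
} elseif ($RemovePackage) {
    $pkg | Remove-AppxPackage
    # The per-user package folder may survive the uninstall; clear it if so.
    if (Test-Path -LiteralPath $pkgDir) {
        Remove-Item -LiteralPath $pkgDir -Recurse -Force -ErrorAction SilentlyContinue
    }
    Write-Host "Removed $($pkg.PackageFullName); re-run this script to confirm the folder is gone"
} else {
    Write-Host "Package $($pkg.PackageFullName) is installed; pass -RemovePackage to uninstall it"
}
```

Run it first without -RemovePackage to see what the cache holds; the hash column is what you would submit to your AV vendor or compare with its detection log.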

In summary, no amount of phishing training will prevent a bad design in the operating system. Caching malware-infected attachments to system folders and replicating them is bad design in my opinion. In this case, the operating system has been phished, not the human.
