Tux Machines

Microsoft Windows 11 Caches Exploitable Malware

posted by Roy Schestowitz on May 15, 2024

Reprinted with permission from Cybershow. Author: Helen Plews.

Figure 1: Tom's Hardware: Fishtank PC builds.

Malware is often thought of as the product of a human interacting with a digital device and causing an infection such as a virus or worm. We assume a human used weak authentication, or clicked the bad link, or downloaded the malware…

So if we have anti-virus and anti-phishing educational campaigns, we should be well protected, right? What about the technical side of cybersecurity, where the hardware, the network equipment, the end device or a software vulnerability is the cause?

This article will examine a case where an operating system is able to automatically open and store a phishing email attachment, leading to potential compromise. In this case Windows 11 has been caching attachments locally to provide synchronisation across devices with the Outlook Application. In many cases, it has cached exploitable malware. This is a growing issue brought to light by Windows 11 users and anti-virus providers, rather than by the makers at Microsoft.

Dropper Investigation

I am a life-long gamer and from experimentation over the years, I know I have the best rig, a customisable gaming PC. It's very nice hardware: it looks stunning with rainbow glowing fans, and it sounds like a mini jet engine, rendering most graphics on Ultra with a graphics card which is at most 2 years old. The only issue I have had with it is in the operating system, which of course for a big gamer is Windows 11 due to its age. After just two weeks of operation I was alerted to a dropper located in my Windows AppData folder. It was not dropping any further viruses yet, as it had been caught by my expensive AV (which, with its heavy use of CPU, is why the machine sounds like a jet engine!).

Was it a false positive? Well, I ran the offline scan myself, as my machine took 8x longer to boot. It behaved as if rebooting after a major update. There were no updates carried out, which made me suspect something amiss.

The virus location was not new to me: it is an AppData folder present in Windows 10 and Windows 11 for Windows Mail; in particular, it handles mail syncing across devices. The full path is:

C:\Users\<Username>\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO\

Now, I have had viruses popping up here before; in fact it has been an ongoing problem since I adopted the Windows 11 operating system (OS) in 2022 on the household laptops. Since then, both of my sons' laptops have alerted me to droppers and Trojans in the same AppData folder. I initially assumed my children were not so good with their cybersecurity (being aged 5 and 9, that makes sense). Maybe they had clicked an email notification. Maybe they had downloaded some Trojan in the style of a game from a requested and shoddy gaming store all parents know about, stealthily and all whilst under supervision. That was until my brand new gaming rig got one.

Examining the attack timeline of my gaming rig in detail showed that a phish had been 'clicked' from my Hotmail account, which was logged in on my Outlook App running in the background processes (not running in my taskbar) whilst I played some epic title the night before. This 'click' put an infected PDF invoice on my PC, and on boot the next day it activated the dropper, slowing the machine right down, which gave me a clue.

Now let's be clear about how Microsoft works, as I understand it, and why this is a gripe serious enough to warrant its own blog post.

You must sign in online to a Microsoft account to access the PC at all times; Windows then creates session keys for all the applications that come installed as standard with the OS. So, unless you take some drastic measures I will discuss in a moment, you will undoubtedly be running sessions of Windows apps in the background: Outlook, OneDrive, Teams, Xbox, Photos, Office, Store; the list is quite extensive.

Moving on, I look for the phish email I had. According to my AV's "clicked on" log, I located the suspicious subject of the email. It was something akin to:

AMAZON ACCOUNT ###U$IIHknDBWON38383y4y29~~~

Now, you do not need to be a cybersecurity expert to tell that is a phish from the subject, which was located using the now-foreground Outlook app. And as expected, it was unread. It showed me that within a few minutes of receiving the unread email, the attached PDF invoice was added to the Windows Communication AppData folder, which led to the dropper found by the offline scan.

It seemed that the Outlook App was saving unread attachments to the AppData folder where the virus was located. Some of the viruses located over the past two years were found on multiple devices that used the same MS credentials, which, unless stated otherwise, auto-sync application data. That is exactly what the

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

folder is for. It contains both the application data for Windows apps like Outlook to run and sync, as well as data obtained in the process. I synced between my children's laptops, as my account was the administrator for the network and it kept them safer online. Or so I thought.
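As an added example (not part of the original article), the following PowerShell script audits the attachment cache folder described above for a single user: it lists recently cached files with their SHA-256 hashes, flags the extensions most commonly abused in phishing attachments, writes a CSV for the incident record, and optionally asks Microsoft Defender to scan the folder. It assumes the path layout given in the article under the current user's profile, and that the watched-extension list is a constructed starting point rather than anything Microsoft publishes.

```powershell
# Added example: audit the Windows Mail / Outlook App attachment cache.
# Assumes the article's path under $env:LOCALAPPDATA; run as the affected user.
param(
    [int]$Days = 14   # how far back to look at cached attachments
)

$cacheRoot = Join-Path $env:LOCALAPPDATA 'Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO'

if (-not (Test-Path -LiteralPath $cacheRoot)) {
    Write-Host "Attachment cache not present: $cacheRoot"
    return
}

# Constructed watch list of attachment types worth a second look (not exhaustive).
$watchExt = @('.pdf', '.doc', '.docm', '.xls', '.xlsm', '.rtf',
              '.zip', '.7z', '.exe', '.js', '.lnk', '.iso', '.html')

$since = (Get-Date).AddDays(-$Days)

$report = Get-ChildItem -LiteralPath $cacheRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        # Hash each cached attachment so it can be matched against AV / threat-intel reports.
        $hash = 'unreadable'
        try { $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } catch { }
        [pscustomobject]@{
            Cached  = $_.LastWriteTime
            Flagged = ($watchExt -contains $_.Extension.ToLower())
            SizeKB  = [math]::Round($_.Length / 1KB, 1)
            Name    = $_.Name
            SHA256  = $hash
            Path    = $_.FullName
        }
    } | Sort-Object Cached -Descending

# Newest cached attachments first; 'Flagged' marks the extensions on the watch list.
$report | Format-Table Cached, Flagged, SizeKB, Name, SHA256 -AutoSize

# Keep a copy for the incident record or for submitting samples to the AV vendor.
$csvPath = Join-Path $env:TEMP 'mail-cache-audit.csv'
$report | Export-Csv -LiteralPath $csvPath -NoTypeInformation
Write-Host "Report written to $csvPath ($($report.Count) files cached in the last $Days days)"

# If Microsoft Defender is installed, scan the cache folder itself on demand.
if (Get-Command Start-MpScan -ErrorAction SilentlyContinue) {
    Start-MpScan -ScanType CustomScan -ScanPath $cacheRoot
}
```

Run it from a normal (non-elevated) PowerShell prompt as the user whose mailbox is synced; a file that appears in the cache shortly after an unread message arrives is exactly the behaviour the article describes, and the hash lets you confirm a detection without opening the attachment.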

Vulnerability Research

So I start down the usual process of researching the vulnerability to find a permanent mitigation. I find nothing at first: no CVE, no reports. I do find some details on the MS Community website, like this thread from 2020: "Trojan Found and Deleted… but it Returns (Trojan: HTML/Phish.AB!MSR)". It is here I see the same problem, and I see a response from an expert.

"The trojan is an email attachment synced to your PC. Do you have some Hotmail or Microsoft email set up in an email client application like Outlook?" - Independent Expert, MS Community, 2020

So I search all around this topic and I cannot find anything from Microsoft about this issue right away, but I do find many victims. Anti-virus companies, affected users and experts alike are all drawing attention to this problem. Eventually, thanks to Reddit, I find a similar experience from a commenter who managed to find the reported exploit listed by Microsoft. You can find many more threads on the issue on Reddit with a search.

“Looking into the report we have a "Exploit:O97M/CVE-2017-11882.AZA!MTB" match, which doesn't seem to be that ominous since it requires the file to be executed on a non-updated Office/WordPad, still it ain't something I'd like to find lying around because the app found it was a good thing to download it, without my consent.” - JVMTG, Reddit, 2023

It is a known software error marked as severe on their own security intelligence website, with 24 exploits under the O97M CVE. I'd like to say I have more details from Microsoft but I do not; instead they offer very few default cybersecurity steps, such as "remain up to date and don't click a phish".

This does seem rather severe. The Outlook App locally caches attachments from emails, including those which have not been opened, to the windowscommunicationsapps folder. It then auto-syncs the data in that folder to all devices using the same credentials in their Outlook App: phones, laptops, desktops, anywhere the Outlook App runs.

The only step missing for a full compromise is that infected files are auto-run… a feature I feel sure Microsoft are working on at this exact moment!

Attacks are becoming more complex. In 2022 they were able to add the dropper, which very slowly downloaded a fairly rubbish Trojan that was easily removed. Recently there were 74 password-protected files and multiple Trojans appearing as game applications in the same AppData folder. These were located only weeks after a fresh OS install and could not be explained by known activities on the machine, or entirely resolved by AV due to the encryption of the folders they were located in.

Impact

Take a moment to think about how many commercial users of the Outlook application have auto-sync enabled in daily use: all those using Office 365 who sync between devices on their smartphones, personal devices and company equipment, or amongst family members' tablets and laptops. You should be concerned. And then get mad as hell, because it seems Microsoft have created their own quite special service for propagating malware, one that's been ongoing since at least 2020.

I have wasted countless hours re-installing OSes, searching files, reading reports and researching this issue, to find my only salvation in Reddit. Reddit of all places! This looks like something Microsoft rather wanted to sweep under the rug.

If you sync with Outlook App between devices with the same MS account, you are vulnerable to this malware propagation. Microsoft insist users take advantage of auto-synced features across devices and use this as a clear marketing tool especially for commercial settings. It seems my trust in this feature was misplaced.

Mitigation And Loss of Trust

Some will say that this is "just a feature" of sync. I disagree, because like so many Microsoft processes it feels out of control. It does not just synchronise expected user data. It inappropriately populates and copies undocumented files into system folders and, without any knowledge or intervention from the user, replicates them across devices.

The mitigation is that you must live without synchronisation in Microsoft applications. So far it has worked 100%. Turning off sync across applications does work. This can be done during an OS install by refusing all sync options when prompted. You must also make sure it is off in the account settings for the user; this can be done from the Settings panel when logged on to Windows. There are many guides available, like this one from Process.st. Even with sync off, you can still access email and other services using the web applications, which will sync files and emails but will not store them on the local machine.

If, like me, you have lost trust in the applications themselves, removing the Windows apps entirely may be more fitting. This allows the folder

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

to be deleted, so that it does not reappear at a later date like a lurking background threat, just in case you change your mind. My gaming rig has only one MS app remaining, Xbox, and that is the way it will stay until the situation is openly discussed by MS and the vulnerability resolved. No more AppData phishes please.

In summary, no amount of phishing training will prevent a bad design in the operating system. Caching malware infected attachments to system folders and replicating them is bad design in my opinion. In this case, the operating system has been phished, not the human.
