Tux Machines

Microsoft Windows 11 Caches Exploitable Malware

posted by Roy Schestowitz on May 15, 2024

Reprinted with permission from Cybershow. Author: Helen Plews.

Figure 1: Tom's Hardware: Fishtank PC builds.

Malware is often thought of as a human interaction with a digital device that causes an infection such as a virus or worm. We assume a human used bad authentication, or the human clicked the bad link, the human downloaded the malware…

So if we have anti-virus software and anti-phishing educational campaigns, we should be well protected, right? What about the technical side of cybersecurity, where the hardware, network equipment, end device or a software vulnerability is the cause?

This article will examine a case where an operating system automatically opens and stores a phishing email attachment, leading to potential compromise. In this case, Windows 11 has been caching attachments locally to provide synchronisation across devices with the Outlook application. In many cases, it has cached exploitable malware. This is a growing issue brought to light by Windows 11 users and anti-virus providers, rather than by its maker, Microsoft.

Dropper Investigation

I am a life-long gamer and, from experimentation over the years, I know I have the best rig: a customisable gaming PC. It’s very nice hardware; it looks stunning with rainbow glowing fans, it sounds like a mini jet engine, and it renders most graphics on Ultra with a graphics card that is at most 2 years old. The only issue I have had with it is the operating system, which of course for a big gamer is Windows 11, due to its age. After just two weeks of operation I was alerted to a dropper located in my Windows AppData folder. It was not dropping any further viruses yet, as it had been caught by my expensive AV (which is why it sounds like a jet engine, due to the heavy CPU use!).

Was it a false positive? Well, I ran the offline scan myself, as my machine took 8x longer to boot. It behaved as if it were rebooting after a major update, yet no updates had been carried out, which made me suspect something was amiss.

The virus location was not new to me: it is an AppData folder present in Windows 10 and Windows 11 for Windows Mail, which in particular handles mail syncing across devices. The full path is:

C:\Users\<Username>\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO\

Now, I have had viruses popping up here before; in fact, it has been an ongoing problem since I adopted the Windows 11 operating system (OS) in 2022 on the household laptops. Since then, both of my sons’ laptops have alerted me to droppers and Trojans in the same AppData folder. I initially assumed my children were not so good with their cybersecurity (being aged 5 and 9, that makes sense). Maybe they had clicked an email notification. Maybe they had downloaded some Trojan in the style of a game from a requested and shoddy gaming store all parents know about, stealthily and all whilst under supervision. That was until my brand new gaming rig got one.

Examining the attack timeline of my gaming rig in detail showed that a phish had been ‘clicked’ from my Hotmail account which was logged in on my Outlook App, running in the background processes (not running in my taskbar) whilst I played some epic title the night before. This ‘click’ put an infected PDF invoice on my PC, and on boot the next day activated the dropper, slowing the machine right down - which gave me a clue.

Now let's be clear about how Microsoft works, as I understand it, and why this is a gripe serious enough to warrant its own blog post.

You must sign in online to a Microsoft account to access the PC at all times; it then creates session keys for all the applications that come installed as standard with the OS. So, unless you take some drastic measures I will discuss in a moment, you will undoubtedly be running sessions of Windows apps in the background: Outlook, OneDrive, Teams, Xbox, Photos, Office, Store; the list is quite extensive.

Moving on, I looked for the phish email I had received. Using my AV's "clicked on" log, I located the suspicious subject of the email. It was something akin to:

AMAZON ACCOUNT ###U$IIHknDBWON38383y4y29~~~

Now, you do not need to be a cybersecurity expert to tell from the subject that this is a phish; I located it using the now-foregrounded Outlook app. As expected, it was unread. It showed me that, within a few minutes of the unread email being received, the attached PDF invoice was added to the Windows Communication AppData folder, which led to the dropper found by the offline scan.

It seemed that the Outlook app was saving unread attachments to the AppData folder where the virus was located. Some of the viruses located over the past two years were found on multiple devices that used the same MS credentials, which, unless stated otherwise, auto-sync application data. That is exactly what the microsoft.windowscommunicationsapps_8wekyb3d8bbwe folder is for. It contains both the application data for Windows apps like Outlook to run and sync, as well as data obtained in the process. I synced between my children's laptops, as my account was the administrator for the network; it kept them safer online. Or so I thought.

Vulnerability Research

So I start down the usual process of researching the vulnerability to find a permanent mitigation. I find nothing at first: no CVE, no reports. I do find some details on the MS Community website, like this one from 2020, "Trojan Found and Deleted… but it Returns (Trojan: HTML/Phish.AB!MSR)". It is here I see the same problem and a response from an expert.

“The trojan is an email attachment synced to your PC. Do you have some Hotmail or Microsoft email set up in an email client application like Outlook?” - Independent Expert, MS Community, 2020

So I search all around this topic and cannot find anything from Microsoft about this issue right away, but I do find many victims. Anti-virus companies, affected users and experts alike are all drawing attention to this problem. Eventually, thanks to Reddit, I find a similar experience from a commenter who managed to find the reported exploit listed by Microsoft. You can find many more threads on the issue on Reddit with a search.

“Looking into the report we have an "Exploit:O97M/CVE-2017-11882.AZA!MTB" match, which doesn't seem to be that ominous since it requires the file to be executed on a non-updated Office/WordPad, still it ain't something I'd like to find lying around because the app found it was a good thing to download it, without my consent.” - JVMTG, Reddit, 2023

It is a known software error marked as severe on their own security intelligence website, with 24 exploits under the O97M CVE. I’d like to say I have more details from Microsoft, but I do not; instead they offer very few default cybersecurity steps, such as "remain up to date and don’t click a phish".

This does seem rather severe. The Outlook app locally caches email attachments, including those from emails which have not been opened, to the windowscommunicationsapps folder. It will then auto-sync the data in the folder to all devices using the same credentials in their Outlook app: phones, laptops, desktops, anywhere the Outlook app runs.

The only step missing for a full compromise is that infected files are auto-run… a feature I feel sure Microsoft are working on at this exact moment!

Attacks are becoming more complex. In 2022 they were able to add the dropper, which very slowly downloaded a fairly rubbish Trojan that was easily removed. Recently there were 74 password-protected files and multiple Trojans appearing as game applications in the same AppData folder. These were located only weeks after a fresh OS install and could not be explained by known activities on the machine, or entirely resolved by AV, due to the encryption of the folders they were located in.

Impact

Take a moment to think about how many commercial users of the Outlook application have auto-sync enabled in daily use. All those using Office 365 who sync between devices on their smartphone, personal devices and company equipment, or amongst family members' tablets and laptops. You should be concerned. And then get mad as hell, because it seems Microsoft have created their own quite special service for propagating malware, one that's been ongoing since at least 2020.

I have wasted countless hours re-installing OSes, searching files, reading reports and researching this issue, only to find my salvation in Reddit. Reddit of all places! This looks like something Microsoft rather wanted to sweep under the rug.

If you sync with Outlook App between devices with the same MS account, you are vulnerable to this malware propagation. Microsoft insist users take advantage of auto-synced features across devices and use this as a clear marketing tool especially for commercial settings. It seems my trust in this feature was misplaced.

Mitigation And Loss of Trust

Some will say that this is "just a feature" of sync. I disagree, because like so many Microsoft processes it feels out of control. It does not just synchronise expected user data. It inappropriately populates and copies undocumented files into system folders and, without any knowledge or intervention from the user, replicates them across devices.

The mitigation is that you must live without synchronisation in Microsoft applications. So far it has worked 100%. Turning off sync across applications does work. This can be done during an OS install by refusing all sync options when prompted. You must also make sure it is off in the account settings for the user; this can be done from the Settings panel when logged on to Windows. There are many guides available, like this one from Process.st. Even with sync off, you can still access email and other services using the web applications, which will sync files and emails but will not store them on the local machine.

If, like me, you have lost trust in the applications themselves, removing the Windows apps entirely may be more fitting. This allows the microsoft.windowscommunicationsapps_8wekyb3d8bbwe folder to be deleted, so it does not reappear at a later date like a lurking background threat, just in case you change your mind. My gaming rig has only one MS app remaining, Xbox, and that is the way it will stay until the situation is openly discussed by MS and the vulnerability resolved. No more AppData phishes please.
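As an added example (not from the article, and not Microsoft guidance), the following Windows PowerShell 5.1 script inventories whatever the Mail/Outlook app has cached under the Packages folder named above, hashing each file and flagging attachment types worth lining up against an AV log, and optionally removes the Mail and Calendar package as the paragraph above describes. The extension list, the CSV output path and the -RemoveMailApp switch are my own choices.

```powershell
# Added example: audit the Mail/Outlook attachment cache the article describes,
# and optionally remove the Mail and Calendar app package. Run as the affected user
# in Windows PowerShell 5.1. Supports -WhatIf for the removal step.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Cache root from the article; the LocalState\Files\SO subfolder sits under it.
    [string]$CacheRoot = (Join-Path $env:LOCALAPPDATA 'Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files'),
    # Attachment types worth a second look (constructed list, not exhaustive).
    [string[]]$RiskyExtensions = @('.pdf', '.doc', '.docx', '.docm', '.rtf', '.xls', '.xlsm', '.exe', '.js', '.lnk', '.iso', '.zip', '.7z'),
    # Set this to remove the Mail/Calendar package (the article's "remove the apps" mitigation).
    [switch]$RemoveMailApp
)

function Get-CachedAttachmentReport {
    param([string]$Root, [string[]]$Risky)
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Verbose "Cache folder not present: $Root"
        return @()
    }
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                LastWrite = $_.LastWriteTime
                Sha256    = $hash
                RiskyType = ($Risky -contains $_.Extension.ToLowerInvariant())
            }
        }
}

$report = @(Get-CachedAttachmentReport -Root $CacheRoot -Risky $RiskyExtensions)
# Newest first: the article notes the attachment landed minutes after the mail arrived,
# so LastWrite can be compared against the AV "clicked on" log timestamps.
$report | Sort-Object LastWrite -Descending | Format-Table LastWrite, RiskyType, SizeBytes, Path -AutoSize
$flagged = @($report | Where-Object RiskyType)
Write-Host ("{0} cached file(s), {1} of a risky attachment type" -f $report.Count, $flagged.Count)
# Export hashes so they can be checked against your AV vendor's detections.
$report | Export-Csv -LiteralPath (Join-Path $env:TEMP 'mail-cache-inventory.csv') -NoTypeInformation

if ($RemoveMailApp) {
    # The package name is the Packages folder name without the publisher suffix.
    $pkg = Get-AppxPackage -Name 'microsoft.windowscommunicationsapps'
    if ($pkg -and $PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage')) {
        Remove-AppxPackage -Package $pkg.PackageFullName
        Write-Host 'Mail and Calendar package removed; delete the Packages folder afterwards if it remains.'
    }
}
```

Run it once without -RemoveMailApp to see what is cached, then with -RemoveMailApp -WhatIf to preview the removal before committing to it.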

In summary, no amount of phishing training will prevent a bad design in the operating system. Caching malware-infected attachments to system folders and replicating them is bad design in my opinion. In this case, the operating system has been phished, not the human.
