Tux Machines


Microsoft Windows 11 Caches Exploitable Malware

posted by Roy Schestowitz on May 15, 2024

Reprinted with permission from Cybershow. Author: Helen Plews.

Figure 1: Tom's Hardware: Fishtank PC builds.

Malware is often thought of as the result of a human interacting with a digital device and causing an infection such as a virus or worm. We assume a human used weak authentication, clicked the bad link, or downloaded the malware themselves…

So if we have anti-virus and anti-phishing awareness campaigns we should be well protected, right? What about the technical side of cybersecurity, where the cause is the hardware, the network equipment, the end device or a software vulnerability?

This article examines a case where an operating system automatically downloads and stores a phishing email attachment, leading to potential compromise. Windows 11 has been caching attachments locally to provide synchronisation across devices with the Outlook (Mail) app, and in many cases it has cached exploitable malware. This is a growing issue brought to light by Windows 11 users and anti-virus providers rather than by Microsoft itself.

Dropper Investigation

I am a life-long gamer and, from experimentation over the years, I know I have the best rig: a customisable gaming PC. It is very nice hardware; it looks stunning with rainbow glowing fans, sounds like a mini jet engine, and renders most graphics on Ultra with a graphics card that is at most two years old. The only issue I have had with it is the operating system, which for a big gamer is of course Windows 11, given the machine's age. After just two weeks of operation I was alerted to a dropper located in my Windows AppData folder. It was not dropping any further malware yet, as it had been caught by my expensive AV, which is also why the machine sounds like a jet engine: the AV uses a lot of CPU!

Was it a false positive? I ran the offline scan myself because my machine took eight times longer to boot. It behaved as if it were rebooting after a major update, but no updates had been carried out, which made me suspect something was amiss.

The location of the malware was not new to me. It is an AppData folder present in Windows 10 and Windows 11 that belongs to the built-in Mail app (the Windows Communications Apps package), which in particular handles mail syncing across devices. The full path is:

C:\Users\<Username>\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO\

I have had viruses popping up here before; in fact it has been an ongoing problem since I adopted Windows 11 in 2022 on the household laptops. Since then, both of my sons' laptops have alerted me to droppers and Trojans in the same AppData folder. I initially assumed my children were not so good with their cybersecurity (being aged 5 and 9, that makes sense). Maybe they had clicked an email notification. Maybe they had downloaded some Trojan dressed up as a game from the shoddy gaming store all parents know about, stealthily and all whilst under supervision. That was until my brand new gaming rig got one.

Examining the attack timeline of my gaming rig in detail showed that a phish had been 'clicked' from my Hotmail account, which was signed in to the Outlook app running in the background (not visible in my taskbar) whilst I played some epic title the night before. This 'click' put an infected PDF invoice on my PC, and on boot the next day the dropper activated, slowing the machine right down, which gave me a clue.

Now let's be clear about how Microsoft works, as I understand it, and why this is a gripe serious enough to warrant its own blog post.

You must sign in online to a Microsoft account to use the PC, and it then creates session keys for all the applications that come installed as standard with the OS. So unless you take some drastic measures, which I will discuss in a moment, you will undoubtedly be running Windows apps in the background: Outlook, OneDrive, Teams, Xbox, Photos, Office, Store; the list is quite extensive.

Moving on, I looked for the phishing email. Using my AV's "clicked on" log, I located the suspicious email subject. It was something akin to:

AMAZON ACCOUNT ###U$IIHknDBWON38383y4y29~~~

You do not need to be a cybersecurity expert to tell from the subject alone that this is a phish. I found it using the Outlook app, now in the foreground, and as expected it was unread. The timeline showed that within a few minutes of the unread email arriving, the attached PDF invoice was added to the Windows Communications Apps AppData folder, which led to the dropper found by the offline scan.

It seemed that the Outlook app was saving attachments of unread messages to the AppData folder where the malware was located. Some of the malware found over the past two years was on multiple devices that used the same Microsoft credentials, which, unless you say otherwise, auto-sync application data. That is exactly what the

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

folder is for. It contains both the application data that Windows apps like Outlook need to run and sync, and the data obtained in the process. I synced between my children's laptops because my account was the administrator for the household; it kept them safer online. Or so I thought.
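The cache folder named above is also the natural place to start triage. The PowerShell below is an added example written for this page, not the author's own steps or anything from Microsoft: it lists every file under the Mail app's LocalState\Files tree with its SHA256 and creation time (a file created minutes after an unread message arrived, as in the timeline above, stands out at the top of the list), pulls Microsoft Defender's detection history for that package folder with the threat IDs resolved to names such as the Exploit:O97M/CVE-2017-11882 detection quoted later, and then forces a targeted Defender scan of the cache. It assumes the path quoted in the article, that Defender is the installed AV (its PowerShell module provides Get-MpThreatDetection, Get-MpThreat and Start-MpScan), and that it is run elevated as the affected user. The list of "risky" extensions is my own choice.

```powershell
# Added example, not from the original article. Inventory the Mail app's
# attachment cache and correlate it with Microsoft Defender's own records.
# Assumptions: the cache path is the one quoted in the article; Defender is
# the installed AV (Defender PowerShell module present); run elevated, as the
# user whose profile holds the cache.

$CacheRoot = Join-Path $env:LOCALAPPDATA `
    'Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files'

# Extensions worth a second look: Office/RTF documents carry the Equation
# Editor (CVE-2017-11882) and macro (O97M) payloads the article's detection
# names refer to; PDF is what the article's dropper arrived as. My own list.
$RiskyExtensions = @('.doc', '.docx', '.docm', '.dot', '.dotm', '.rtf',
                     '.xls', '.xlsx', '.xlsm', '.pdf', '.iso', '.img',
                     '.zip', '.lnk', '.js', '.vbs', '.hta')

function Get-MailCacheInventory {
    param([string]$Root = $CacheRoot)
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Cache folder not present: $Root"
        return
    }
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force | ForEach-Object {
        $ext = $_.Extension.ToLowerInvariant()
        [pscustomobject]@{
            Created   = $_.CreationTime      # when the sync engine wrote the file
            Risky     = $RiskyExtensions -contains $ext
            SizeBytes = $_.Length
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Path      = $_.FullName
        }
    }
}

function Get-MailCacheDetections {
    # Defender detection-history entries whose resource path lies inside the
    # package folder, with ThreatID resolved to the detection name
    # (e.g. Exploit:O97M/CVE-2017-11882.AZA!MTB).
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[[string]$_.ThreatID] = $_.ThreatName }
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match 'windowscommunicationsapps' } |
        ForEach-Object {
            [pscustomobject]@{
                Detected   = $_.InitialDetectionTime
                ThreatName = $names[[string]$_.ThreatID]
                Resources  = ($_.Resources -join '; ')
            }
        }
}

# 1. Newest files first: anything created minutes after an unread message
#    arrived (the timeline in the article) sits at the top of this list.
Get-MailCacheInventory | Sort-Object Created -Descending |
    Format-Table Created, Risky, SizeBytes, SHA256, Path -AutoSize

# 2. What Defender has already flagged under this folder, and when.
Get-MailCacheDetections | Sort-Object Detected -Descending | Format-Table -AutoSize

# 3. Scan just the cache now instead of waiting for the scheduled full scan.
if (Test-Path -LiteralPath $CacheRoot) {
    Start-MpScan -ScanType CustomScan -ScanPath $CacheRoot
}
```

Keep the SHA256 column: it lets you check whether the same attachment has appeared on the other devices that share the account, which is the replication the article goes on to describe.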

Vulnerability Research

So I started down the usual process of researching the vulnerability to find a permanent mitigation. At first I found nothing: no CVE, no reports. I did find some details on the Microsoft Community website, like this one from 2020, "Trojan Found and Deleted… but it Returns (Trojan:HTML/Phish.AB!MSR)". There I saw the same problem, and a response from an expert.

“The trojan is an email attachment synced to your PC. Do you have some Hotmail or Microsoft email setup in an email client applications like Outlook?” - Independent Expert, MS Community, 2020

So I searched all around this topic and could not find anything from Microsoft about the issue right away, but I did find many victims. Anti-virus companies, affected users and experts alike are all drawing attention to this problem. Eventually, thanks to Reddit, I found a similar experience from a commenter who managed to find the detection name Microsoft lists for the exploit. A search turns up many more threads on the issue on Reddit.

“Looking into the report we have a "Exploit:O97M/CVE-2017-11882.AZA!MTB" match, which doesn't seem to be that ominous since it requires the file to be executed on a non-updated Office/WordPad, still it ain't something I'd like to find lying around because the app found it was a good thing to download it, without my consent.” - JVMTG, Reddit, 2023

It is a known exploit marked as severe on Microsoft's own security intelligence website, with 24 variants listed under the O97M/CVE-2017-11882 detection family. (O97M is Microsoft's naming prefix for malicious Office documents; CVE-2017-11882 is the memory-corruption flaw in the Office Equation Editor, which is why, as the Reddit commenter notes, the cached file only does damage when opened in an unpatched Office or WordPad.) I would like to say I have more details from Microsoft but I do not; instead they offer only generic advice, such as "remain up to date and don't click a phish".

This does seem rather severe. The Outlook app locally caches email attachments, including those from messages that have never been opened, in the windowscommunicationsapps folder. It then auto-syncs the data in that folder to every device using the same credentials in its Outlook app: phones, laptops, desktops, anywhere the Outlook app runs.

The only step missing for a full compromise is that infected files are auto-run… a feature I feel sure Microsoft are working on at this exact moment!

Attacks are becoming more complex. In 2022 they were able to add the dropper, which very slowly downloaded a fairly rubbish Trojan that was easily removed. Recently there were 74 password-protected files and multiple Trojans appearing as game applications in the same AppData folder. These were found only weeks after a fresh OS install, could not be explained by known activity on the machine, and could not be entirely resolved by AV because the folders they were in were encrypted.

Impact

Take a moment to think about how many commercial users of the Outlook application have auto-sync enabled in daily use: all those Office 365 users who sync between their smartphone, personal devices and company equipment, or between family members' tablets and laptops. You should be concerned. And then get mad as hell, because it seems Microsoft have created their own quite special service for propagating malware, one that has been ongoing since at least 2020.

I have wasted countless hours re-installing operating systems, searching files, reading reports and researching this issue, only to find my salvation on Reddit. Reddit, of all places! This looks like something Microsoft would rather sweep under the rug.

If you sync with Outlook App between devices with the same MS account, you are vulnerable to this malware propagation. Microsoft insist users take advantage of auto-synced features across devices and use this as a clear marketing tool especially for commercial settings. It seems my trust in this feature was misplaced.

Mitigation And Loss of Trust

Some will say that this is "just a feature" of sync. I disagree, because like so many Microsoft processes it feels out of control. It does not just synchronise expected user data. It populates application data folders under the user profile with undocumented files and, without any knowledge or intervention from the user, replicates them across devices.

The mitigation is that you must live without synchronisation in Microsoft applications. So far this has worked 100%: turning off sync across applications does work. It can be done during an OS install by refusing all sync options when prompted. You must also make sure it is off in the account settings for the user, which can be done from the Settings panel when logged on to Windows. There are many guides available, like this one from Process.st. Even with sync off, you can still access email and other services through the web applications, which show your mail and files but do not write attachments to the local machine unless you explicitly download them.

If, like me, you have lost trust in the applications themselves, removing the Windows apps entirely may be more fitting. This allows the folder

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

to be deleted, so that it does not reappear at a later date like a lurking background threat, just in case you change your mind. My gaming rig has only one Microsoft app remaining, Xbox, and that is the way it will stay until the situation is openly discussed by Microsoft and the vulnerability resolved. No more AppData phishes, please.
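The removal just described can be done in one elevated PowerShell session. The following is an added example, not the author's own procedure: it removes the Mail and Calendar app (package name microsoft.windowscommunicationsapps) for every existing user, removes the provisioned copy so that new user accounts do not get it back, deletes the leftover package folder from each profile, and then verifies that nothing remains. The package and folder names are the ones quoted in the article; the Hx* process names (the Mail app's background sync engine and UI) and the walk over C:\Users for profiles are my assumptions. The separate Windows settings-sync switch mentioned above is not touched here.

```powershell
# Added example, not from the original article. Remove the Mail and Calendar
# app (the owner of microsoft.windowscommunicationsapps_8wekyb3d8bbwe) for all
# users, stop it being provisioned for new accounts, and delete the leftover
# attachment cache from every profile. Run from an elevated PowerShell on
# Windows 10/11. Package and folder names are those quoted in the article;
# the Hx* process names and the C:\Users profile walk are my assumptions.

$PackageName   = 'microsoft.windowscommunicationsapps'
$PackageFolder = 'microsoft.windowscommunicationsapps_8wekyb3d8bbwe'

# 0. Record what is installed, and for whom, before touching anything.
Get-AppxPackage -AllUsers -Name $PackageName |
    Select-Object Name, Version, PackageFullName, PackageUserInformation

# 1. Stop the app's processes so the package folder is not locked.
#    HxTsr is the background mail sync engine that runs with no taskbar entry
#    (the situation the article describes); HxOutlook is the Mail UI.
Get-Process -Name HxTsr, HxOutlook, HxCalendarAppImm, HxAccounts -ErrorAction SilentlyContinue |
    Stop-Process -Force

# 2. Remove the installed app for every existing user.
Get-AppxPackage -AllUsers -Name $PackageName | Remove-AppxPackage -AllUsers

# 3. Remove the provisioned (staged) copy so new user accounts do not get it.
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq $PackageName |
    Remove-AppxProvisionedPackage -Online

# 4. Delete the per-user cache folder if the uninstall left it behind.
Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object {
    $leftover = Join-Path $_.FullName "AppData\Local\Packages\$PackageFolder"
    if (Test-Path -LiteralPath $leftover) {
        Remove-Item -LiteralPath $leftover -Recurse -Force
        Write-Output "Deleted $leftover"
    }
}

# 5. Verify: all three queries should return nothing.
Get-AppxPackage -AllUsers -Name $PackageName
Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $PackageName
Get-ChildItem -Path 'C:\Users\*\AppData\Local\Packages' -Directory -Filter $PackageFolder -ErrorAction SilentlyContinue
```

Step 3 is the part most guides skip: without removing the provisioned package, the app (and its LocalState cache) comes back the first time a new account signs in to the machine.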

In summary, no amount of phishing training will prevent a bad design in the operating system. Caching malware-infected attachments to application data folders and replicating them across devices is bad design in my opinion. In this case, the operating system has been phished, not the human.
