Tux Machines

Microsoft Windows 11 Caches Exploitable Malware

posted by Roy Schestowitz on May 15, 2024

Reprinted with permission from Cybershow. Author: Helen Plews.

Figure 1: Tom's Hardware: Fishtank PC builds.

Malware is often thought of as the result of a human interacting with a digital device and causing an infection such as a virus or worm. We assume a human used bad authentication, or the human clicked the bad link, or the human downloaded the malware…

So if we have anti-virus and anti-phishing awareness campaigns, we should be well protected, right? What about the technical side of cybersecurity, where the hardware, network equipment, end device or a software vulnerability is the cause?

This article will examine a case where an operating system is able to automatically fetch and store a phishing email attachment, leading to potential compromise. In this case, Windows 11 has been caching attachments locally to provide synchronisation across devices with the Outlook application. In many cases, it has cached exploitable malware. This is a growing issue brought to light by Windows 11 users and anti-virus providers, rather than by the makers at Microsoft.

Dropper Investigation

I am a life-long gamer and from experimentation over the years, I know I have the best rig: a customisable gaming PC. It's very nice hardware; it looks stunning with rainbow glowing fans, it sounds like a mini jet engine, and it renders most graphics on Ultra with a graphics card which is at most 2 years old. The only issue I have had with it is in the operating system, which of course for a big gamer is Windows 11 due to its age. After just two weeks of operation I was alerted to a dropper located in my Windows AppData folder; it was not dropping any further viruses yet, as it had been caught by my expensive AV - which is why it sounds like a jet engine, due to the large use of CPU!!

Was it a false positive? Well, I ran the offline scan myself, as my machine took 8x longer to boot. It behaved as if rebooting after a major update. There were no updates carried out, which made me suspect something amiss.

The virus location was not new to me: it is an AppData folder present in Windows 10 and Windows 11 for Windows Mail; in particular it handles mail syncing across devices. The full path is:

C:\Users\'Username'\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO\

Now I have had viruses popping up here before; in fact it has been an ongoing problem since I adopted the Windows 11 operating system (OS) in 2022 on the household laptops. Since then, both of my sons' laptops have alerted me to droppers and Trojans in the same AppData folder. I initially assumed my children were not so good with their cybersecurity (being aged 5 and 9, that makes sense). Maybe they had clicked an email notification. Maybe they had downloaded some Trojan in the style of a game from a requested and shoddy gaming store all parents know about, stealthily and all whilst under supervision. That was until my brand new gaming rig got one.

Examining the attack timeline of my gaming rig in detail showed that a phish had been 'clicked' from my Hotmail account, which was logged in on my Outlook App, running in the background processes (not running in my taskbar) whilst I played some epic title the night before. This 'click' put an infected PDF invoice on my PC, and on boot the next day it activated the dropper, slowing the machine right down - which gave me a clue.

Now let's be clear about how Microsoft works, as I understand it, and why this is a gripe serious enough to warrant its own blog post.

You must sign in online to a Microsoft account to access the PC at all times; it then creates session keys for all applications that come installed as standard with the OS. So, unless you take some drastic measures I will discuss in a moment, you will undoubtedly be running sessions of Windows apps in the background: Outlook, OneDrive, Teams, Xbox, Photos, Office, Store; the list is quite extensive.

Moving on, I looked for the phish email I had. According to my AV "clicked on" log, I located the suspicious subject of the email. It was something akin to:

AMAZON ACCOUNT ###U$IIHknDBWON38383y4y29~~~

Now, you do not need to be a cybersecurity expert to tell that this is a phish from the subject, which was located using the now foreground Outlook app. And as expected, it was unread. It showed me that within a few minutes of receiving the unread email, the attached PDF invoice was added to the Windows Communication AppData folder, which led to the dropper found by the offline scan.

It seemed that the Outlook App was saving unread attachments to the AppData folder where the virus was located. Some of the viruses located over the past two years were found on multiple devices that used the same MS credentials, which, unless stated otherwise, auto-sync application data. That is exactly what the

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

folder is for. It contains both the application data for Windows apps like Outlook to run and sync, as well as data obtained in the process. I synced between my children's laptops, as my account was the administrator for the network; it kept them safer online. Or so I thought.
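A defender's first step with a cache like this is to know what is actually sitting in it before the sync engine copies it anywhere else. The script below is an added example, not code from the original article or from Microsoft: it walks the attachment cache at the path given above under each user profile, hashes every file, and flags extensions that commonly carry macro or exploit content, so the result can be handed to the AV vendor or SOC. The extension list and the output file name are assumptions made for illustration; reading other users' profiles requires an elevated prompt.

```powershell
# Added example (not from the original article): inventory the Windows Mail / Outlook
# attachment cache so cached files can be hashed and checked before sync replicates them.
# The folder layout is the one the article quotes; $FlagExtensions is an assumption.

$PackageFamily = 'microsoft.windowscommunicationsapps_8wekyb3d8bbwe'
$RelativeCache = "AppData\Local\Packages\$PackageFamily\LocalState\Files\SO"

function Get-MailAttachmentCacheInventory {
    [CmdletBinding()]
    param(
        # Default: every profile under C:\Users (needs admin); pass one profile path to narrow it.
        [string[]]$ProfileRoot = (Get-ChildItem -Path 'C:\Users' -Directory).FullName,
        # Extensions worth a second look because they commonly carry macro or exploit content.
        [string[]]$FlagExtensions = @('.pdf', '.doc', '.docm', '.xls', '.xlsm', '.rtf',
                                      '.zip', '.iso', '.js', '.lnk', '.exe')
    )

    foreach ($root in $ProfileRoot) {
        $cache = Join-Path $root $RelativeCache
        if (-not (Test-Path -LiteralPath $cache)) { continue }

        Get-ChildItem -LiteralPath $cache -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # SHA256 is what most AV portals and threat-intel lookups expect.
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                            -ErrorAction SilentlyContinue).Hash
                [pscustomobject]@{
                    Profile       = Split-Path -Path $root -Leaf
                    Flagged       = $FlagExtensions -contains $_.Extension.ToLower()
                    LastWriteTime = $_.LastWriteTime   # when the cache wrote the file, not when it was "opened"
                    SizeBytes     = $_.Length
                    Extension     = $_.Extension.ToLower()
                    SHA256        = $hash
                    Path          = $_.FullName
                }
            }
    }
}

# Usage: newest cached files first on the console, full list to CSV for submission.
$inventory = Get-MailAttachmentCacheInventory
$inventory | Sort-Object LastWriteTime -Descending |
    Format-Table Profile, Flagged, LastWriteTime, Extension, SHA256, Path -AutoSize
$inventory | Export-Csv -Path "$env:TEMP\mail-cache-inventory.csv" -NoTypeInformation
```

The LastWriteTime column is the useful one when reconstructing a timeline like the one described above: a flagged file whose write time sits minutes after an unread message arrived, on a machine where nobody opened the mail client, is the signature of the cache doing the download rather than a person.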

Vulnerability Research

So I started down the usual process of researching the vulnerability to find a permanent mitigation. I found nothing at first: no CVE, no reports. I did find some details on the MS community website, like this one from 2020, "Trojan Found and Deleted… but it Returns (Trojan: HTML/Phish.AB!MSR)". It is here I see the same problem, and I see a response from an expert.

“The trojan is an email attachment synced to your PC. Do you have some Hotmail or Microsoft email setup in an email client applications like Outlook?” - Independent Expert, MS Community, 2020

So I searched all around this topic and I could not find anything from Microsoft about this issue right away, but I did find many victims. Anti-virus companies, affected users and experts alike are all drawing attention to this problem. Eventually, thanks to Reddit, I found a similar experience from a commenter who managed to find the reported exploit listed by Microsoft. You can find many more threads on the issue on Reddit with a search.

“Looking into the report we have a "Exploit:O97M/CVE-2017-11882.AZA!MTB" match, which doesn't seem to be that ominous since it requires the file to be executed on a non-updated Office/WordPad, still it ain't something I'd like to find lying around because the app found it was a good thing to download it, without my consent.” - JVMTG, Reddit, 2023

It is a known software error marked as severe on their own security intelligence website, with 24 exploits under the O97M CVE. I'd like to say I have more details from Microsoft but I do not; instead they offer very few default cybersecurity steps, such as "remain up to date and don't click a phish".

This does seem rather severe. The Outlook App locally caches email attachments, including those from emails which have not been opened, to the windowscommunicationsapps folder. It will then auto-sync the data in that folder to all devices using the same credentials in their Outlook App: phones, laptops, desktops, anywhere the Outlook App runs.

The only step missing for a full compromise is that infected files are auto-run… a feature I feel sure Microsoft are working on at this exact moment!

Attacks are becoming more complex. In 2022 they were able to add the dropper, which very slowly downloaded a fairly rubbish Trojan, which was easily removed. Recently there were 74 password-protected files and multiple Trojans appearing as game applications in the same AppData folder. These were located only weeks after a fresh OS install and could not be explained by known activities on the machine, or entirely resolved by AV due to the encryption of the folders they were located in.

Impact

Take a moment to think about how many commercial users of the Outlook application have auto-sync enabled in daily use. All those using Office 365 who sync between devices on their smartphone, personal devices and company equipment, or amongst family members' tablets and laptops. You should be concerned. And then get mad as hell, because it seems Microsoft have created their own quite special service for propagating malware, one that's been ongoing since at least 2020.

I have wasted countless hours re-installing OSes, searching files, reading reports and researching this issue, only to find my salvation in Reddit. Reddit of all places! This looks like something Microsoft rather wanted to sweep under the rug.

If you sync with Outlook App between devices with the same MS account, you are vulnerable to this malware propagation. Microsoft insist users take advantage of auto-synced features across devices and use this as a clear marketing tool especially for commercial settings. It seems my trust in this feature was misplaced.

Mitigation And Loss of Trust

Some will say that this is "just a feature" of sync. I disagree, because like so many Microsoft processes it feels out of control. It does not just synchronise expected user data. It inappropriately populates and copies undocumented files into system folders and, without any knowledge or intervention from the user, replicates them across devices.

The mitigation is to live without synchronisation in Microsoft applications. So far it has worked 100%. Turning off sync across applications does work. This can be done during an OS install by refusing all sync options when prompted. You must also make sure it is off in the account settings for the user. This can be done from the settings panel when logged on to Windows. There are many guides available, like this one from Process.st. Even with sync off, you can still access email and other services using the web applications, which will sync files and emails but will not store these on the local machine.

If, like me, you have lost trust in the applications themselves, removing the Windows apps entirely may be more fitting. This allows the folder

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

to be deleted, and it does not reappear later, like a lurking background threat, just in case you change your mind. My gaming rig has only one MS app remaining, Xbox, and that is the way it will stay until the situation is openly discussed by MS and the vulnerability resolved. No more AppData phishes please.
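For anyone taking the removal route described above, here is an added example of doing it from PowerShell, not a script from the original article or from Microsoft. It locates the Mail and Calendar package by the name that appears in the folder above, removes it for the current user, deletes whatever remains of that package's AppData folder, and then reports whether either is still present so the sync engine has nothing left to replicate. The function name is an assumption; everything runs with -WhatIf first so you can see what would be removed. Hash or copy anything flagged in the cache before deleting it, because the folder is the evidence.

```powershell
# Added example (not from the original article): the "remove the app entirely" mitigation
# for the current user, with a -WhatIf preview. Package and folder names are the ones the
# article quotes; Remove-WindowsMailApp is a name chosen here for illustration.

$PackageName   = 'microsoft.windowscommunicationsapps'
$PackageFamily = 'microsoft.windowscommunicationsapps_8wekyb3d8bbwe'

function Remove-WindowsMailApp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Step 1: remove the Mail/Calendar package registered for this user (if any).
    $packages = @(Get-AppxPackage -Name $PackageName)
    if ($packages.Count -eq 0) {
        Write-Verbose "$PackageName is not installed for $env:USERNAME."
    }
    foreach ($pkg in $packages) {
        if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage')) {
            Remove-AppxPackage -Package $pkg.PackageFullName
        }
    }

    # Step 2: delete the package's per-user data folder, which is where the
    # attachment cache (LocalState\Files\SO) lives. Preserve copies of anything
    # flagged by AV before running this without -WhatIf.
    $cache = Join-Path $env:LOCALAPPDATA "Packages\$PackageFamily"
    if (Test-Path -LiteralPath $cache) {
        if ($PSCmdlet.ShouldProcess($cache, 'Remove cached application data')) {
            Remove-Item -LiteralPath $cache -Recurse -Force
        }
    }

    # Step 3: verify. Both values should be $false once the real run completes.
    [pscustomobject]@{
        User           = $env:USERNAME
        PackagePresent = [bool](Get-AppxPackage -Name $PackageName)
        CachePresent   = Test-Path -LiteralPath $cache
    }
}

# Preview what would happen, then run for real once the cache contents have been preserved.
Remove-WindowsMailApp -WhatIf -Verbose
# Remove-WindowsMailApp
```

This only covers the account it is run under; the same MS account on another machine still has its own copy of the package and its own cache, which is exactly the propagation path the article describes, so repeat it per device, or take the lighter route of switching off sync in the account settings first.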

In summary, no amount of phishing training will protect against a bad design in the operating system. Caching malware-infected attachments to system folders and replicating them is bad design in my opinion. In this case, the operating system has been phished, not the human.
