Tux Machines

Microsoft Windows 11 Caches Exploitable Malware

posted by Roy Schestowitz on May 15, 2024

Reprinted with permission from Cybershow. Author: Helen Plews.

Figure 1: Tom's Hardware: Fishtank PC builds.

Malware infection is often thought of as the result of a human interacting with a digital device: we assume a human used weak authentication, clicked the bad link, or downloaded the malware…

So if we have anti-virus and anti-phishing educational campaigns, we should be well protected, right? What about the technical side of cybersecurity, where the hardware, network equipment, end device or a software vulnerability is the cause?

This article examines a case where an operating system automatically downloads and stores a phishing email attachment, opening the door to compromise. Windows 11 has been caching Outlook attachments locally to provide synchronisation across devices; in many cases it has cached exploitable malware. This is a growing issue brought to light by Windows 11 users and anti-virus providers rather than by Microsoft itself.

Dropper Investigation

I am a life-long gamer and, from experimentation over the years, I know I have the best rig: a customisable gaming PC. It's very nice hardware; it looks stunning with rainbow glowing fans and sounds like a mini jet engine, rendering most graphics on Ultra with a graphics card that is at most two years old. The only issue I have had with it is in the operating system, which of course for a big gamer is Windows 11, due to its age. After just two weeks of operation I was alerted to a dropper located in my Windows AppData folder. It was not dropping any further viruses yet, as it had been caught by my expensive AV, which is why it sounds like a jet engine: the AV uses a lot of CPU!

Was it a false positive? Well, I ran the offline scan myself, as my machine took 8x longer to boot. It behaved as if rebooting after a major update, yet no updates had been carried out, which made me suspect something amiss.

The virus location was not new to me: it is an AppData folder present in Windows 10 and Windows 11 for the Windows Mail app; in particular it handles mail syncing across devices. The full path is:

C:\Users\'Username'\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO\

Now I have had viruses popping up here before; in fact it has been an ongoing problem since I adopted the Windows 11 operating system (OS) in 2022 on the household laptops. Since then, both of my sons' laptops have alerted me to droppers and Trojans in the same AppData folder. I initially assumed my children were not so good with their cybersecurity (being aged 5 and 9, that makes sense). Maybe they had clicked an email notification. Maybe they had downloaded some Trojan in the style of a game from a requested and shoddy gaming store all parents know about, stealthily and all whilst under supervision. That was until my brand new gaming rig got one.

Examining the attack timeline of my gaming rig in detail showed that a phish had been 'clicked' from my Hotmail account, which was logged in on my Outlook app running in the background processes (not in my taskbar) whilst I played some epic title the night before. This 'click' put an infected PDF invoice on my PC, and on boot the next day it activated the dropper, slowing the machine right down, which gave me a clue.

Now let's be clear about how Microsoft works, as I understand it, and why this is a gripe serious enough to warrant its own blog post.

You must sign in online to a Microsoft account to access the PC at all times; it then creates session keys for all applications that come installed as standard with the OS. So, unless you take some drastic measures I will discuss in a moment, you will undoubtedly be running sessions of Windows apps in the background: Outlook, OneDrive, Teams, Xbox, Photos, Office, Store; the list is quite extensive.

Moving on, I look for the phish email I had. Using my AV's "clicked on" log, I located the suspicious subject of the email. It was something akin to:

AMAZON ACCOUNT ###U$IIHknDBWON38383y4y29~~~

Now, you do not need to be a cybersecurity expert to tell that is a phish from the subject, which I located using the now-foreground Outlook app. And as expected, it was unread. It showed me that within a few minutes of receiving the unread email, the attached PDF invoice was added to the Windows Communications AppData folder, which led to the dropper found by the offline scan.

It seemed that the Outlook app was saving unread attachments to the AppData folder where the virus was located. Some of the viruses found over the past two years were on multiple devices that used the same MS credentials, which, unless stated otherwise, auto-sync application data. That is exactly what the

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

folder is for. It contains both the application data for Windows apps like Outlook to run and sync, as well as data obtained in the process. I synced between my children's laptops as my account was the administrator for the network; it kept them safer online. Or so I thought.

Vulnerability Research

So I start down the usual process of researching the vulnerability to find a permanent mitigation. At first I find nothing: no CVE, no reports. I do find some details on the MS community website, like this 2020 thread, "Trojan Found and Deleted… but it Returns (Trojan: HTML/Phish.AB!MSR)". It is here I see the same problem, and a response from an expert.

"The trojan is an email attachment synced to your PC. Do you have some Hotmail or Microsoft email set up in an email client application like Outlook?" - Independent Expert, MS Community, 2020

So I search all around this topic and I cannot find anything from Microsoft about this issue right away, but I do find many victims. Anti-virus companies, affected users and experts alike are all drawing attention to this problem. Eventually, thanks to Reddit, I find a similar experience from a commenter who managed to find the reported exploit listed by Microsoft. You can find many more threads on the issue on Reddit with a search.

"Looking into the report we have an "Exploit:O97M/CVE-2017-11882.AZA!MTB" match, which doesn't seem to be that ominous since it requires the file to be executed on a non-updated Office/WordPad; still, it ain't something I'd like to find lying around because the app found it was a good thing to download it, without my consent." - JVMTG, Reddit, 2023

The detection name refers to CVE-2017-11882, a memory corruption vulnerability in the Office Equation Editor (EQNEDT32.EXE) that Microsoft patched in November 2017; O97M is Defender's prefix for threats carried in Office documents. It is marked as severe on Microsoft's own security intelligence website, with 24 exploits listed under that family. I'd like to say I have more details from Microsoft but I do not; instead they offer very little beyond default cybersecurity steps such as "remain up to date and don't click a phish".
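The folder described in the previous section is a place most users never look, and the detection name quoted above tells you what to look for in it. The script below is an added example, not code from the article or from Microsoft: it inventories recently written files in the cache folder, records their SHA-256 hashes, notes whether each file carries a Zone.Identifier (Mark-of-the-Web) stream, and applies a simple heuristic for Equation Editor objects, the usual carrier for CVE-2017-11882 exploit documents. The folder name "SO" is taken from the article as written, and the file-type list and the Equation Editor indicators are this example's own choices, not anything the page or Defender documents.

```powershell
# Added example, not part of the original article: inventory the Mail/Outlook
# attachment cache described above and flag the files a responder would look at first.
# Assumptions: the "SO" folder name is taken from the article as written; the
# Equation Editor indicators are a heuristic for CVE-2017-11882 carriers, not a verdict.
param(
    [string]$CachePath = (Join-Path $env:LOCALAPPDATA 'Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO'),
    [int]$Days = 14
)

# Microsoft Equation 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in the
# little-endian byte order an OLE compound file stores it in.
$eqClsidBytes = [byte[]](0x02,0xCE,0x02,0x00, 0x00,0x00, 0x00,0x00, 0xC0,0x00, 0x00,0x00,0x00,0x00,0x00,0x46)
$latin1   = [System.Text.Encoding]::GetEncoding(28591)   # one char per byte, so a string search works on binary
$eqClsid  = $latin1.GetString($eqClsidBytes)
$riskyExt = '.exe','.scr','.js','.vbs','.bat','.cmd','.ps1','.lnk','.iso','.img','.zip','.7z','.rar',
            '.doc','.xls','.rtf','.docm','.xlsm','.pdf'

function Test-EquationEditorIndicators {
    param([System.IO.FileInfo]$File)
    if ($File.Length -gt 50MB) { return $false }          # skip anything implausibly large for an attachment
    try { $bytes = [System.IO.File]::ReadAllBytes($File.FullName) } catch { return $false }
    $text = $latin1.GetString($bytes)
    # RTF carriers name the object class in clear text; OLE carriers embed the CLSID bytes.
    return ($text.Contains('Equation.3') -or $text.Contains('EQNEDT32') -or $text.Contains($eqClsid))
}

if (-not (Test-Path -LiteralPath $CachePath)) {
    Write-Warning "Cache folder not present: $CachePath"
    return
}

$since = (Get-Date).AddDays(-$Days)
Get-ChildItem -LiteralPath $CachePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        # Zone.Identifier is the Mark-of-the-Web that Office checks before opening a
        # downloaded document in Protected View. A cached attachment without it was
        # never treated as an internet download by the usual safeguards.
        $motw = [bool](Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Written   = $_.LastWriteTime
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            Name      = $_.Name
            RiskyType = $riskyExt -contains $_.Extension.ToLower()
            HasMotW   = $motw
            EqnEditor = Test-EquationEditorIndicators -File $_
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object Written -Descending |
    Format-Table -AutoSize
```

Run it as the affected user (the path is under that user's LocalAppData) and keep the hash column: it lets you check a suspect file against your AV vendor's or VirusTotal's records without uploading the attachment itself. A file that shows EqnEditor true is worth examining in a sandbox, not on the host; a file with HasMotW false is the point the article is making, because the normal download safeguards never saw it.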

This does seem rather severe. The Outlook app locally caches attachments from emails, including those which have not been opened, to the windowscommunicationsapps folder. It then auto-syncs the data in the folder to all devices using the same credentials in their Outlook app: phones, laptops, desktops, anywhere the Outlook app runs.

The only step missing for a full compromise is that infected files are auto-run… a feature I feel sure Microsoft are working on at this exact moment!

Attacks are becoming more complex. In 2022 they were able to add the dropper, which very slowly downloaded a fairly rubbish Trojan that was easily removed. Recently there were 74 password-protected files and multiple Trojans appearing as game applications in the same AppData folder. These were located only weeks after a fresh OS install, could not be explained by known activities on the machine, and could not be entirely resolved by AV due to the encryption of the folders they were located in.

Impact

Take a moment to think about how many commercial users of the Outlook application have auto-sync enabled in daily use: all those using Office 365 who sync between their smartphone, personal devices and company equipment, or amongst family members' tablets and laptops. You should be concerned. And then get mad as hell, because it seems Microsoft have created their own quite special service for propagating malware, one that has been ongoing since at least 2020.

I have wasted countless hours reinstalling OSs, searching files, reading reports and researching this issue, to find my only salvation on Reddit. Reddit of all places! This looks like something Microsoft would rather have swept under the rug.

If you sync with the Outlook app between devices with the same MS account, you are vulnerable to this malware propagation. Microsoft insist users take advantage of auto-synced features across devices and use this as a clear marketing tool, especially for commercial settings. It seems my trust in this feature was misplaced.

Mitigation And Loss of Trust

Some will say that this is "just a feature" of sync. I disagree, because like so many Microsoft processes it feels out of control. It does not just synchronise expected user data. It inappropriately populates and copies undocumented files into system folders and, without any knowledge or intervention from the user, replicates them across devices.

The mitigation is that you must live without synchronisation in Microsoft applications. So far this has worked 100%: turning off sync across applications does work. This can be done during an OS install by refusing all sync options when prompted. You must also make sure it is off in the account settings for the user, which can be done from the Settings panel when logged on to Windows. There are many guides available, like this one from Process.st. Even with sync off, you can still access email and other services using the web applications, which sync files and emails server-side but do not store them on the local machine unless you download an attachment yourself.

If, like myself, you have lost trust in the applications themselves, removing the Windows apps entirely may be more fitting. This allows the folder

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

to be deleted, so that it does not reappear later like a lurking background threat, just in case you change your mind. My gaming rig has only one MS app remaining, Xbox, and that is the way it will stay until the situation is openly discussed by MS and the vulnerability resolved. No more AppData phishes please.

In summary, no amount of phishing training will prevent a bad design in the operating system. Caching malware-infected attachments to system folders and replicating them is bad design in my opinion. In this case, the operating system has been phished, not the human.
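The two mitigations above, turning sync off and removing the Mail and Calendar app, can be done from the Settings app by hand, but on a machine you administer for others you want them applied the same way every time and verified afterwards. The script below is an added example, not code from the article or from Microsoft. It assumes an elevated PowerShell prompt and uses the documented SettingSync Group Policy registry values together with the standard Appx cmdlets. One caveat the article does not spell out: the settings-sync policy covers the "sync your settings" toggle, while the Mail app fetches attachments as part of syncing the mailbox itself, so the step that actually stops the caching is removing the account from the app or removing the app, which step 2 does.

```powershell
# Added example, not part of the original article or of Microsoft's documentation:
# the two mitigations the article describes, as an auditable script for an
# administrator. Run from an elevated prompt.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$pkgName   = 'microsoft.windowscommunicationsapps'
$cacheRoot = Join-Path $env:LOCALAPPDATA "Packages\${pkgName}_8wekyb3d8bbwe"

# 1. Turn off Windows settings sync machine-wide and stop users re-enabling it.
#    DisableSettingSync = 2 is the policy's "disabled" value; the UserOverride key
#    greys the toggle out under Settings > Accounts.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name DisableSettingSync -Type DWord -Value 2
Set-ItemProperty -Path $policy -Name DisableSettingSyncUserOverride -Type DWord -Value 1

# 2. Remove the Mail and Calendar package for every profile on the machine, then
#    deprovision it so Windows does not reinstall it for the next new user.
Get-AppxPackage -AllUsers -Name $pkgName | ForEach-Object {
    Write-Host "Removing $($_.PackageFullName) for all users"
    Remove-AppxPackage -Package $_.PackageFullName -AllUsers
}
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq $pkgName |
    ForEach-Object {
        Write-Host "Deprovisioning $($_.PackageName)"
        Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
    }

# 3. Verify: the package is gone and this user's LocalState cache folder no longer
#    exists. Removal normally deletes the folder; if it lingers, remove it explicitly.
if (Test-Path -LiteralPath $cacheRoot) {
    Write-Warning "Cache folder still present, removing: $cacheRoot"
    Remove-Item -LiteralPath $cacheRoot -Recurse -Force
}
$left = Get-AppxPackage -AllUsers -Name $pkgName
if ($left) { throw "Package still installed: $($left.PackageFullName -join ', ')" }
Write-Host 'Mail/Calendar app removed; settings sync disabled by policy.'
```

Step 3 only checks the cache folder of the account running the script; other profiles on the machine have their own copy under their LocalAppData, and removing the package with -AllUsers clears those as part of the uninstall. Re-run the inventory from the earlier section after a reboot if you want evidence that nothing has been re-created.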
