Tux Machines

Do you waddle the waddle?

Other Sites

9to5Linux

Debian 13.6 “Trixie” Released with 124 Bug Fixes and 120 Security Updates

Coming less than two months after Debian 13.5, the Debian 13.6 release is here to provide users with updated ISOs for those who want to deploy the latest Debian 13 “Trixie” operating system series on new hardware without downloading lots of updates after the installation or those who had issues with the previous ISO releases.

KDE Frameworks 6.28 Released with Support for New KRunner Conversion Units

The monthly KDE Frameworks releases continue, and KDE Frameworks 6.28 adds support for converting between watt-hours, kilowatt-hours, and other similar energy units in KRunner-powered search fields, and improves the alignment of thumbnail previews in open/save dialogs across KDE apps.

Ubuntu 25.10 Reached End of Life, It’s Time to Upgrade to Ubuntu 26.04 LTS

Ubuntu 25.10 was released on October 9th, 2025, and, since it’s not an Ubuntu LTS (Long Term Support) release, it only received support for nine months, until July 2026. Ubuntu 25.10 was powered by the Linux 6.17 kernel series and featured the GNOME 49 desktop environment series with a Wayland-only session.

PipeWire 1.6.8 Improves JACK/MIDI Support for Ardour, SOFA Filter, and More

Coming three weeks after PipeWire 1.6.7, the PipeWire 1.6.8 release fixes a data race in JACK’s jack_port_get_buffer() function that could cause lost MIDI events in the Ardour DAW (Digital Audio Workstation) when called from concurrent threads, and adds normalize and latency options to the SOFA filter.

Wireshark 4.6.7 Released with Updated Protocol Support, Bug and Security Fixes

Coming a month and a half after Wireshark 4.6.6, the Wireshark 4.6.7 release updates support for the ALC, BACapp, C2P, Catapult DCT2000, COTP, CSN.1, DCERPC, DCERPC MAPI, DCERPC NSPI, DNS, DVB-S2-TABLE, eDonkey, EPL, FC ELS, FMP/NOTIFY, H.265, HiPerConTracer, IEEE 802.11, LLS, MEGACO, MIH, MPEG DSM-CC, MS-WSP, RELOAD, SGP.32, SSH, STANAG 4607, UMTS FP, WOWW, and Z39.50 protocols.

GStreamer 1.28.5 Multimedia Framework Adds Support for H.266/VVC Decoding

Coming about a month after GStreamer 1.28.4, the GStreamer 1.28.5 release is here to add support for H.266/VVC decoding to the gopbuffer element, fix subtitle green flickering with VA decoders on AMD GPUs, improve HEVC with alpha decoding in the H.265 decoder, and add ts-clocksync to the threadshare element.

Internet Society

Safety Over Bans: Internet Society Challenges App Store Age Verification

Imagine having to provide a government ID before downloading an app to clock in at work, submit homework, check the weather, or access your bank account. Under a new Texas law, that could become a reality for millions of people.

news

Microsoft Windows 11 Caches Exploitable Malware

posted by Roy Schestowitz on May 15, 2024

Fishtank PC builds

Reprinted with permission from Cybershow. Author: Helen Plews.

Figure 1: Tom's Hardware: Fishtank PC builds.

Malware is often thought of as a human interaction with a digital device that causes an infection such as a virus or worm. We assume a human used bad authentication, or the human clicked the bad link, the human downloaded the malware…

So if we have anti-virus and anti-phish educational campaigns we should be well protected right? What about the technical side of cybersecurity, where the hardware, network equipment, end device or software vulnerability is the cause?

This article will examine a case where an operating system is able to automatically open and store a phishing email attachment, leading to potential compromise. In this case Windows 11 has been caching attachments locally to provide synchronisation across devices with the Outlook Application. In many cases, it has cached exploitable malware. This is a growing issue brought to light by Windows 11 users and anti-virus providers, instead of the makers at Microsoft.

Dropper Investigation

I am a life-long gamer and from experimentation over the years, I know I have the best rig, a customisable gaming PC. It’s very nice hardware it looks stunning with rainbow glowing fans and it sounds like a mini jet engine, rendering most graphics on Ultra with a graphics card which is at most 2 years old. The only issue I have had with it is in the operating system, which of course for a big gamer is Windows 11 due to its age. After just two weeks of operation I was alerted to a dropper located in my Windows Appdata folder, it was not dropping any further viruses yet as it had been caught by my expensive AV - which is why it sounds like a jet engine due to the large use of CPU!!

Was it a false positive? Well I ran the offline scan myself as my machine took 8x longer to boot. It behaved as if rebooting after a major update. There were no updates carried out, which made me suspect something amiss.

The virus location was not new to me, it is an appdata folder present in Windows 10 and Windows 11 for Windows mail in particular it processes mail syncing across devices; the full path is:

C:\Users\’Username’\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO\

Now I have had viruses popping up here before, in fact it has been an ongoing problem since I adopted the Windows 11 operating system (OS) in 2022 on the household laptops. Since then, both of my son’s laptops have alerted me to droppers and Trojans in the same Appdata folder. I initially assumed my children were not so good with their cybersecurity (being aged 5 and 9 that makes sense). Maybe they had clicked an email notification. Maybe they had downloaded some Trojan in the style of a game from a requested and shoddy gaming store all parents know about, stealthy and all whilst under supervision. That was until my brand new gaming rig got one.

Examining the attack timeline of my gaming rig in detail showed that a phish had been ‘clicked’ from my Hotmail account which was logged in on my Outlook App, running in the background processes (not running in my taskbar) whilst I played some epic title the night before. This ‘click’ put an infected PDF invoice on my PC, and on boot the next day activated the dropper, slowing the machine right down - which gave me a clue.

Now let's be clear about how Microsoft works, as I understand it, and why this is a gripe serious enough to warrant its own blog post.

You must sign in online to a Microsoft account to access the PC at all times, then it creates session keys for all applications that come installed as standard with the OS. So, unless you take some drastic measures I will discuss in a moment, you will undoubtedly be running sessions of Windows apps in the background; Outlook, OneDrive, Teams, Xbox, Photos, Office, Store, the list is quite extensive.

Moving on, I look for the phish email I had. According to my AV "clicked on" log, I located the suspicious subject of the email. It was something akin to;

AMAZON ACCOUNT ###U$IIHknDBWON38383y4y29~~~

Now, you do not need to be a cybersecurity expert to tell that is a phish from the subject which was located using the now foreground Outlook app. And as expected, it was unread. It showed me that within a few minutes of receiving the unread email, the attached PDF invoice was added to the Windows Communication Appdata folder, which led to the dropper found by the offline scan.

It seemed that Outlook App was saving unread attachments to the appdata folder where the virus was located. Some of the located viruses over the past two years were found on multiple devices that used the same MS credentials which unless stated otherwise, auto sync application data. That is exactly what the

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

folder is for. It contains both the application data for Windows apps like Outlook to run and sync as well as data obtained in the process. I synced between my children's laptops as my account was the administrator for the network, it kept them safer online. Or so I thought.

Vulnerability Research

So I start down the usual process of researching the vulnerability to find a permanent mitigation. I find nothing at first, no CVE, no reports. I do find some details on the MS community website like this one from "2020 Trojan Found and Deleted"… but it Returns (Trojan: HTML/Phish.AB!MSR) . It is here I see the same problem and I see a response from an expert.

“The trojan is an email attachment synced to your PC. Do you have some Hotmail or Microsoft email setup in an email client applications like Outlook?” - Independent Expert, MS Community, 2020

So I search all around this topic and I cannot find anything from Microsoft about this issue right away, but I do find many victims. Anti-Virus companies, affected users and experts alike are all drawing attention to this problem. Eventually, thanks to Reddit I find a similar experience from a commentor who managed to find the reported exploit listed by Microsoft. You can find many more threads on the issue on Reddit with a search.

“Looking into the report we have a "Exploit:O97M/CVE-2017-11882.AZA!MTB" match, which doesn't seem to be that ominous since it requires the file to be executed on a non-updated Office/WordPad, still it ain't something I'd like to find lying around because the app found it was a good thing to download it, without my consent.” - JVMTG, Reddit, 2023

It is a known software error marked as severe on their own security intelligence website, with 24 exploits under the O97M CVE. I’d like to say I have more details from Microsoft but I do not, instead they offer very little default cybersecurity steps, such as "remain up to date and don’t click a phish".

This does seem rather severe. It locally caches attachments from emails including those which have not been opened to the windowscommunicationsapps folder from the Outlook App. It will then auto sync the data in the folder to all devices using the same credentials in their Outlook App on their phones, laptops, desktops, anywhere the Outlook App runs.

The only step missing for a full compromise is that infected files are auto-run… a feature I feel sure Microsoft are working on at this exact moment!

Attacks are becoming more complex, in 2022 they were able to add the dropper, which very slowly downloaded a fairly rubbish Trojan, which was easily removed. Recently there were 74 password protected files and multiple Trojans appearing as game applications in the same appdata folder. These were located only weeks after a fresh OS install and could not be explained by known activities on the machine or entirely resolved by AV due to the encryption of the folders they were located in.

Impact

Take a moment to think about how many commercial users of the Outlook application have auto-sync enabled in daily use. All those using Office 365 who sync between devices on their smartphone, personal devices and company equipment, or amongst family member's tablets and laptops. You should be concerned. And then get mad as hell, because it seems Microsoft have created their own quite special service for propagating malware, one that's been ongoing since at least 2020.

I have wasted countless hours re-installing OS’s, searching files, reading reports and researching this issue to find my only salvation in Reddit. Reddit of all places! This looks like something Microsoft rather wanted to sweep under the rug.

If you sync with Outlook App between devices with the same MS account, you are vulnerable to this malware propagation. Microsoft insist users take advantage of auto-synced features across devices and use this as a clear marketing tool especially for commercial settings. It seems my trust in this feature was misplaced.

Mitigation And Loss of Trust

Some will say that this is "just a feature" of sync. I disagree because like so many Microsoft processes it feels out of control. It does not just synchonise expected user data. It inappropriately populates and copies undocumented files into system folders and, without any knowledge or intervention from the user, replicates them across devices.

The mitigation is you must live without synchronisation in Microsoft applications. So far it has worked 100%. Turning off sync across applications does work. This can be done during an OS install by refusing all sync options when prompted. You must also make sure it is off in the account settings for the user. This can be done from the settings panel when logged on to Windows. There are many guides available like this one from Process.st. Even with sync off, you can still access email and other services using the web applications, which will sync files and emails but will not store these to the local machine.

If like myself, you have lost trust in the applications themselves, removing windows apps entirely may be more fitting, this allows the folder

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

to be deleted and does not appear, like a lurking background threat at a later date just in case you change your mind. My gaming rig has only one MS app remaining, Xbox and that is the way it will stay until the situation is openly discussed by MS and the vulnerability resolved. No more Appdata Phishes please.

In summary, no amount of phishing training will prevent a bad design in the operating system. Caching malware infected attachments to system folders and replicating them is bad design in my opinion. In this case, the operating system has been phished, not the human.

Other Recent Tux Machines' Posts

Miami's Heat [original]
Today it was 30C or higher in Manchester
Open Hardware, Linux Devices, and LineageOS
hardware centric picks
In an Angry Fit, Dev ‘Sabotages’ OpenMandriva Repository
A dust-up in OpenMandriva’s dev ranks escalates from abusive chats to vanished repositories and a ‘saboteur’ package that threatens Gnome and Cosmic users
Linux Mint’s Cinnamon 6.8 Desktop Environment Will Fully Support Wayland
Cinnamon 6.8 will fully support Wayland in the next major Linux Mint release, along with various other improvements and new features.
KDE Frameworks 6.28 Released with Support for New KRunner Conversion Units
KDE Frameworks 6.28 open-source software suite is out now with support for using the Meta key to trigger KWin’s Overview screen, Kicker/Kickoff improvements, and new KRunner features.
 
Xsnow "protestware" in Debian
The xsnow application, which generates an animated snowfall effect (and other pleasant diversions) for X11 desktops, does not seem like an obvious channel for political statements
Keep on Looking, There Are Better Choices Out There [original]
Staying in London is expensive
Software Freedom, a Japanese Perspective - Part V: How GNU/Linux Leaped Above 5% in Japan [original]
The message matters a great deal
A Network Incident [original]
We are gradually returning to a normal publication pace
GNU/Linux at Over 10% in the United States of America [original]
What can explain a sharp increase?
GNU/Linux and Free Software Leftovers
misc. links from last week
Mozilla Thunderbird and Firefox Leftovers
Mozilla picks
Programming Leftovers
Development related picks
Open Hardware/Modding: Old Devices and Linux Gadgets
hardware leftovers
today's howtos
Instructionals/Technical picks
Hot Match in Northern Europe [original]
he site has taken no meaningful break for a very long time
Debian 13.6 “Trixie” Released with 124 Bug Fixes and 120 Security Updates
Debian 13.6 is now available for download as a new point release to Debian 13 “Trixie” with 124 bug fixes and 120 security updates.
Do I prefer Linux now?
I needed to do something using macOS yesterday and the whole time I just wanted to get back to my Linux desktop
Today in Techrights
Some of the latest articles
GNU/Linux Leftovers
GNU/Linux picks
Audiocasts/Shows: FLOSS Weekly, Hackaday Podcast, BSD Now, and More
4 episodes
BSD Leftovers, Mostly OpenBSD
Some BSD picks
Free, Libre, and Open Source Software Leftovers
FOSS and more
Programming Leftovers
Development related news
Games: Chess, Tempest Rising, and Lots More
recently in GamingOnLinux
today's howtos
many howtos for the week
Red Hat Leftovers
Red Hat's official site mostly
Android Leftovers
I miss Windows Phone, but this incredible Android launcher resurrected my dream setup
I moved my PC to an immutable distro, and the thing I was most afraid of turned out to be the best part
When I was getting to grips with Linux after using Windows for decades
Free and Open Source Software
This is free and open source software
This Week in Plasma: Audio Recording in Spectacle
This week was busy! We’ve got some great new features to share, improved theming compatibility, UI improvements, bug fixes… and lots more
Interview with Nara Oliveira, Free Software Artist
GIMP is Free and Libre Open Source Software, but none of it is possible without the people who create with and contribute to it
Android Leftovers
Android secretly saves every notification you swipe away, and turning it on saved me twice
Linux Mint vs Ubuntu: This is the better option for Linux newcomers in 2026
Linux newcomers in 2026 have a much easier time than people did 10 or 15 years ago
Today in Techrights
Some of the latest articles
Today in Techrights
Some of the latest articles
No Place Like Home [original]
We'll travel again on Monday but should be back the same day
Free and Open Source Software
This is free and open source software
Ubuntu 25.10 Reached End of Life, It’s Time to Upgrade to Ubuntu 26.04 LTS
Ubuntu 25.10 “Questing Quokka” has reached end of life on July 9th, 2026, and users are now recommended to upgrade to Ubuntu 26.04 LTS “Resolute Raccoon”.
Android Leftovers
Google Photos is finally getting its bottom bar redesign on Android
Good news for Linux Mint fans: Full Wayland support is coming to Cinnamon
Linux Mint's next Cinnamon release will fully support Wayland
PipeWire 1.6.8 Improves JACK/MIDI Support for Ardour, SOFA Filter, and More
PipeWire 1.6.8 audio/video server for Linux is now available for download with improved JACK support for Ardour, filter-graph improvements, memory leak fixes, and more.
This Linux distro treats your PC like source code—and it almost works
Operating systems, Linux or otherwise
TUXEDO Computers Plans to Rebase TUXEDO OS on Debian Testing
TUXEDO Computers is moving away from Ubuntu and plans to rebase their TUXEDO OS distribution on Debian GNU/Linux, but still using the KDE Plasma desktop environment.
I gave Ubuntu another chance, and now I'm tempted to leave Zorin OS behind
Early this year, I installed Zorin OS on a couple of older PCs that originally ran Windows 10, and it turned out to be exactly what I needed
Linux Mint 23 Getting New Cinnamon Screenshots Tool, Network Improvements
Linux Mint 23 is getting a new Cinnamon Screenshots tool, network improvements, Nemo enhancements, theme improvements, and more.
Free and Open Source Software
This is free and open source software
Umbra Linux – lightweight distribution
Umbra Linux is a lightweight Linux distribution built from Linux From Scratch (LFS)
A brand-new release of Hannah Montana Linux features a KDE Plasma 6 base and a lot of pink
The Linux community is full of distro creativity. Some distros are created to solve a specific problem, while others are made for fun
An exciting future with the Librem 16
With the recent launch of the Librem 16, I’m excited
Another German State Swaps Microsoft for ‘Born in the EU’ Open Source
The EU is slowly but surely going open source
In Linux, things are often upside down
For me, the last couple of months in the open-source software world have been rather wild
Collabora Office 26.04 Takes On Open Source’s Office Disrupter Wannabes
We get down and dirty with Collabora Office 26.04, the new desktop twin to Collabora Online
I've used Linux for 30 years - here's how I'd rank DistroWatch's top 10
DistroWatch says these are the top Linux distros. I say this order is better
Wireshark 4.6.7 Released with Updated Protocol Support, Bug and Security Fixes
Wireshark 4.6.7 open-source network protocol analyzer is now available for download with updated protocol and capture file support, as well as various bug and security fixes.
GStreamer 1.28.5 Multimedia Framework Adds Support for H.266/VVC Decoding
GStreamer 1.28.5 open-source multimedia framework is now available for download with support for H.266/VVC decoding, HEVC with alpha decoding improvements, and more.