Tux Machines

Do you waddle the waddle?

Other Sites

LinuxGizmos.com

GL.iNet Comet X Quad-Port Remote KVM with PoE and 4K HDMI

GL.iNet’s Comet X is a quad-port remote KVM designed for centralized management of up to four servers or PCs. The device features browser- or app-based remote access, Power over Ethernet, 4K HDMI passthrough, local console access, and onboard storage for system images or recovery files.

Axiomtek MANO330 SBC features Intel N97/N150, HDMI, VGA, and LVDS

Axiomtek’s MANO330 is a coming-soon Thin Mini-ITX single-board computer designed around Intel Processor N97 and N150 options, with DDR5 memory, multiple display interfaces, dual LAN, and M.2 expansion for compact embedded systems.

Solid Sands webinar to cover C++ multithreading qualification with SuperGuard

Solid Sands, an Amsterdam-based provider of compiler and library testing technology, will host a July 8 webinar titled “SuperGuard: Comprehensive Testing for C++ Multi-Threading Primitives,” focused on C++ multithreading qualification for safety-critical software.

Internet Society

The Organizations on the Front Lines of a Safer Internet Need Our Help

When telling the story of the Internet, people often place emphasis on notable entrepreneurs and tech companies and the economic value they create. But that’s just part of the story. An often-forgotten part is how much the Internet owes its design and success to the work of nonprofits, researchers, standards bodies, civil society groups, and public-interest institutions that believed the network should work for everyone.

9to5Linux

Proton 11 Officially Released with Support for More Games Running on Linux

Based on Wine 11, Proton 11 release promises support for more Windows games that you can now play on your Linux box, including Universe Generator: The Golden Sword, DCS World Steam Edition, Resident Evil (1996), Resident Evil 2 (1998), Dino Crisis, From Dust, Blaite, and Dino Crisis 2.

KDE Plasma 6.6.6 Released with Numerous Bug Fixes and Various Improvements

Coming two months after KDE Plasma 6.6.5, the KDE Plasma 6.6.6 release is a bugfix one that addresses numerous issues, including a clipboard-related issue that could make XWayland-using apps lag or freeze after locking the screen.

TUXEDO Computers Plans to Rebase TUXEDO OS on Debian Testing

Linux hardware vendor TUXEDO Computers announced today that they plan to rebase their TUXEDO OS distribution on Debian GNU/Linux, moving away from Ubuntu, but still shipping a custom KDE Plasma desktop environment.

9to5Linux Weekly Roundup: July 5th, 2026

I want to thank everyone who sent us donations; your generosity is greatly appreciated. I also want to thank all of you for your continued support by commenting, liking, sharing, and boosting the articles, following us on social media, and, last but not least, sending us feedback.

BleachBit 6.0.2 Adds Support for Cleaning AI Models from Google Chrome

Coming a little over two months after BleachBit 6.0, the BleachBit 6.0.2 release is here to introduce a DNS cache cleaner, a cleaner for Claude Code, support for cleaning AI models from Google Chrome, and support for cleaning multiple browser profiles on Google Chrome and Edge.

news

Microsoft Windows 11 Caches Exploitable Malware

posted by Roy Schestowitz on May 15, 2024

Fishtank PC builds

Reprinted with permission from Cybershow. Author: Helen Plews.

Figure 1: Tom's Hardware: Fishtank PC builds.

Malware is often thought of as a human interaction with a digital device that causes an infection such as a virus or worm. We assume a human used bad authentication, or the human clicked the bad link, the human downloaded the malware…

So if we have anti-virus and anti-phish educational campaigns we should be well protected right? What about the technical side of cybersecurity, where the hardware, network equipment, end device or software vulnerability is the cause?

This article will examine a case where an operating system is able to automatically open and store a phishing email attachment, leading to potential compromise. In this case Windows 11 has been caching attachments locally to provide synchronisation across devices with the Outlook Application. In many cases, it has cached exploitable malware. This is a growing issue brought to light by Windows 11 users and anti-virus providers, instead of the makers at Microsoft.

Dropper Investigation

I am a life-long gamer and from experimentation over the years, I know I have the best rig, a customisable gaming PC. It’s very nice hardware it looks stunning with rainbow glowing fans and it sounds like a mini jet engine, rendering most graphics on Ultra with a graphics card which is at most 2 years old. The only issue I have had with it is in the operating system, which of course for a big gamer is Windows 11 due to its age. After just two weeks of operation I was alerted to a dropper located in my Windows Appdata folder, it was not dropping any further viruses yet as it had been caught by my expensive AV - which is why it sounds like a jet engine due to the large use of CPU!!

Was it a false positive? Well I ran the offline scan myself as my machine took 8x longer to boot. It behaved as if rebooting after a major update. There were no updates carried out, which made me suspect something amiss.

The virus location was not new to me, it is an appdata folder present in Windows 10 and Windows 11 for Windows mail in particular it processes mail syncing across devices; the full path is:

C:\Users\’Username’\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO\

Now I have had viruses popping up here before, in fact it has been an ongoing problem since I adopted the Windows 11 operating system (OS) in 2022 on the household laptops. Since then, both of my son’s laptops have alerted me to droppers and Trojans in the same Appdata folder. I initially assumed my children were not so good with their cybersecurity (being aged 5 and 9 that makes sense). Maybe they had clicked an email notification. Maybe they had downloaded some Trojan in the style of a game from a requested and shoddy gaming store all parents know about, stealthy and all whilst under supervision. That was until my brand new gaming rig got one.

Examining the attack timeline of my gaming rig in detail showed that a phish had been ‘clicked’ from my Hotmail account which was logged in on my Outlook App, running in the background processes (not running in my taskbar) whilst I played some epic title the night before. This ‘click’ put an infected PDF invoice on my PC, and on boot the next day activated the dropper, slowing the machine right down - which gave me a clue.

Now let's be clear about how Microsoft works, as I understand it, and why this is a gripe serious enough to warrant its own blog post.

You must sign in online to a Microsoft account to access the PC at all times, then it creates session keys for all applications that come installed as standard with the OS. So, unless you take some drastic measures I will discuss in a moment, you will undoubtedly be running sessions of Windows apps in the background; Outlook, OneDrive, Teams, Xbox, Photos, Office, Store, the list is quite extensive.

Moving on, I look for the phish email I had. According to my AV "clicked on" log, I located the suspicious subject of the email. It was something akin to;

AMAZON ACCOUNT ###U$IIHknDBWON38383y4y29~~~

Now, you do not need to be a cybersecurity expert to tell that is a phish from the subject which was located using the now foreground Outlook app. And as expected, it was unread. It showed me that within a few minutes of receiving the unread email, the attached PDF invoice was added to the Windows Communication Appdata folder, which led to the dropper found by the offline scan.

It seemed that Outlook App was saving unread attachments to the appdata folder where the virus was located. Some of the located viruses over the past two years were found on multiple devices that used the same MS credentials which unless stated otherwise, auto sync application data. That is exactly what the

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

folder is for. It contains both the application data for Windows apps like Outlook to run and sync as well as data obtained in the process. I synced between my children's laptops as my account was the administrator for the network, it kept them safer online. Or so I thought.

Vulnerability Research

So I start down the usual process of researching the vulnerability to find a permanent mitigation. I find nothing at first, no CVE, no reports. I do find some details on the MS community website like this one from "2020 Trojan Found and Deleted"… but it Returns (Trojan: HTML/Phish.AB!MSR) . It is here I see the same problem and I see a response from an expert.

“The trojan is an email attachment synced to your PC. Do you have some Hotmail or Microsoft email setup in an email client applications like Outlook?” - Independent Expert, MS Community, 2020

So I search all around this topic and I cannot find anything from Microsoft about this issue right away, but I do find many victims. Anti-Virus companies, affected users and experts alike are all drawing attention to this problem. Eventually, thanks to Reddit I find a similar experience from a commentor who managed to find the reported exploit listed by Microsoft. You can find many more threads on the issue on Reddit with a search.

“Looking into the report we have a "Exploit:O97M/CVE-2017-11882.AZA!MTB" match, which doesn't seem to be that ominous since it requires the file to be executed on a non-updated Office/WordPad, still it ain't something I'd like to find lying around because the app found it was a good thing to download it, without my consent.” - JVMTG, Reddit, 2023

It is a known software error marked as severe on their own security intelligence website, with 24 exploits under the O97M CVE. I’d like to say I have more details from Microsoft but I do not, instead they offer very little default cybersecurity steps, such as "remain up to date and don’t click a phish".

This does seem rather severe. It locally caches attachments from emails including those which have not been opened to the windowscommunicationsapps folder from the Outlook App. It will then auto sync the data in the folder to all devices using the same credentials in their Outlook App on their phones, laptops, desktops, anywhere the Outlook App runs.

The only step missing for a full compromise is that infected files are auto-run… a feature I feel sure Microsoft are working on at this exact moment!

Attacks are becoming more complex, in 2022 they were able to add the dropper, which very slowly downloaded a fairly rubbish Trojan, which was easily removed. Recently there were 74 password protected files and multiple Trojans appearing as game applications in the same appdata folder. These were located only weeks after a fresh OS install and could not be explained by known activities on the machine or entirely resolved by AV due to the encryption of the folders they were located in.

Impact

Take a moment to think about how many commercial users of the Outlook application have auto-sync enabled in daily use. All those using Office 365 who sync between devices on their smartphone, personal devices and company equipment, or amongst family member's tablets and laptops. You should be concerned. And then get mad as hell, because it seems Microsoft have created their own quite special service for propagating malware, one that's been ongoing since at least 2020.

I have wasted countless hours re-installing OS’s, searching files, reading reports and researching this issue to find my only salvation in Reddit. Reddit of all places! This looks like something Microsoft rather wanted to sweep under the rug.

If you sync with Outlook App between devices with the same MS account, you are vulnerable to this malware propagation. Microsoft insist users take advantage of auto-synced features across devices and use this as a clear marketing tool especially for commercial settings. It seems my trust in this feature was misplaced.

Mitigation And Loss of Trust

Some will say that this is "just a feature" of sync. I disagree because like so many Microsoft processes it feels out of control. It does not just synchonise expected user data. It inappropriately populates and copies undocumented files into system folders and, without any knowledge or intervention from the user, replicates them across devices.

The mitigation is you must live without synchronisation in Microsoft applications. So far it has worked 100%. Turning off sync across applications does work. This can be done during an OS install by refusing all sync options when prompted. You must also make sure it is off in the account settings for the user. This can be done from the settings panel when logged on to Windows. There are many guides available like this one from Process.st. Even with sync off, you can still access email and other services using the web applications, which will sync files and emails but will not store these to the local machine.

If like myself, you have lost trust in the applications themselves, removing windows apps entirely may be more fitting, this allows the folder

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

to be deleted and does not appear, like a lurking background threat at a later date just in case you change your mind. My gaming rig has only one MS app remaining, Xbox and that is the way it will stay until the situation is openly discussed by MS and the vulnerability resolved. No more Appdata Phishes please.

In summary, no amount of phishing training will prevent a bad design in the operating system. Caching malware infected attachments to system folders and replicating them is bad design in my opinion. In this case, the operating system has been phished, not the human.

Other Recent Tux Machines' Posts

Software Freedom, a Japanese Perspective - Part IV: GNU/Linux at 3.2% [original]
It was barely 1% not so long ago
KDE Plasma 6.6.6 Released with Numerous Bug Fixes and Various Improvements
KDE Plasma 6.6.6 is now available as the sixth and last maintenance update in the KDE Plasma 6.6 desktop environment series with a couple of improvements and numerous bug fixes.
Linux 7.2-rc2
It's Sunday afternoon, and rc2 is out. Things look very normal - it's not a small rc2, but it's in line with recent releases, and slightly smaller than rc2 was in 7.1.
A brand-new release of Hannah Montana Linux features a KDE Plasma 6 base and a lot of pink
The Linux community is full of distro creativity. Some distros are created to solve a specific problem, while others are made for fun
System76 Launches New Lemur Pro Linux Laptop with 18-Hour Battery Life
System76 launches new Lemur Pro ultraportable Linux laptop with all-day battery life, Intel Core Ultra processors, and a 16-inch variant.
 
Linux Mint’s Cinnamon 6.8 Desktop Environment Will Fully Support Wayland
Cinnamon 6.8 will fully support Wayland in the next major Linux Mint release, along with various other improvements and new features.
Today in Techrights
Some of the latest articles
Switzerland: GNU/Linux All-Time Record [original]
Maybe Switzerland can beat Argentina next
Free and Open Source Software
This is free and open source software
postmarketOS in 2026-06: Plasma 6.7
This June Plasma 6.7 was released and found its way into Alpine Linux and postmarketOS thanks to Bart who maintains KDE in both distros
Proton 11 Officially Released with Support for More Games Running on Linux
Proton 11 is now available with support for Breath of Fire IV, Unknown Faces, Gothic 1 Classic, X-Plane 12, and many other Windows games that are now playable on Linux.
GNU/Linux Distributions and Operating Systems: ArchBang, Galactic Mandate Linux, and More
some new releases included
Videos/Audiocasts/Shows: Recent GNU/Linux Material in Invidious
or via Invidious
No Pain, No Glory [original]
When we return home we'll be stronger and more active
Recent Coverage About GNU/Linux and BSD in Valnet
half a dozen more articles
Raves About Docker Containers and Portainer
a pair of articles
Proxmox and Home Assistant OS 18.0 Coverage
From Valnet only
Raspberry Pi Projects: Storage and Other Uses
a couple of recent articles
Valnet Articles on GNU/Linux Games/Gaming
Games picks
GNU/Linux Leftovers
GNU/Linux picks
Free, Libre, and Open Source Software Leftovers
FOSS leftovers
Barry Kauler on EasyOS: Unmount-all-mounted-partitions bug and yff audio video utility version 3.1
a couple of updates this week
Games: Steam Deck, Steam Machine, and Godot 4.8 Dev 1
gaming picks
Security Leftovers
Security related picks
Hardware Projects: ESP32 and More
several new Linux-ish news picks
Kernel Space or Linux News
Kernel leftovers
today's howtos
Instructionals/Technical picks
IBM Unix Lawsuit Back, IBM Red Hat Promotes LLM Slop and Other Slop
IBM Red Hat leftovers
Android Leftovers
Your Android work profile is finally coming to Wear OS smartwatches
Audiocasts/Shows: Dirk and Linus, LINUX Unplugged, Late Night Linux, and More
episodes and more
4 ways to run a full Linux desktop on your Android phone
Android is based on Linux
Free and Open Source Software, and Benchmark
In this series, I put the BOSGAME mini PC through its paces from a Linux perspective
GlouOS – Arch-based Linux distribution
GlouOS is an Arch-based Linux distribution designed for gaming
TUXEDO Computers Plans to Rebase TUXEDO OS on Debian Testing
TUXEDO Computers is moving away from Ubuntu and plans to rebase their TUXEDO OS distribution on Debian GNU/Linux, but still using the KDE Plasma desktop environment.
OpenSSH 10.4 Released
OpenSSH 10.4 is out
GNU/Linux Leftovers
3 leftover stories
Free, Libre, and Open Source Software Leftovers
FOSS and more
Programming Leftovers
Development with Python, Raku, and more
Hardware: Linux Devices, Purism, and More
a handful of picks
Software Freedom, a Japanese Perspective - Part III: Proprietary Software Suboptimal [original]
Free software does not have such artificial limitations
New PostgreSQL Related Releases and Talks
4 new PostgreSQL picks
7 tricks to make learning the Linux command line easier
The Linux command line can seem impenetrable, with arcane instructions and a focus on text interfaces
Free and Open Source Software
This is free and open source software
5 tiny Linux tools I can't live or work without
Linux has a wealth of applications
Games: Mario Kart World, Microsoft Mass Layoffs, OpenRCT, DXVK, and More
mostly from GamingOnLinux
Today in Techrights
Some of the latest articles
Software Freedom, a Japanese Perspective - Part II: Managers Who Don't Understand Code and Never Coded [original]
Decision-making figures need to understand what they decide on
Android Leftovers
My expensive earbuds sounded average until I changed one Android audio setting
Want to convince a Windows user to try Linux? Here's how I do it
I've used Linux for 30 years. This is how I show Windows users what they're missing
I tested the top 5 Linux distros on DistroWatch—here’s how I rank them
There are a ton of Linux distributions out there
In three days, Ubuntu 25.10 will reach end of life, upgrade now
Ubuntu 25.10 "Questing Quokka" will reach end of life on July 9, meaning it will no longer get security updates
Free and Open Source Software, howtos and Installations
This is free and open source software
Kdenlive 26.04.3 released
The last maintenance release of the 26.04 series is out
Another German State Swaps Microsoft for ‘Born in the EU’ Open Source
The EU is slowly but surely going open source
I tested the new Claude Desktop on Linux - here's how it compares to rival apps
Claude Code finally has an official Linux desktop app
Microsoft Layoffs Have Begun, News Coverage Misleading [original]
The "official" numbers are Microsoft spin
In Finland, GNU/Linux and Android Surpass Windows [original]
Windows at all-time low last month
listnr is an ActivityPub bridge for static blogs
in 2012, hosting a comments section had already started being less rewarding than it used to be
FSF / Software Freedom News and GNU / Digital Sovereignty
4 stories for now
GNU/Linux Leftovers
5 misc. stories
KDE and Debian Leftovers
4 overlapping stories
Proprietary Vendors Make Open Standards Look Broken and BitTorrent's History
Standards news
Programming Leftovers
Development, half a dozen picks
PostgreSQL-Related Releases and News
Database picks
Ubuntu 25.10 EoL, Embrace of Slop by Canonical
Canonical/Ubuntu leftovers
Games: DXVK, Ridiculous Space Battles, Rolisteam, and More
gaming leftovers
Hardware: Slop, ESP32, and More
Open Hardware/Modding for the most part
Videos/Audiocasts/Shows: This Week in Linux, Emacs, and EasyOS Package Managers
3 new videos/episodes
today's howtos
Instructionals/Technical picks
Nature and Health, or How Not to Let Technology Ruin Your Life [original]
Looking for balance
Software Freedom Day Plans Underway, New Zealand Has a "Digital Freedom Foundation" [original]
The "SFD" is now 2 months away
Android Leftovers
I never use Gmail on Android without changing these 6 settings
Using Flatpak To Run A 1996 Version Of The GIMP On Modern Linux
Although there’s probably no good reason to want to run image editing software from 1996 other than for nostalgia’s sake
BleachBit 6.0.2 Adds Support for Cleaning AI Models from Google Chrome
BleachBit 6.0.2 open-source and free disk space cleaner, privacy manager, and computer system optimizer software is now available for download with new features and improvements.
Free and Open Source Software
This is free and open source software
In Norway, Google (Android/Linux) and Apple (iOS and OS X) Caught Up With Windows [original]
To Norway, Microsoft is no longer so dominant
Impact as a Function of Negative Energy Devoted to Attacks [original]
This month Rianne got several very good professional news and next month
Review: FreeBSD 15.1 with an install-time desktop
Back in December I reviewed FreeBSD 15.0
Europeans Beating South Americans [original]
If England beats Norway, then it seems likely it'll play Argentina next
July Edition of PCLinuxOS Magazine
or "Issue"
Today in Techrights
Some of the latest articles
9to5Linux Weekly Roundup: July 5th, 2026
The 299th installment of the 9to5Linux Weekly Roundup is here for the week ending July 5th, 2026.