Tux Machines

Microsoft Windows 11 Caches Exploitable Malware

posted by Roy Schestowitz on May 15, 2024

Reprinted with permission from Cybershow. Author: Helen Plews.

Figure 1: Tom's Hardware: Fishtank PC builds.

Malware is often thought of as the product of a human interaction with a digital device that causes an infection such as a virus or worm. We assume a human used bad authentication, or the human clicked the bad link, or the human downloaded the malware…

So if we have anti-virus and anti-phishing educational campaigns, we should be well protected, right? What about the technical side of cybersecurity, where the hardware, the network equipment, the end device or a software vulnerability is the cause?

This article examines a case where an operating system is able to automatically open and store a phishing email attachment, leading to potential compromise. In this case Windows 11 has been caching attachments locally to provide synchronisation across devices with the Outlook application. In many cases, it has cached exploitable malware. This is a growing issue brought to light by Windows 11 users and anti-virus providers, rather than by the makers at Microsoft.

Dropper Investigation

I am a life-long gamer and from experimentation over the years, I know I have the best rig, a customisable gaming PC. It's very nice hardware: it looks stunning with rainbow glowing fans, it sounds like a mini jet engine, and it renders most graphics on Ultra with a graphics card which is at most 2 years old. The only issue I have had with it is in the operating system, which of course for a big gamer is Windows 11 due to its age. After just two weeks of operation I was alerted to a dropper located in my Windows AppData folder; it was not dropping any further viruses yet as it had been caught by my expensive AV - which is why it sounds like a jet engine, due to the large use of CPU!!

Was it a false positive? Well I ran the offline scan myself as my machine took 8x longer to boot. It behaved as if rebooting after a major update. There were no updates carried out, which made me suspect something amiss.

The virus location was not new to me: it is an AppData folder present in Windows 10 and Windows 11 for Windows Mail; in particular, it handles mail syncing across devices. The full path is:

C:\Users\’Username’\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO\

Now I have had viruses popping up here before; in fact it has been an ongoing problem since I adopted the Windows 11 operating system (OS) in 2022 on the household laptops. Since then, both of my sons' laptops have alerted me to droppers and Trojans in the same AppData folder. I initially assumed my children were not so good with their cybersecurity (being aged 5 and 9, that makes sense). Maybe they had clicked an email notification. Maybe they had downloaded some Trojan in the style of a game from a requested and shoddy gaming store all parents know about, stealthily and all whilst under supervision. That was until my brand new gaming rig got one.

Examining the attack timeline of my gaming rig in detail showed that a phish had been ‘clicked’ from my Hotmail account which was logged in on my Outlook App, running in the background processes (not running in my taskbar) whilst I played some epic title the night before. This ‘click’ put an infected PDF invoice on my PC, and on boot the next day activated the dropper, slowing the machine right down - which gave me a clue.

Now let's be clear about how Microsoft works, as I understand it, and why this is a gripe serious enough to warrant its own blog post.

You must sign in online to a Microsoft account to access the PC at all times, and that sign-in creates session keys for all the applications that come installed as standard with the OS. So, unless you take some drastic measures I will discuss in a moment, you will undoubtedly be running sessions of Windows apps in the background: Outlook, OneDrive, Teams, Xbox, Photos, Office, Store; the list is quite extensive.

Moving on, I looked for the phishing email I had received. According to my AV's "clicked on" log, I located the suspicious subject of the email. It was something akin to:

AMAZON ACCOUNT ###U$IIHknDBWON38383y4y29~~~

Now, you do not need to be a cybersecurity expert to tell from the subject that this is a phish. I located it using the now-foregrounded Outlook app, and as expected, it was unread. It showed me that within a few minutes of receiving the unread email, the attached PDF invoice was added to the Windows Communication AppData folder, which led to the dropper found by the offline scan.

It seemed that the Outlook app was saving unread attachments to the AppData folder where the virus was located. Some of the viruses located over the past two years were found on multiple devices that used the same MS credentials, which, unless told otherwise, auto-sync application data. That is exactly what the

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

folder is for. It contains both the application data that Windows apps like Outlook need to run and sync, as well as data obtained in the process. I synced between my children's laptops as my account was the administrator for the network; it kept them safer online. Or so I thought.
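As an added example (not part of the original article), the following PowerShell inventories what has been written under the LocalState\Files tree of the package folder named above, so that a defender can see which attachment-like files arrived recently, with a hash for each, without relying on the mail client. The list of "watched" extensions and the 24-hour window are assumptions to adjust; the optional Defender correlation only works where the Defender PowerShell module is present.

```powershell
# Added example, not code from the original article. Inventories files that the
# Mail/Outlook app has cached under its package LocalState folder (the article's
# "SO" subfolder sits beneath this root), and flags common attachment types.
$cacheRoot = Join-Path $env:LOCALAPPDATA `
    'Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files'

function Get-CachedMailAttachment {
    param(
        [string]   $Path = $cacheRoot,
        # Only report files created in the last N hours so new arrivals stand out (assumed default)
        [int]      $WithinHours = 24,
        # Extensions frequently seen on phishing attachments; an assumption, tune for your estate
        [string[]] $WatchExtensions = @('.pdf', '.doc', '.docm', '.xls', '.xlsm', '.rtf',
                                        '.zip', '.iso', '.htm', '.html', '.lnk', '.js', '.exe')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Cache folder not present: $Path"
        return
    }
    $cutoff = (Get-Date).AddHours(-$WithinHours)
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Created    = $_.CreationTime
                Size       = $_.Length
                Suspicious = ($WatchExtensions -contains $_.Extension.ToLowerInvariant())
                Sha256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Path       = $_.FullName
            }
        } |
        Sort-Object Suspicious, Created -Descending
}

function Get-DefenderHitsInMailCache {
    # Correlates past Defender detections with the same package folder. Requires the
    # Defender module (Get-MpThreatDetection); silently returns nothing elsewhere.
    if (-not (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue)) { return }
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match 'windowscommunicationsapps' } |
        Select-Object InitialDetectionTime, ThreatID, Resources
}

# Usage: recent cached files, flagged ones first, then any Defender detections in that folder
Get-CachedMailAttachment | Format-Table -AutoSize
Get-DefenderHitsInMailCache | Format-List
```

Running this on a schedule, or after a Defender alert that names this path, turns the article's manual observation ("the attachment appeared minutes after the unread mail arrived") into a repeatable check: the creation time of each cached file can be lined up against mail arrival times, and the SHA-256 can be submitted to your scanner or threat-intel source without ever opening the file.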

Vulnerability Research

So I start down the usual process of researching the vulnerability to find a permanent mitigation. I find nothing at first: no CVE, no reports. I do find some details on the MS community website, like this thread from 2020, "Trojan Found and Deleted… but it Returns (Trojan: HTML/Phish.AB!MSR)". It is here I see the same problem, and I see a response from an expert.

“The trojan is an email attachment synced to your PC. Do you have some Hotmail or Microsoft email setup in an email client applications like Outlook?” - Independent Expert, MS Community, 2020

So I search all around this topic and I cannot find anything from Microsoft about this issue right away, but I do find many victims. Anti-virus companies, affected users and experts alike are all drawing attention to this problem. Eventually, thanks to Reddit, I find a similar experience from a commenter who managed to find the reported exploit listed by Microsoft. You can find many more threads on the issue on Reddit with a search.

“Looking into the report we have a "Exploit:O97M/CVE-2017-11882.AZA!MTB" match, which doesn't seem to be that ominous since it requires the file to be executed on a non-updated Office/WordPad, still it ain't something I'd like to find lying around because the app found it was a good thing to download it, without my consent.” - JVMTG, Reddit, 2023

It is a known software error marked as severe on their own security intelligence website, with 24 exploits under the O97M CVE. I'd like to say I have more details from Microsoft but I do not; instead they offer very few default cybersecurity steps, such as "remain up to date and don't click a phish".

This does seem rather severe. It locally caches attachments from emails including those which have not been opened to the windowscommunicationsapps folder from the Outlook App. It will then auto sync the data in the folder to all devices using the same credentials in their Outlook App on their phones, laptops, desktops, anywhere the Outlook App runs.

The only step missing for a full compromise is that infected files are auto-run… a feature I feel sure Microsoft are working on at this exact moment!

Attacks are becoming more complex. In 2022 they were able to add the dropper, which very slowly downloaded a fairly rubbish Trojan, which was easily removed. Recently there were 74 password-protected files and multiple Trojans appearing as game applications in the same AppData folder. These were located only weeks after a fresh OS install and could not be explained by known activities on the machine, or entirely resolved by AV due to the encryption of the folders they were located in.

Impact

Take a moment to think about how many commercial users of the Outlook application have auto-sync enabled in daily use. All those using Office 365 who sync between devices on their smartphone, personal devices and company equipment, or amongst family members' tablets and laptops. You should be concerned. And then get mad as hell, because it seems Microsoft have created their own quite special service for propagating malware, one that's been ongoing since at least 2020.

I have wasted countless hours re-installing OS’s, searching files, reading reports and researching this issue to find my only salvation in Reddit. Reddit of all places! This looks like something Microsoft rather wanted to sweep under the rug.

If you sync with Outlook App between devices with the same MS account, you are vulnerable to this malware propagation. Microsoft insist users take advantage of auto-synced features across devices and use this as a clear marketing tool especially for commercial settings. It seems my trust in this feature was misplaced.

Mitigation And Loss of Trust

Some will say that this is "just a feature" of sync. I disagree, because like so many Microsoft processes it feels out of control. It does not just synchronise expected user data. It inappropriately populates and copies undocumented files into system folders and, without any knowledge or intervention from the user, replicates them across devices.

The mitigation is that you must live without synchronisation in Microsoft applications. So far it has worked 100%. Turning off sync across applications does work. This can be done during an OS install by refusing all sync options when prompted. You must also make sure it is off in the account settings for the user; this can be done from the Settings panel when logged on to Windows. There are many guides available, like this one from Process.st. Even with sync off, you can still access email and other services using the web applications, which will sync files and emails but will not store them on the local machine.

If, like me, you have lost trust in the applications themselves, removing the Windows apps entirely may be more fitting. This allows the folder

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

to be deleted, so it does not reappear at a later date like a lurking background threat, just in case you change your mind. My gaming rig has only one MS app remaining, Xbox, and that is the way it will stay until the situation is openly discussed by MS and the vulnerability resolved. No more AppData phishes please.
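The two mitigations the article describes, turning sync off and removing the Mail/Calendar (windowscommunicationsapps) package so its cache folder can be deleted, can be applied from an elevated PowerShell session. This is an added example and not the article's or Microsoft's own procedure; it assumes you are an administrator of the machine, that the Windows "Do not sync" policy registry values (DisableSettingSync = 2, DisableSettingSyncUserOverride = 1) are the ones your build honours, and that you have already moved your mail to the web client as the article suggests.

```powershell
# Added example, not code from the original article. Run as administrator.
# 1. Stop settings/app-data sync for every user on this machine by writing the
#    same registry values the "Do not sync" group policy sets (assumed values:
#    DisableSettingSync=2 disables sync, DisableSettingSyncUserOverride=1 stops
#    a user re-enabling it from the Settings panel).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name DisableSettingSync -Value 2 -Type DWord
Set-ItemProperty -Path $policyKey -Name DisableSettingSyncUserOverride -Value 1 -Type DWord

# 2. Remove the Mail and Calendar package: for the current user, for all users,
#    and from the provisioning image so it is not re-installed for new accounts.
$pkgName = 'microsoft.windowscommunicationsapps'
Get-AppxPackage -Name $pkgName | Remove-AppxPackage
Get-AppxPackage -Name $pkgName -AllUsers | Remove-AppxPackage -AllUsers
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq $pkgName |
    Remove-AppxProvisionedPackage -Online

# 3. The package folder named in the article may be left behind after removal;
#    delete it explicitly so no cached attachments survive, then verify.
$cacheDir = Join-Path $env:LOCALAPPDATA 'Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe'
if (Test-Path -LiteralPath $cacheDir) {
    Remove-Item -LiteralPath $cacheDir -Recurse -Force -ErrorAction Stop
}

function Test-MailCacheRemoved {
    # Final check: true only when both the package and its LocalState folder are gone
    $pkgGone = -not (Get-AppxPackage -Name $pkgName)
    $dirGone = -not (Test-Path -LiteralPath $cacheDir)
    return ($pkgGone -and $dirGone)
}
Test-MailCacheRemoved
```

Step 1 is machine-wide and survives a user toggling the Settings panel, which is the gap the article warns about when sync is refused only at install time. Step 3 matters because removing an app package does not always remove its LocalState data, so the cached attachments would otherwise stay on disk (and in any backup of the profile) after the app itself is gone.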

In summary, no amount of phishing training will prevent a bad design in the operating system. Caching malware infected attachments to system folders and replicating them is bad design in my opinion. In this case, the operating system has been phished, not the human.
