Tux Machines

Do you waddle the waddle?

Other Sites

Internet Society

Community Snapshot—June

Around the world, our community works locally, regionally, and globally to keep the Internet a force for good: open, globally connected, secure, and trustworthy.

New ITU Report Finds Community Networks Are Key to Reaching the Unconnected

There are many reasons why communities worldwide still lack meaningful Internet access, even decades after the Internet has become a staple of everyday life for others. Technical and policy limitations, geographic barriers, and high costs all play a part. More often than not, multiple factors are at play.

9to5Linux

DXVK 3.0.2 Brings Fixes for Dying Light: The Beast, Halo CE, Overwatch, and More

Coming two weeks after DXVK 3.0.1, the DXVK 3.0.2 release is here to work around a performance regression in some video games that create a new DXGI factory every single frame, such as Dying Light: The Beast with FSR enabled, but other D3D12 games could be affected as well.

Wayland 1.26 Is Now Available for Download with New Features and Improvements

Highlights of Wayland 1.26 include a new wl_pointer.warp event to notify a new pointer position without an end-user-initiated motion event, a new wl_fixes.ack_global_remove request to address races related to global remove events, and a new wl_display_remove_socket_fd() function to remove sockets that were previously added via the wl_display_add_socket_fd() function.

LinuxGizmos.com

HackRF Pro SDR covers 100kHz to 6GHz with FPGA-based processing

The HackRF Pro follows the same general architecture as its predecessor but introduces several RF, processing, timing, and connectivity improvements. These include a flatter frequency response, removal of the characteristic center-frequency DC spike, an onboard temperature-compensated crystal oscillator, additional memory, RF shielding, and a USB Type-C connector.

news

Microsoft Windows 11 Caches Exploitable Malware

posted by Roy Schestowitz on May 15, 2024

Fishtank PC builds

Reprinted with permission from Cybershow. Author: Helen Plews.

Figure 1: Tom's Hardware: Fishtank PC builds.

Malware is often thought of as a human interaction with a digital device that causes an infection such as a virus or worm. We assume a human used bad authentication, or the human clicked the bad link, the human downloaded the malware…

So if we have anti-virus and anti-phish educational campaigns we should be well protected right? What about the technical side of cybersecurity, where the hardware, network equipment, end device or software vulnerability is the cause?

This article will examine a case where an operating system is able to automatically open and store a phishing email attachment, leading to potential compromise. In this case Windows 11 has been caching attachments locally to provide synchronisation across devices with the Outlook Application. In many cases, it has cached exploitable malware. This is a growing issue brought to light by Windows 11 users and anti-virus providers, instead of the makers at Microsoft.

Dropper Investigation

I am a life-long gamer and from experimentation over the years, I know I have the best rig, a customisable gaming PC. It’s very nice hardware it looks stunning with rainbow glowing fans and it sounds like a mini jet engine, rendering most graphics on Ultra with a graphics card which is at most 2 years old. The only issue I have had with it is in the operating system, which of course for a big gamer is Windows 11 due to its age. After just two weeks of operation I was alerted to a dropper located in my Windows Appdata folder, it was not dropping any further viruses yet as it had been caught by my expensive AV - which is why it sounds like a jet engine due to the large use of CPU!!

Was it a false positive? Well I ran the offline scan myself as my machine took 8x longer to boot. It behaved as if rebooting after a major update. There were no updates carried out, which made me suspect something amiss.

The virus location was not new to me, it is an appdata folder present in Windows 10 and Windows 11 for Windows mail in particular it processes mail syncing across devices; the full path is:

C:\Users\’Username’\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO\

Now I have had viruses popping up here before, in fact it has been an ongoing problem since I adopted the Windows 11 operating system (OS) in 2022 on the household laptops. Since then, both of my son’s laptops have alerted me to droppers and Trojans in the same Appdata folder. I initially assumed my children were not so good with their cybersecurity (being aged 5 and 9 that makes sense). Maybe they had clicked an email notification. Maybe they had downloaded some Trojan in the style of a game from a requested and shoddy gaming store all parents know about, stealthy and all whilst under supervision. That was until my brand new gaming rig got one.

Examining the attack timeline of my gaming rig in detail showed that a phish had been ‘clicked’ from my Hotmail account which was logged in on my Outlook App, running in the background processes (not running in my taskbar) whilst I played some epic title the night before. This ‘click’ put an infected PDF invoice on my PC, and on boot the next day activated the dropper, slowing the machine right down - which gave me a clue.

Now let's be clear about how Microsoft works, as I understand it, and why this is a gripe serious enough to warrant its own blog post.

You must sign in online to a Microsoft account to access the PC at all times, then it creates session keys for all applications that come installed as standard with the OS. So, unless you take some drastic measures I will discuss in a moment, you will undoubtedly be running sessions of Windows apps in the background; Outlook, OneDrive, Teams, Xbox, Photos, Office, Store, the list is quite extensive.

Moving on, I look for the phish email I had. According to my AV "clicked on" log, I located the suspicious subject of the email. It was something akin to;

AMAZON ACCOUNT ###U$IIHknDBWON38383y4y29~~~

Now, you do not need to be a cybersecurity expert to tell that is a phish from the subject which was located using the now foreground Outlook app. And as expected, it was unread. It showed me that within a few minutes of receiving the unread email, the attached PDF invoice was added to the Windows Communication Appdata folder, which led to the dropper found by the offline scan.

It seemed that Outlook App was saving unread attachments to the appdata folder where the virus was located. Some of the located viruses over the past two years were found on multiple devices that used the same MS credentials which unless stated otherwise, auto sync application data. That is exactly what the

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

folder is for. It contains both the application data for Windows apps like Outlook to run and sync as well as data obtained in the process. I synced between my children's laptops as my account was the administrator for the network, it kept them safer online. Or so I thought.

Vulnerability Research

So I start down the usual process of researching the vulnerability to find a permanent mitigation. I find nothing at first, no CVE, no reports. I do find some details on the MS community website like this one from "2020 Trojan Found and Deleted"… but it Returns (Trojan: HTML/Phish.AB!MSR) . It is here I see the same problem and I see a response from an expert.

“The trojan is an email attachment synced to your PC. Do you have some Hotmail or Microsoft email setup in an email client applications like Outlook?” - Independent Expert, MS Community, 2020

So I search all around this topic and I cannot find anything from Microsoft about this issue right away, but I do find many victims. Anti-Virus companies, affected users and experts alike are all drawing attention to this problem. Eventually, thanks to Reddit I find a similar experience from a commentor who managed to find the reported exploit listed by Microsoft. You can find many more threads on the issue on Reddit with a search.

“Looking into the report we have a "Exploit:O97M/CVE-2017-11882.AZA!MTB" match, which doesn't seem to be that ominous since it requires the file to be executed on a non-updated Office/WordPad, still it ain't something I'd like to find lying around because the app found it was a good thing to download it, without my consent.” - JVMTG, Reddit, 2023

It is a known software error marked as severe on their own security intelligence website, with 24 exploits under the O97M CVE. I’d like to say I have more details from Microsoft but I do not, instead they offer very little default cybersecurity steps, such as "remain up to date and don’t click a phish".

This does seem rather severe. It locally caches attachments from emails including those which have not been opened to the windowscommunicationsapps folder from the Outlook App. It will then auto sync the data in the folder to all devices using the same credentials in their Outlook App on their phones, laptops, desktops, anywhere the Outlook App runs.

The only step missing for a full compromise is that infected files are auto-run… a feature I feel sure Microsoft are working on at this exact moment!

Attacks are becoming more complex, in 2022 they were able to add the dropper, which very slowly downloaded a fairly rubbish Trojan, which was easily removed. Recently there were 74 password protected files and multiple Trojans appearing as game applications in the same appdata folder. These were located only weeks after a fresh OS install and could not be explained by known activities on the machine or entirely resolved by AV due to the encryption of the folders they were located in.

Impact

Take a moment to think about how many commercial users of the Outlook application have auto-sync enabled in daily use. All those using Office 365 who sync between devices on their smartphone, personal devices and company equipment, or amongst family member's tablets and laptops. You should be concerned. And then get mad as hell, because it seems Microsoft have created their own quite special service for propagating malware, one that's been ongoing since at least 2020.

I have wasted countless hours re-installing OS’s, searching files, reading reports and researching this issue to find my only salvation in Reddit. Reddit of all places! This looks like something Microsoft rather wanted to sweep under the rug.

If you sync with Outlook App between devices with the same MS account, you are vulnerable to this malware propagation. Microsoft insist users take advantage of auto-synced features across devices and use this as a clear marketing tool especially for commercial settings. It seems my trust in this feature was misplaced.

Mitigation And Loss of Trust

Some will say that this is "just a feature" of sync. I disagree because like so many Microsoft processes it feels out of control. It does not just synchonise expected user data. It inappropriately populates and copies undocumented files into system folders and, without any knowledge or intervention from the user, replicates them across devices.

The mitigation is you must live without synchronisation in Microsoft applications. So far it has worked 100%. Turning off sync across applications does work. This can be done during an OS install by refusing all sync options when prompted. You must also make sure it is off in the account settings for the user. This can be done from the settings panel when logged on to Windows. There are many guides available like this one from Process.st. Even with sync off, you can still access email and other services using the web applications, which will sync files and emails but will not store these to the local machine.

If like myself, you have lost trust in the applications themselves, removing windows apps entirely may be more fitting, this allows the folder

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

to be deleted and does not appear, like a lurking background threat at a later date just in case you change your mind. My gaming rig has only one MS app remaining, Xbox and that is the way it will stay until the situation is openly discussed by MS and the vulnerability resolved. No more Appdata Phishes please.

In summary, no amount of phishing training will prevent a bad design in the operating system. Caching malware infected attachments to system folders and replicating them is bad design in my opinion. In this case, the operating system has been phished, not the human.

Other Recent Tux Machines' Posts

Understanding the Foundation Board’s Role in the FreeBSD Ecosystem
During BSDCan, the FreeBSD Foundation holds its annual meeting and Board elections
 
Valve and Collabora Announce Official Arch Linux ARM64 Port for Steam Frame
Valve and Collabora announce Holo Core as the official Arch Linux ARM64 port for the Steam Frame gaming VR headset with an early preview for developers.
DXVK 3.0.2 Brings Fixes for Dying Light: The Beast, Halo CE, Overwatch, and More
DXVK 3.0.2 open-source Vulkan-based implementation of D3D8, D3D9, D3D10, and D3D11 for Linux / Wine is now available for download with more improvements for your favorite games.
today's leftovers
GNU/Linux picks and Haiku
Free, Libre, and Open Source Software Leftovers
FOSS and more
Ubuntu 26.04 Bugs (Too Busy Adding Buggy Clones That Don't Work), Ubuntu DDoS Attack Discussed
Ubuntu picks
IBM Red Hat Mostly Focused on Slop Plagiarism, Not Much About Linux These Days
IBM agenda
Server: Istio 1.30.3, Istio 1.29.6, and 10ZiG
3 more picks
Audiocasts/Shows: Linux Matters and BSD Now
two episodes for now
KDE Mega Sprint 2026 and Server-side Drop Shadows
KDE leftovers
Accessibility in GNOME and Icon for Demostage
last week's updates on GNOME
BSD: OpenZFS, OpenBSD, FreeBSD, and OPNsense
BSD leftovers
Open Hardware/Modding: Right to Repair, ESP32, RISC-V, and More
Hardware picks
Events/Education: Workshop Basel, EuroPython 2026, and IndieWeb Event for Southeast Asia
recent and upcoming
Technological Sovereignty, FSF Raising Money, and Paleoenshittification
FSF / Software Freedom / Digital Sovereignty leftovers
Programming Leftovers
Development leftovers
Standards/Consortia: ITU, USB, HEIC, and More
Standards and more
Security Leftovers and Windows TCO
Security picks
today's howtos
Instructionals/Technical leftovers
Games: RPCS3, Godot, Denuvo Workaround, and Performance
gaming leftovers
Slopfarms Rejoice as After Boss of Linus Torvalds Receives Millions to Promote Slop Plagiarism, Then Torvalds Becomes His Master's (Money) Voice
Really bad, Linus Torvalds
'Secure' Boot Redundant and Only a Net Loss for Security
2 more stories
Technical Computer Scientist and Free Software Expert Running for a Seat (Clacton-on-Sea by-Election) [original]
We envision he'll soon do some media interviews and some Web pages will help bring exposure to his message
GNU/Linux Rises to About a Quarter of OS Usage in Iraq [original]
For a long time Windows was measured at 100% there
Open Source Won’t Save Us
The FSF fights for your freedom.
Winner Takes It All, the Loser Can Take 'Bronze' [original]
There is a match tomorrow night. If England can get 'bronze', it'll a consolation prize for Thomas Tuchel, as France is a very potent opponent
Pocock-on-Sea: nomination for Clacton by-election, 13 August 2026 [original]
Reprinted with permission from Daniel Pocock
Wayland 1.26 Is Now Available for Download with New Features and Improvements
Wayland 1.26 open-source replacement for the X11 window system protocol is now available for download with support for new events, funxtions, and requests, and bug fixes.
Games: Steam Machines, Jagex, Humble Handhelds Bundle, and More
mostly from GamingOnLinux
Productivity on the Rise Again [original]
"...tasks expand to fill the time available"
Belize: GNU/Linux Up to About 10% [original]
Compared to about 8% internationally this month
Linux doesn't force me to use the terminal—these 3 tools prove it
I'm still a novice Linux user, but the more time I spend with it
AMD driver causing massive performance loss on all major Linux distros
Ubuntu warns an upcoming Linux kernel severely slows AMD down in certain compute workloads due to a drive issue
Does Linux really run faster than Windows? I tested both to find out
Linux users love to talk about how much faster their systems are compared to Windows
Free and Open Source Software
This is free and open source software
Vocalinux Turns Your Speech Into Text Without Giving Away Voice Data
An open source, speech-to-text tool for Linux called Vocalinux has just introduced its 0.14 beta release
Today in Techrights
Some of the latest articles
Free, Libre, and Open Source Software / Digital Sovereignty Leftovers
FOSS and more
WordPress 7.1 Beta is Out, But WordPress Has Become Slop-ware
WordPress picks
Web Browsers/Web Servers/Feed Readers Leftovers
Mozilla, Abuse, and More
Programming Leftovers
Development picks
Proprietary Linux or Non-free (Proprietary) Things on GNU/Linux
Linux leftovers
Graphics and Games: Torvalds Versus NVIDIA, Weston 16.0, and More
misc. links
FreeBSD Makes a Point or Takes Stance Against Reciprocal Licensing
FreeBSD showing its true colours
Operating Systems: A Look Back at Plan 9, Modernizing Haiku’s Bluetooth Handling
oddball OSes
Linux Devices/Open Hardware/Modding: 3D Printer, Adafruit, and More
hardware projects mostly
The Linux Tax is real—and it's holding desktop Linux back
There's a famous quote that Jamie Zawinski that goes "...Linux is only free if your time has no value
Half of Red Hat's Latest Official Pages Are Promotion of Slop Plagiarism (IBM's Agenda)
latest in redhat.com
KDE: Akademy 2026 Program and digiKam for Natural Language Search
KDE picks
GNOME: Report on Crosswords 0.3.18 and GNOME OS Tip
GNOME picks
today's howtos
only a few more for now
Debian: DebConf26, dpkg, Freexian, and "final release of Debian on x86-32"
Debian leftovers
Security Leftovers
Security picks
"Linux" Brand Tarnished by Slop, "Linux" Foundation (LF) Gets Paid to Muddy the Water/Linux Mark
Slopfarms and more slop-promoting junk for LF
UEFI 'Secure Boot' is Not Security, Another Farce Demonstrated This Week
2 picks
Windows vs. Linux gaming: Test reveals clear winner, but community disagrees
Linux has evolved into a serious alternative for PC gamers in recent years
Linus Torvalds and Greg Kroah-Hartman (Linux Foundation) Promote Slop Plagiarism, Proprietary Microsoft GitHub, and CoC
really sad
FSF Fundraiser Extended, Free Software Directory Meetings Planned
FSF news
GNU/Linux on More Than 1 in 10 Laptops/Desktops in Israel, Based on statCounter [original]
Windows continues to fall
Sixty Days [original]
In less than 60 days from now this laptop will reach 1,000 days of uptime
statCounter Reckons Over a Quarter of Laptops/Desktops in Yemen Run GNU/Linux [original]
It's hard to tell why so many people there move to GNU/Linux but understandable that not many people purchase a new PC with Windows preloaded
Three Years, Three Americans Conniving Against Us [original]
It didn't work. It never worked.
Android Leftovers
Google ordered to open Android and Search to rivals in Europe
This one tweak made my Linux PC closer to a Steam machine
Part of what makes SteamOS feel polished is its controller-first Game Mode UI, first popularized on the Steam Deck
COSMIC 1.3 Desktop Environment Released with Frosted Glass Effect
COSMIC 1.3 desktop environment is now available with support for the Frosted Glass effect, updated components and translations, as well as various improvements and bug fixes.
From Days to Hours: IPFire's RISC-V Builds Get a Real Machine
Despite these smaller issues, our Milk-V Jupiter 2 has now been added to our build system for IPFire 2 and it has started to compile the nightly builds
Free and Open Source Software, Benchmark, and Review
This is a new series looking at the Beelink EQi Core 3 304 mini PC running Linux
Programming Leftovers
Development related news and views
Games: PSP, Gaming Diary, Medieval Tournaments, GOG, and GNU/Linux
today's gaming picks
Android Leftovers
I found this Android Auto feature so useful it made me switch from CarPlay
Pickford's Error [original]
Maybe in 2030 England will bring home an international trophy
I switched to COSMIC and discovered the dual-monitor workspace feature KDE should have shipped with
So I've been caught up on the COSMIC hype train. I've been a loyal KDE user for about a year now
I removed GNOME and my laptop battery lasted 40 minutes longer — this is what I replaced it with
There’s a common misconception that battery life on Linux is far superior to that of Windows
GNU/Linux Leftovers
today's leftovers
Free, Libre, and Open Source Software / Programming / Standards Leftovers
FOSS and more
Blender 5.2 LTS Released with New Fill Tool and Thin Wall Mode, Other Changes
Blender 5.2 LTS open-source 3D graphics software is now available for download with new Fill tool, new Thin Wall mode, new Sample Sound node, a new Bevel node, and many other changes.
Free and Open Source Software
This is free and open source software
Kubuntu 24.04 has finally become really neat
Here's a somewhat sad philosophical question: how long does it take for Ubuntu-based LTS to truly become LTS stable
Linux Associated With Ads, Fake Currencies, Some Graphics News
kernel and more
Today in Techrights
Some of the latest articles