Tux Machines

Microsoft Windows 11 Caches Exploitable Malware

posted by Roy Schestowitz on May 15, 2024


Reprinted with permission from Cybershow. Author: Helen Plews.

Figure 1: Tom's Hardware: Fishtank PC builds.

Malware infection is often thought of as the result of a human interacting with a digital device: we assume the human used weak authentication, clicked the bad link, or downloaded the malware…

So if we have anti-virus and anti-phishing educational campaigns, we should be well protected, right? What about the technical side of cybersecurity, where the cause is a vulnerability in the hardware, network equipment, end device or software?

This article will examine a case where an operating system is able to automatically open and store a phishing email attachment, leading to potential compromise. In this case Windows 11 has been caching attachments locally to provide synchronisation across devices with the Outlook application, and in many cases it has cached exploitable malware. This is a growing issue brought to light by Windows 11 users and anti-virus providers rather than by the makers at Microsoft.

Dropper Investigation

I am a life-long gamer and, from experimentation over the years, I know I have the best rig: a customisable gaming PC. It’s very nice hardware; it looks stunning with rainbow glowing fans, it sounds like a mini jet engine, and it renders most graphics on Ultra with a graphics card that is at most 2 years old. The only issue I have had with it is in the operating system, which of course for a big gamer is Windows 11, due to its age. After just two weeks of operation I was alerted to a dropper located in my Windows AppData folder. It was not dropping any further viruses yet, as it had been caught by my expensive AV - which is why it sounds like a jet engine, due to the large use of CPU!!

Was it a false positive? Well, I ran the offline scan myself, as my machine took 8x longer to boot. It behaved as if it were rebooting after a major update. There had been no updates, which made me suspect something was amiss.

The virus location was not new to me: it is an AppData folder present in Windows 10 and Windows 11 for Windows Mail; in particular, it handles mail syncing across devices. The full path is:

C:\Users\<Username>\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO\

Now, I have had viruses popping up here before; in fact it has been an ongoing problem since I adopted the Windows 11 operating system (OS) in 2022 on the household laptops. Since then, both of my sons’ laptops have alerted me to droppers and Trojans in the same AppData folder. I initially assumed my children were not so good with their cybersecurity (being aged 5 and 9, that makes sense). Maybe they had clicked an email notification. Maybe they had downloaded some Trojan in the style of a game from a requested and shoddy gaming store all parents know about, stealthily and all whilst under supervision. That was until my brand new gaming rig got one.

Examining the attack timeline of my gaming rig in detail showed that a phish had been ‘clicked’ from my Hotmail account, which was logged in on my Outlook app running in the background processes (not in my taskbar) whilst I played some epic title the night before. This ‘click’ put an infected PDF invoice on my PC, and on boot the next day the dropper activated, slowing the machine right down - which gave me a clue.

Now let's be clear about how Microsoft works, as I understand it, and why this is a gripe serious enough to warrant its own blog post.

You must sign in online to a Microsoft account to access the PC at all times, and it then creates session keys for all the applications that come installed as standard with the OS. So, unless you take some drastic measures I will discuss in a moment, you will undoubtedly be running sessions of Windows apps in the background: Outlook, OneDrive, Teams, Xbox, Photos, Office, Store; the list is quite extensive.

Moving on, I look for the phish email I had received. Using my AV’s "clicked on" log, I located the suspicious subject of the email. It was something akin to:

AMAZON ACCOUNT ###U$IIHknDBWON38383y4y29~~~

Now, you do not need to be a cybersecurity expert to tell from the subject that it is a phish; I located it using the now-foreground Outlook app. As expected, it was unread. It showed me that within a few minutes of receiving the unread email, the attached PDF invoice was added to the Windows Communication AppData folder, which led to the dropper found by the offline scan.

It seemed that the Outlook app was saving unread attachments to the AppData folder where the virus was located. Some of the viruses located over the past two years were found on multiple devices that used the same MS credentials, which, unless told otherwise, auto-sync application data. That is exactly what the

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

folder is for. It contains both the application data for Windows apps like Outlook to run and sync, as well as data obtained in the process. I synced between my children's laptops, as my account was the administrator for the network; it kept them safer online. Or so I thought.

Vulnerability Research

So I start down the usual process of researching the vulnerability to find a permanent mitigation. I find nothing at first: no CVE, no reports. I do find some details on the MS community website, like this one from 2020, "Trojan Found and Deleted… but it Returns (Trojan: HTML/Phish.AB!MSR)". It is here I see the same problem, and a response from an expert.

“The trojan is an email attachment synced to your PC. Do you have some Hotmail or Microsoft email set up in an email client application like Outlook?” - Independent Expert, MS Community, 2020

So I search all around this topic and I cannot find anything from Microsoft about this issue right away, but I do find many victims. Anti-virus companies, affected users and experts alike are all drawing attention to this problem. Eventually, thanks to Reddit, I find a similar experience from a commenter who managed to find the reported exploit listed by Microsoft. You can find many more threads on the issue on Reddit with a search.

“Looking into the report we have an "Exploit:O97M/CVE-2017-11882.AZA!MTB" match, which doesn't seem to be that ominous since it requires the file to be executed on a non-updated Office/WordPad, still it ain't something I'd like to find lying around because the app found it was a good thing to download it, without my consent.” - JVMTG, Reddit, 2023

It is a known software error marked as severe on their own security intelligence website, with 24 exploits under the O97M CVE. I’d like to say I have more details from Microsoft, but I do not; instead they offer very few default cybersecurity steps, such as "remain up to date and don’t click a phish".

This does seem rather severe. The Outlook app locally caches attachments from emails, including those which have not been opened, to the windowscommunicationsapps folder. It will then auto-sync the data in the folder to all devices using the same credentials in their Outlook app: phones, laptops, desktops, anywhere the Outlook app runs.

The only step missing for a full compromise is that infected files are auto-run… a feature I feel sure Microsoft are working on at this exact moment!

Attacks are becoming more complex. In 2022 they were able to add the dropper, which very slowly downloaded a fairly rubbish Trojan that was easily removed. Recently there were 74 password-protected files and multiple Trojans appearing as game applications in the same AppData folder. These were located only weeks after a fresh OS install and could not be explained by known activities on the machine, or entirely resolved by AV due to the encryption of the folders they were located in.

Impact

Take a moment to think about how many commercial users of the Outlook application have auto-sync enabled in daily use. All those using Office 365 who sync between devices on their smartphone, personal devices and company equipment, or amongst family members' tablets and laptops. You should be concerned. And then get mad as hell, because it seems Microsoft have created their own quite special service for propagating malware, one that's been ongoing since at least 2020.

I have wasted countless hours re-installing OS’s, searching files, reading reports and researching this issue to find my only salvation in Reddit. Reddit of all places! This looks like something Microsoft rather wanted to sweep under the rug.

If you sync with the Outlook app between devices with the same MS account, you are vulnerable to this malware propagation. Microsoft insist users take advantage of auto-synced features across devices and use this as a clear marketing tool, especially for commercial settings. It seems my trust in this feature was misplaced.

Mitigation And Loss of Trust

Some will say that this is "just a feature" of sync. I disagree, because like so many Microsoft processes it feels out of control. It does not just synchronise expected user data. It inappropriately populates and copies undocumented files into system folders and, without any knowledge or intervention from the user, replicates them across devices.

The mitigation is to live without synchronisation in Microsoft applications. So far it has worked 100%: turning off sync across applications does work. This can be done during an OS install by refusing all sync options when prompted. You must also make sure it is off in the account settings for the user, which can be done from the Settings panel when logged on to Windows. There are many guides available, like this one from Process.st. Even with sync off, you can still access email and other services using the web applications, which will sync files and emails but will not store these on the local machine.

If, like me, you have lost trust in the applications themselves, removing the Windows apps entirely may be more fitting; this allows the folder

microsoft.windowscommunicationsapps_8wekyb3d8bbwe

to be deleted, so that it does not reappear at a later date like a lurking background threat, just in case you change your mind. My gaming rig has only one MS app remaining, Xbox, and that is the way it will stay until the situation is openly discussed by MS and the vulnerability resolved. No more AppData phishes please.
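As an added example (not part of the original article), the following Windows PowerShell script inventories the attachment cache folder named above, hashing each file and flagging recently written files of types commonly used for malicious attachments, and with -RemoveApp applies the article's final mitigation of uninstalling the Mail/Calendar app and deleting its package folder. It assumes the package name and path exactly as the article gives them, that it runs as the affected user in Windows PowerShell, and the risky-extension list is my own assumption.

```powershell
<#
  Added example: inventory the Mail/Calendar attachment cache and optionally
  remove the app package so the folder can be deleted. Not code from the article.
#>
param(
    [switch]$RemoveApp   # also uninstall the Mail/Calendar package and delete its folder
)

# Package folder from the article; path is built for the current user's profile.
$pkg   = 'microsoft.windowscommunicationsapps_8wekyb3d8bbwe'
$cache = Join-Path $env:LOCALAPPDATA "Packages\$pkg\LocalState\Files"

# Extensions a phishing attachment commonly arrives as (assumed list, not from the article).
$risky = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.rtf', '.zip', '.rar',
           '.iso', '.exe', '.js', '.vbs', '.lnk')

function Get-CachedAttachmentReport {
    param([string]$Path = $cache, [int]$NewerThanDays = 7)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "Cache folder not present: $Path"
        return @()
    }
    $since = (Get-Date).AddDays(-$NewerThanDays)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # SHA256 lets you check a suspicious file against your AV vendor's portal.
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                        -ErrorAction SilentlyContinue).Hash
            [pscustomobject]@{
                Name      = $_.Name
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Modified  = $_.LastWriteTime
                Recent    = $_.LastWriteTime -ge $since
                RiskyType = $risky -contains $_.Extension.ToLower()
                SHA256    = $hash
                Path      = $_.FullName
            }
        } | Sort-Object -Property RiskyType, Modified -Descending
}

$report = Get-CachedAttachmentReport
$report | Format-Table Name, SizeKB, Modified, Recent, RiskyType, SHA256 -AutoSize

# Recently written files of a risky type are the ones to scan or quarantine first.
$report | Where-Object { $_.Recent -and $_.RiskyType } |
    ForEach-Object { Write-Warning "Recently cached attachment of risky type: $($_.Path)" }

if ($RemoveApp) {
    # Mitigation from the article: remove the Mail/Calendar app, then the package folder.
    Get-AppxPackage -Name 'microsoft.windowscommunicationsapps' | Remove-AppxPackage
    $pkgRoot = Join-Path $env:LOCALAPPDATA "Packages\$pkg"
    if (Test-Path -LiteralPath $pkgRoot) {
        Remove-Item -LiteralPath $pkgRoot -Recurse -Force -ErrorAction Continue
    }
}
```

Run it without -RemoveApp first to see what the folder holds; removal only affects the Mail and Calendar app, not the Outlook web access the article recommends instead.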

In summary, no amount of phishing training will prevent a bad design in the operating system. Caching malware-infected attachments to system folders and replicating them is bad design, in my opinion. In this case, the operating system has been phished, not the human.
