[BreachExchange] Heaps of Windows 10 internal builds, private source code leak online
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Jun 26 20:46:02 EDT 2017
https://www.theregister.co.uk/2017/06/23/windows_10_leak/
A massive trove of Microsoft's internal Windows operating system builds and
chunks of its core source code have leaked online.
The data – some 32TB of official and non-public installation images and
software blueprints that compress down to 8TB – were uploaded to
betaarchive.com, the latest load of files provided just earlier this week.
It is believed the confidential data in this dump was exfiltrated from
Microsoft's in-house systems around March this year.
The leaked code is Microsoft's Shared Source Kit: according to people who
have seen its contents, it includes the source to the base Windows 10
hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its
storage drivers, and ARM-specific OneCore kernel code.
Anyone who has this information can scour it for security vulnerabilities,
which could be exploited to hack Windows systems worldwide. The code runs
at the heart of the operating system, at some of its most trusted levels.
It is supposed to be for Microsoft, hardware manufacturers, and select
customers' eyes only.
In addition to this, top-secret builds of Windows 10 and Windows Server
2016, none of which have been released to the public, have been leaked
among copies of officially released versions. The confidential Windows
team-only internal builds were created by Microsoft engineers for
bug-hunting and testing purposes, and include private debugging symbols
that are usually stripped out for public releases.
This software includes, for example, prerelease Windows 10 "Redstone"
builds and unreleased 64-bit ARM flavors of Windows. There are, we think,
too many versions now dumped online for Microsoft to revoke via its Secure
Boot mechanism, meaning the tech giant can't use its firmware security
mechanisms to prevent people booting the prerelease operating systems.
Also in the leak are multiple versions of Microsoft's Windows 10 Mobile
Adaptation Kit, a confidential software toolset to get the operating system
running on various portable and mobile devices.
Netizens with access to Beta Archive's private repo of material can, even
now, still get hold of the divulged data completely for free. It is being
described by some as a bigger leak than the Windows 2000 source code blab
in 2004.
A spokesperson for Microsoft said: "Our review confirms that these files
are actually a portion of the source code from the Shared Source Initiative
and is used by OEMs and partners." ®
Updated to add
Beta Archive's administrators are in the process of removing non-public
Microsoft components and builds from its FTP server and its forums.
For example, all mention of the Shared Source Kit has been erased from its
June 19 post. We took some screenshots before any material was scrubbed
from sight. You'll notice from the screenshot above in the article and the
forum post that the source kit has disappeared between the Microsoft
Windows 10 Debug Symbols and Diamond Monster 3D II Starter Pack.
The source kit is supposed to be available to only "qualified customers,
enterprises, governments, and partners for debugging and reference
purposes."
In a statement, Beta Archive said: "The 'Shared Source Kit' folder did
exist on the FTP until [The Register's] article came to light. We have
removed it from our FTP and listings pending further review just in case we
missed something in our initial release. We currently have no plans to
restore it until a full review of its contents is carried out and it is
deemed acceptable under our rules."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170626/9a2754bb/attachment.html>
More information about the BreachExchange
mailing list