Microsoft confirms some Windows 10 source code has leaked

A portion of Microsoft’s Windows 10 source code has leaked online this week. Files related to Microsoft’s USB, storage, and Wi-Fi drivers in Windows 10 were posted to Beta Archive. Beta Archive is an enthusiast site that tracks Windows releases, and asks members to donate money or contribute something Windows-related if they access a free private FTP full of archived Windows builds. The leaked code was published to Beta Archive’s FTP, and is part of Microsoft's Shared Source Kit.

“Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners,” reveals a Microsoft spokesperson in an email to The Verge. While The Register claims 32TB of data, including unreleased Windows builds, has been leaked, The Verge understands most of the collection has been available for months, or even years. The Register also claims the source code leak is bigger than the Windows 2000 leak from 2004, but The Verge understands this is inaccurate and that the Windows 10 source code leak is relatively minor.

The leak will be embarrassing for Microsoft, but the source code itself is already shared with partners, enterprises, governments, and other customers who choose to license it through the Shared Source initiative. Microsoft’s Windows 10 Mobile Adaptation Kit was also included in the leak, alongside some Windows 10 Creators Update builds, and some ARM-based versions of Windows 10.

Beta Archive owner Andrew Whyman has revealed the source code was just 1.2GB in size and has been removed. In an email to The Verge, Whyman says Microsoft has not forced the site to remove the code and that “we have removed the file under our own decision.”

The source code leak comes just a day after two men were arrested in the UK as part of an investigation into unauthorized access to Microsoft’s network. Detectives executed warrants to arrest a 22-year-old man from Lincolnshire, and a 25-year-old man from Bracknell. The Verge understands both men have been involved in collecting confidential Windows 10 builds, and that at least one is a donator to the Beta Archive site. A spokesperson for Thames Valley police refused to provide more information on the arrests to The Verge, and would not confirm the identities of the two individuals.

It’s not clear if the arrests are directly linked to the source code leak, but Microsoft is evidently concerned about some potential intrusions into its networks by Windows enthusiasts. The alleged offences took place between January and March, and a large dump of confidential Windows 10 builds was leaked to Beta Archive on March 24th. An administrator of Beta Archive, named only as "mrpijey," revealed "with the help of members (whose names shall never be mentioned) I've downloaded a whole lot of Windows Insider builds of Windows 10 directly from Microsoft" at the time of the leak. Ars Technica also reports that Microsoft’s build systems may have been hacked in March.

Microsoft has largely avoided Windows 10 build leaks thanks to its Insider program, which lets testers access early copies of the operating system. In the past, the software giant has aggressively pursued Windows leakers, and the company even once scanned a blogger’s Hotmail account to track down a Windows 8 leak.

The Verge has reached out to Microsoft to comment further on the arrests, and we’ll update you accordingly.

Update, 6:25AM ET: Article updated to clarify Beta Archive description.

Comments

It would be useful if the article explained what that actually means. Like… what actually is the source code? Doesn’t every user have it when they install Windows?

Source code is what is used to compile binaries which are what the end user uses to run a program (or install Windows). Binaries are what comes on the disc or download or USB stick when you install Windows. When talking about closed source software like Windows, the source code is not made available, unlike open source software like Linux.

In the grand scheme of things, depending on what was actually leaked, this may represent a security issue, but it’s hard to say.

unlike open source software like Linux.

we get it…

The precision is useful for people who don’t know about it, and he/she wasn’t taking position on this stupid OS war, just stating facts. What’s wrong ?

I can’t stand Linux or most OSS, actually. I was just trying to explain.

Why is that, actually?

Poor/inconsistent UI, shoddy documentation, absolutely awful community.

I agree good-looking Linux distros are hard to come by but they do exist. I can’t speak for the community. However, I don’t think it’s really fair to derive a general dislike for OSS out of that.

At least the Elementary OS community is really cool with new people coming to try it.

Safari and Chrome are both heavily based around open-source software, and Firefox is entirely open source.

macOS and iOS are both based heavily on open source (and years ago was a fork of BSD, which is open source). Android is Linux at its "core," which is open source.

I literally can’t imagine the modern Internet without open source software; everything from the majority of servers to a lot of the libraries used to build web pages, not to mention browsers and a lot of other things, are either open source or based around open source.

It’s true that Linux distributions and user-facing software like GIMP have tended to have a worse UI than commercial alternatives, but that doesn’t mean that open source is inherently worse.

But, but my Open Source using friend is always telling me public visibility of source code is a good thing for security! (In between rebuilding their Linux webserver because it got hacked yet again)….

If we really are going there, open source is a good thing, not only for security, but for improvements, features, bug fixes, a plethora of new applications, etc. If you’re smart, you’d actually use a server based on Linux. Linux is the "superior" OS for networking. You’d not have MacOS if not for UNIX, which is open-source. You’d not have Chrome browser if not for Firefox, which is open-source. You’d not have Android, if not for linux kernel, which is open-source. There are a ton of developer tools, which wouldn’t exist, and which are open-source. I’m sure I’m missing a lot more that exist because of open-source, but I hope you get the idea.

NO software is immune to hacking. Any and every software WILL have bugs as long as they exist. Nothing stops at version 1.0.

It’s very likely not a security problem. Windows is secure these days, and looking at a secure program’s source code should not make vulnerabilities obvious.

I would disagree with that. That is actually the exact threat we face anytime source code leaks. The compiled binaries are typically encrypted and impossible to figure out how the underlying code that was inputted works. If you have the original source code it is easy to start picking apart and finding flaws in how it was programmed. The threat here, specifically, is that the WiFi source code leaked, which could mean a whole slew of new viruses and malware to infect machines maliciously. An OS being secure does not fundamentally make the source code somehow secure, exploits are just programming mistakes that haven’t been fixed yet.

Actually it’s widely accepted in the security community that a system isn’t secure if knowing how it works weakens it. Windows’s source code is already reviewed internally, and recent versions include a ton of mitigation techniques that make it way harder to exploit the majority of bugs. It’s not "easy" to find flaws, because the "easy" flaws have already been detected and corrected by Microsoft. Look at Linux.

What is your definition of a "secure" OS if it doesn’t include "the source code being secure" ? What can be secure in a software except its source code ? That doesn’t make sense unless you consider obscurity as security, which it isn’t. Fortunately, Microsoft doesn’t rely on obscurity these days.

If you have the original source code it is easy to start picking apart and finding flaws in how it was programmed.

Bingo! And this is exactly what we want people to do.

Whatttt – not a security problem? This is always a huge concern for security. Once you know how it defends, it’s way, millions of times easier.

Everyone already knew how it defends, you can’t distribute a system to hundreds of millions of customers without someone reverse-engineering it. Properly secured systems don’t depend on obscurity to stay secure. Everyone knows how a shitton of open-source software defends itself, yet Linux distributions are considered secure.

Obscurity isn’t security. Even if the whole Windows source code leaked tomorrow, you could still trust it. That’s what "secure" means.

This is nonsense, for a compiled system this is completely, utterly wrong.

Linux is also compiled when it runs on your PC. What do you even mean?

No, it’s entirely correct.

I’ll repeat : Obscurity is not Security. Reverse-engineering exists. Do you think that compiling prevents anyone from studying a program’s behavior ?

If Windows relied on obscurity, it would get pwned every month.

A system isn’t secure because people don’t know how it "defends itself". It is common wisdom that a system whose source code is publicly available is more robust against attacks since everybody pokes around the code trying to find ways it could be weak.

Take the example of Bitlocker: few people actually trust it completely since nobody knows how it works (unless you’re one of the select few who were granted a look under NDA). Now take the example of Signal Protocol: everybody knows what it does, everybody feels safe using it (and it’s pretty damn secure).

But you have to trust that the people looking at the code are doing it for altruistic purposes rather than for nefarious purposes.

How would I be sure which it is?

You don’t know, however, people have the ability to check your codebase to check for errors, so it prevents a lot of them. Typically, when big vulnerabilities were found on the software that is used in servers, it hasn’t been used, but is patched between a day, and can be found ready to in less than a week on software repositories.
