
Heaps of Windows 10 internal builds, private source code leak online

Unreleased 64-bit ARM versions, Server editions among dumped data


Exclusive: A massive trove of Microsoft's internal Windows operating system builds and chunks of its core source code have leaked online.

The data – some 32TB of official and non-public installation images and software blueprints that compress down to 8TB – were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the confidential data in this dump was exfiltrated from Microsoft's in-house systems around March this year.

The leaked code is Microsoft's Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code.

Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels. It is supposed to be for Microsoft, hardware manufacturers, and select customers' eyes only.

Leaked ... Screenshot of a Beta Archives posting announcing on Monday, June 19, the addition of Microsoft's confidential source code archive

In addition to this, top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked among copies of officially released versions. The confidential Windows team-only internal builds were created by Microsoft engineers for bug-hunting and testing purposes, and include private debugging symbols that are usually stripped out for public releases.

This software includes, for example, prerelease Windows 10 "Redstone" builds and unreleased 64-bit ARM flavors of Windows. There are, we think, too many versions now dumped online for Microsoft to revoke via its Secure Boot mechanism, meaning the tech giant can't use its firmware security mechanisms to prevent people booting the prerelease operating systems.

Also in the leak are multiple versions of Microsoft's Windows 10 Mobile Adaptation Kit, a confidential software toolset to get the operating system running on various portable and mobile devices.

Netizens with access to Beta Archive's private repo of material can, even now, still get hold of the divulged data completely for free. It is being described by some as a bigger leak than the Windows 2000 source code blab in 2004.

A spokesperson for Microsoft said: "Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners."

Updated to add

Beta Archive's administrators are in the process of removing non-public Microsoft components and builds from its FTP server and its forums.

For example, all mention of the Shared Source Kit has been erased from its June 19 post. We took some screenshots before any material was scrubbed from sight. You'll notice from the screenshot above in the article and the forum post that the source kit has disappeared between the Microsoft Windows 10 Debug Symbols and Diamond Monster 3D II Starter Pack.

The source kit is supposed to be available to only "qualified customers, enterprises, governments, and partners for debugging and reference purposes."

In a statement, Beta Archive said: "The 'Shared Source Kit' folder did exist on the FTP until [The Register's] article came to light. We have removed it from our FTP and listings pending further review just in case we missed something in our initial release. We currently have no plans to restore it until a full review of its contents is carried out and it is deemed acceptable under our rules."
