Security

Heaps of Windows 10 internal builds, private source code leak online

Unreleased 64-bit ARM versions, Server editions among dumped data

152 Got Tips?

Exclusive A massive trove of Microsoft's internal Windows operating system builds and chunks of its core source code have leaked online.

The data – some 32TB of official and non-public installation images and software blueprints that compress down to 8TB – were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the confidential data in this dump was exfiltrated from Microsoft's in-house systems around March this year.

The leaked code is Microsoft's Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code.

Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels. It is supposed to be for Microsoft, hardware manufacturers, and select customers' eyes only.

Leaked ... Screenshot of a Beta Archives posting announcing on Monday, June 19, the addition of Microsoft's confidential source code archive

In addition to this, top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked among copies of officially released versions. The confidential Windows team-only internal builds were created by Microsoft engineers for bug-hunting and testing purposes, and include private debugging symbols that are usually stripped out for public releases.

This software includes, for example, prerelease Windows 10 "Redstone" builds and unreleased 64-bit ARM flavors of Windows. There are, we think, too many versions now dumped online for Microsoft to revoke via its Secure Boot mechanism, meaning the tech giant can't use its firmware security mechanisms to prevent people booting the prerelease operating systems.

Also in the leak are multiple versions of Microsoft's Windows 10 Mobile Adaptation Kit, a confidential software toolset to get the operating system running on various portable and mobile devices.

Netizens with access to Beta Archive's private repo of material can, even now, still get hold of the divulged data completely for free. It is being described by some as a bigger leak than the Windows 2000 source code blab in 2004.

A spokesperson for Microsoft said: "Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners." ®

Updated to add

Beta Archive's administrators are in the process of removing non-public Microsoft components and builds from its FTP server and its forums.

For example, all mention of the Shared Source Kit has been erased from its June 19 post. We took some screenshots before any material was scrubbed from sight. You'll notice from the screenshot above in the article and the forum post that the source kit has disappeared between the Microsoft Windows 10 Debug Symbols and Diamond Monster 3D II Starter Pack.

The source kit is supposed to be available to only "qualified customers, enterprises, governments, and partners for debugging and reference purposes."

In a statement, Beta Archive said: "The 'Shared Source Kit' folder did exist on the FTP until [The Register's] article came to light. We have removed it from our FTP and listings pending further review just in case we missed something in our initial release. We currently have no plans to restore it until a full review of its contents is carried out and it is deemed acceptable under our rules."

Sign up to our NewsletterGet IT in your inbox daily

152 Comments

Keep Reading

Canary-build Microsoft browser blocks Microsoft extension from inflicting Microsoft search engine

Virtue is its own reward

Microsoft 365 Business to gain more Azure Active Directory toys... oh, and it's called Microsoft 365 Business Premium (from 21 April)

Because this Office branding shake-up isn't confusing at all

Wow, Microsoft's Windows 10 always runs Edge on startup? What could cause that? So strange, tut-tuts Microsoft

Punters asked to hand over their logs if browser keeps coming to life against their wishes

Microsoft: 14 January patch was the last for Windows 7. Also Microsoft: Actually...

Wallpaper-stripping bug will be fixed

Russia-linked Gamaredon hacker crew using Microsoft's Visual Basic for Applications to pwn Microsoft's Outlook

From targeting Ukraine to random mailboxes: how the mighty have fallen

Here's a headline we never thought we'd write 20 years ago: Microsoft readies antivirus for Linux, Android

Redmond knows a thing or two about tackling malware – amirite, Windows fans?!

Non-human Microsoft Office users get their own special licences

Automated operators can pay up like anyone – or anything – else

Microsoft disbands three-ring Windows Insider circus and replaces it with 'channels'

Redmond decides volunteer crash-test dummies care about quality, not speed

Microsoft loosens Teams' necktie as platform courts your forensic accountant relatives

Just look at the time. Looks like I can't attend the family meeting about our calendar!

No more installing Microsoft's Chromium-centered Edge by hand: Windows 10 will do it for you automatically

Something something pushing us over the Edge

Tech Resources

Building an Incident Response Plan

A well-crafted IR plan will help your organization perform at its best by preparing for the worst.

Unlocking the Cloud-Native Data Layer

Being able to exceed customer expectations is essential to a successful business.

The Definitive Guide to Sharing Threat Intelligence

Sharing threat intelligence is gradually becoming an accepted component in information security defense but there are still ways we can gain more.

SANS Institute: Cloud Security Survey Results

How do you close visibility gaps, integrate conflicting datasets from different providers and adjust your current incident response strategies to respond to cloud-specific threats?