
Heaps of Windows 10 internal builds, private source code leak online

Unreleased 64-bit ARM versions, Server editions among dumped data


Exclusive A massive trove of Microsoft's internal Windows operating system builds and chunks of its core source code have leaked online.

The data – some 32TB of official and non-public installation images and software blueprints that compress down to 8TB – were uploaded to betaarchive.com, with the latest load of files provided earlier this week. It is believed the confidential data in this dump was exfiltrated from Microsoft's in-house systems around March this year.

The leaked code is Microsoft's Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code.

Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels. It is supposed to be for Microsoft, hardware manufacturers, and select customers' eyes only.

Leaked ... Screenshot of a Beta Archive posting announcing, on Monday, June 19, the addition of Microsoft's confidential source code archive

In addition to this, top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked among copies of officially released versions. The confidential Windows team-only internal builds were created by Microsoft engineers for bug-hunting and testing purposes, and include private debugging symbols that are usually stripped out for public releases.

This software includes, for example, prerelease Windows 10 "Redstone" builds and unreleased 64-bit ARM flavors of Windows. There are, we think, too many versions now dumped online for Microsoft to revoke via its Secure Boot mechanism, meaning the tech giant can't use its firmware security mechanisms to prevent people booting the prerelease operating systems.

Also in the leak are multiple versions of Microsoft's Windows 10 Mobile Adaptation Kit, a confidential software toolset to get the operating system running on various portable and mobile devices.

Netizens with access to Beta Archive's private repo of material can, even now, still get hold of the divulged data completely for free. It is being described by some as a bigger leak than the Windows 2000 source code blab in 2004.

A spokesperson for Microsoft said: "Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners." ®

Updated to add

Beta Archive's administrators are in the process of removing non-public Microsoft components and builds from its FTP server and its forums.

For example, all mention of the Shared Source Kit has been erased from its June 19 post. We took some screenshots before any material was scrubbed from sight. You'll notice from the screenshot above in the article and the forum post that the source kit has disappeared between the Microsoft Windows 10 Debug Symbols and Diamond Monster 3D II Starter Pack.

The source kit is supposed to be available to only "qualified customers, enterprises, governments, and partners for debugging and reference purposes."

In a statement, Beta Archive said: "The 'Shared Source Kit' folder did exist on the FTP until [The Register's] article came to light. We have removed it from our FTP and listings pending further review just in case we missed something in our initial release. We currently have no plans to restore it until a full review of its contents is carried out and it is deemed acceptable under our rules."
