Windows 10 users could potentially be faced with more security problems as the source code behind the Microsoft operating system accidentally got leaked online.
The code contained files related to USB storage and Wi-Fi and was on a site called Beta Archive. This website keeps track of Windows releases and often contains archived builds of the OS. Such code is only shared with Microsoft's most trusted partners and customers.
It was originally thought that 32TB of data had been leaked onto the site. But in a statement to The Verge, Microsoft said that “just 1.2GB” was posted online.
“Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners,” said a spokesperson.
Since then, Beta Archive has voluntarily pulled the code, which contained details on Windows 10's USB, storage, Wi-Fi drivers and ARM-specific OneCore kernel code. It also contained versions of the Windows 10 Mobile Adaptation Kit, which is used to build system images for Windows on phones.
The code also featured private debugging symbols, which developers use to see what functions and data are being used by certain code. Such symbols are removed from the OS before being released to the public.
An administrator on Beta Archive said in a forum posting that he didn't believe there was any connection between this incident and the arrest of two British men following an alleged hack of networks belonging to Microsoft.
Lee Munson, security researcher at Comparitech.com, told SC Media UK that any leaking of operating system source code is a huge problem due to the potential vulnerabilities it could reveal.
“The fact that the Windows 10 source code leaked last week centred around storage devices and Wi-Fi is especially worrying, however, due to the potentially potent attacks that could be developed,” he said.
“In the short-term, I would expect to see a range of new attacks created around USB storage devices and perhaps some new man-in-the-middle techniques to take advantage of newly discovered flaws in the source code, though I would expect Microsoft to take swift action through a raft of new patches.”
Leigh-Anne Galloway, Cyber Security Resilience lead at Positive Technologies, told SC Media UK that the leaked code in question is a small part of an SDK (software development kit), so it's unlikely to cause any serious security problems.
“When speaking about vulnerabilities, there is no direct correlation between the number of vulnerabilities and the ‘openness’ of the code,” she said.
“A couple of months ago, Positive Technologies experts found a dangerous seven-year-old vulnerability (CVE-2017-2636) in the Linux kernel that allowed local users to gain privilege escalation or cause a denial of service. The issue affects the majority of popular Linux distributions including Fedora, Debian, and Ubuntu. However, this flaw existed undetected for seven years, even though the source code was available,” added Galloway.
David Kennerley, director of Threat Research at Webroot, told SC Media UK that we may possibly see more Windows vulnerabilities in the open, some used for malicious purposes.
“I'm sure others will quite quickly be reported to Microsoft. Much of the source code was already shared with Microsoft partners, and even governments – so a lot of this code will already have been seen by non-Microsoft eyes,” he said.