Has Microsoft really lost vital source code?
Rumours swirl around significant leak of Windows 10 source code, with potentially serious results.
A massive reported Microsoft Windows source code leak has raised serious security questions, with claim and counter-claim threatening to obscure the gravity of the issue.
The first report of a problem came from The Register, which reported that “some 32TB of official and non-public installation images and software blueprints that compress down to 8TB” had been uploaded to betaarchive.com. The publication stated that “The leaked code is Microsoft's Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code.” The files have now been taken down from Beta Archive.
Anyone downloading the data dump would be able to hunt for security vulnerabilities at their leisure, before using what they find in attacks on Microsoft systems across the globe. Moreover, the publication reported that “There are, we think, too many versions now dumped online for Microsoft to revoke via its Secure Boot mechanism, meaning the tech giant can't use its firmware security mechanisms to prevent people booting the pre-release operating systems.”
However, Microsoft issued a statement downplaying the leak: “Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners.” The company has been extremely active in addressing security issues for some time now, and has made enhanced security a big sales point for Windows 10.
Microsoft claims that the bulk of the 32TB material has been available online for some time, and that the newly leaked material totals 1.2GB of source code, which reportedly relates to the USB, storage and Wi-Fi drivers of Windows 10. The Shared Source Initiative is a scheme whereby Microsoft licenses product source code to qualified customers, enterprises, governments, and partners for debugging and reference purposes, so that vendors can optimize their drivers, for example.
If the leak is indeed just Shared Source Initiative information about Windows drivers, then it offers much less in the way of interest to attackers than originally thought, although there are undoubtedly vulnerabilities to be found. As is often the case, the leak demonstrates just how easily the industry - and especially the media - can get carried away by the latest ‘big thing’ in threat terms.
As Ilia Kolochenko, security expert and CEO of High-Tech Bridge, said: “Companies prefer to spend on mysterious APTs and other highly exaggerated threats, leaving main doors to their companies (web apps) open to everyone. We need to understand that the modern web application is not just a website, but provides direct access to internal and highly sensitive infrastructure. We need to wake up, otherwise while we are spending millions on the wrong threats, hackers will steal everything we have via forgotten web applications.”
It is certainly true that conducting a thorough, holistic digital risk assessment, and then implementing appropriate security controls to mitigate related threats and vulnerabilities, will be more productive than worrying about this leak, especially in the medium-to-long term...