False alarm! (Windows 10 source code leaked)

Windows 10 already has a bad reputation for its myriad security issues. I don’t think Microsoft will be able to patch everything. They are already hurting bad.

I am still using Windows 7, though that probably means zilch.

Would’ve been nice if it was all of it then people could see exactly what telemetry and other callbacks are in the code and exactly what kind of data is siphoned.

  • Maybe you could then compile a version without the bad parts.

The Source leak is what is called the Shared Source initiative:
https://www.microsoft.com/en-us/sharedsource/

Getting the .PDB files would be handy for RE’ing

Le sigh. We’re boned now, I presume.

Well, this may be the biggest “open source increases security because of all the eyeballs” test in history.

This appears to be typical Register heavy breathing. The Verge is quite a bit more measured.

“Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners,” reveals a Microsoft spokesperson in an email to The Verge. While The Register claims 32TB of data, including unreleased Windows builds, has been leaked, The Verge understands most of the collection has been available for months, or even years. The Register also claims the source code leak is bigger than the Windows 2000 leak from 2004, but The Verge understands this is inaccurate and that the Windows 10 source code leak is relatively minor.

The leak will be embarrassing for Microsoft, but the source code itself is already shared with partners, enterprises, governments, and other customers who choose to license it through the Shared Source initiative. Microsoft’s Windows 10 Mobile Adaption Kit was also included in the leak, alongside some Windows 10 Creators Update builds, and some ARM-based versions of Windows 10.

Bear in mind “The Verge understands” means 'Microsoft told us off the record". It’s spin.

My ex-MS programmer friend says “debugging symbols” leaking is Very Bad News for exploit crafting. Not sure what that entails.

Symbols are great for debugging stuff, but you did not have access to all of the win debugging symbols from their public repository. I recall stuff like the GFWL PDB’s being hard to obtain in the past for example.

It will make it somewhat easier for exploits I am sure, but also for any other RE’ing purposes; so it isn’t all bad.

The Register usually have a tabloidish/‘fun’ title but when you read the article they pretty much say the same thing that the verge did - i.e. it was some source code that they share with partners, internal builds, etc… I’m sure the Russian/Chinese government have access to a lot more source code than just this - as they require full access afaik.

I am just curious if the code is well written and documented or is it the kind of code that will make your eyes bleed.

If OEMs already had access to this kind of thing for years I doubt a single vulnerability would be made from this particular leak. Why? Because all it takes a single person to copy it and send it off to a group which then quickly gets spread around etc.

i.e. the people making hacks that you need to worry about probably already have it and had it years ago.

And governments demand and get the source code from Microsoft directly to “inspect” it. Usually part of the deal if MS wants any government contracts.

@YakAttack, why did you change the title of this thread? Were the reports false? I looked at the link in the OP, but it didn’t seem to have any new info.

If it’s just the Shared Source Initiative stuff, then it’s no big deal, right?

*yawns*