On Friday, A portion of Microsoft’s Windows 10 source code has leaked online this week. Files related to Microsoft’s USB, storage, and Wi-Fi drivers in Windows 10 were posted to Beta Archive this week. Beta Archive is an enthusiast site that tracks Windows releases, and asks members to donate money or contribute something Windows-related if they access a free private FTP full of archived Windows builds. The leaked code was published to Beta Archive’s FTP, and is part of Microsoft’s Shared Source Kit.
In a statement to The Verge, Microsoft said:
“Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners.”
It looks like Microsoft Windows 10 S, which the company says has been streamlined for security, is vulnerable to exploits by hackers. Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House was able to break through several security levels of Microsoft’s new operating system in over three hours. The hacker successfully managed to remotely control Surface Laptop, though he didn’t install ransomware on the device.
A report in ZDNet quoted Hickey, who said, “If I wanted to install ransomware, that could be loaded on,”It’s game over,” he added. According to the report, the hacker didn’t install ransomware on Surface Laptop since it could potentially risk other device connected to the same network.
While Hickey did manage to crack Windows 10 S, he admits the task wasn’t as easy as he expected. Since the OS allows users to run apps only from the Windows Store, he couldn’t use command prompt, scripting tools or PowerShell to break into the system.
Hickey finally found a common attack point, which let him exploit Microsoft Word and gain control of Surface Laptop remotely. “Hickey created a malicious, macro-based Word document on his own computer that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process,” the report explains.
Windows 10 S was announced along side Surface Laptop in May. The operating system lets users download apps directly from the Windows Store, which the company says are verified to ensure consistence performance of the system. Microsoft Edge is the default browser in Windows 10 S. With Windows 1O S users can only run the apps that Microsoft has verified. To run something from outside of the store, users will have to upgrade to Windows 10 Pro and the company will give them the option.