June 25, 2017

Windows 10 is not as invulnerable as Microsoft claims... and its leaked source code may undermine that even further.

It's been a tough week for Microsoft on the Windows 10 security front.

The week started with Microsoft essentially boasting that Windows 10 S was invulnerable, claiming that "no known ransomware" would run on their latest, gimped version of the OS. That prompted ZDNet to test if such a bold claim would hold up under testing, and the results were somehow both slightly surprising and completely predictable:
Last week, on its debut day, we got our hands on a new Surface Laptop, the first device of its kind to run Windows 10 S. We booted it up, went through the setup process, created an offline account, and installed a slew of outstanding security patches -- like any other ordinary user would (hopefully) do.
And that's when we asked Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, a simple enough question: Will ransomware install on this operating system?
It took him a little over three hours to bust the operating system's various layers of security, but he got there.
"I'm honestly surprised it was this easy," he said in a call after his attack. "When I looked at the branding and the marketing for the new operating system, I thought they had further enhanced it. I would've wanted more restrictions on trying to run privileged processes instead of it being such a short process."
Ouch. Microsoft, naturally, responded by insisting that black was white: ZDNet's test, it said, did not show what it plainly showed. At the same time, it quietly walked back the original claim itself, in comments made to Gizmodo:
Microsoft, meanwhile, roundly rejected ZDNet’s assertion that its test proved Windows 10 S is, in fact, vulnerable to ransomware attacks. “In early June we stated that Windows 10 S was not vulnerable to any known ransomware, and based on the information we received from ZDNet that statement holds true,” a spokesperson said.
Added the spokesperson: “We recognize that new attacks and malware emerge continually, which is why [we] are committed to monitoring the threat landscape and working with responsible researchers to ensure that Windows 10 continues to provide the most secure experience possible for our customers.”
Clearly, based on the test conducted by ZDNet and Hickey, Microsoft’s claim is specious at best. While Windows 10 S may be less vulnerable to attack because it will only run rigorously tested software approved by Microsoft, there *are* still ways to infect machines running the OS.
Although Microsoft never actually claimed to have built an unhackable machine, even implying that its OS is invulnerable to all “known ransomware” is pretty pretentious. Bold security claims invite challenge. Since Microsoft summarily dismissed ZDNet’s research without much explanation, I’d expect to see more egg on its face soon.
That eggy expectation was realized later in the week, when a sizeable portion of Windows 10's source code was discovered to have leaked online, as first reported by The Register:
A massive trove of Microsoft's internal Windows operating system builds and chunks of its core source code have leaked online.
The data – some 32TB of official and non-public installation images and software blueprints that compress down to 8TB – were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the confidential data in this dump was exfiltrated from Microsoft's in-house systems around March this year.
The leaked code is Microsoft's Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code.
Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels. It is supposed to be for Microsoft, hardware manufacturers, and select customers' eyes only.
The leak was later confirmed by Redmond to The Verge:
“Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners,” reveals a Microsoft spokesperson in an email to The Verge. While The Register claims 32TB of data, including unreleased Windows builds, has been leaked, The Verge understands most of the collection has been available for months, or even years.
[...]
The source code leak comes just a day after two men were arrested in the UK as part of an investigation into unauthorized access to Microsoft’s network. Detectives executed warrants to arrest a 22-year-old man from Lincolnshire, and a 25-year-old man from Bracknell. The Verge understands both men have been involved in collecting confidential Windows 10 builds, and that at least one is a donator to the Beta Archive site. A spokesperson for Thames Valley police refused to provide more information on the arrests to The Verge, and would not confirm the two identities of the individuals.
It’s not clear if the arrests are directly linked to the source code leak, but Microsoft is evidently concerned about some potential intrusions into its networks by Windows enthusiasts. The alleged offences took place between January and March, and a large dump of confidential Windows 10 builds was leaked to Beta Archive on March 24th. An administrator of Beta Archive, named only as "mrpijey," revealed "with the help of members (whose names shall never be mentioned) I've downloaded a whole lot of Windows Insider builds of Windows 10 directly from Microsoft" at the time of the leak. Ars Technica also reports that Microsoft’s build systems may have been hacked in March.
Now can everyone stop pretending that Windows 10 is some sort of security silver bullet? Or that Microsoft are the very bestest experts in all matters relating to cyber security? Because, frankly, I'm a little sick of seeing and hearing the "Windows 10 is more secure" argument from every Microsoft apologist who has spent time scare-mongering on Microsoft's behalf, trying to terrify Windows 7 users into switching operating systems. This argument is not winning anyone over; it's time to let it go.

"There is no such thing as perfect security, only varying levels of insecurity."
- Salman Rushdie