Windows code leaked
Kate Mackenzie and wires
FEBRUARY 13, 2004
MICROSOFT has confirmed that portions of its Windows 2000 source code have been leaked over the internet, as speculation grows about the ramifications of the incident and the contents of the file.
An early statement from Microsoft called the report that code for both Windows 2000 and its predecessor Windows NT had been leaked a "rumour" which was "based on the speculation of an individual who saw a small section of un-identified code and thought it looked like Windows code".
However, a short time later, Microsoft issued a statement saying it was "aware that incomplete portions of the Windows 2000 source code were illegally made available on the internet".
"We are currently investigating the illegitimate posting and are working with the appropriate law enforcement authorities," the statement said.
Microsoft does not know how much of the code had been leaked or how many people may have gained access to it. The company could not immediately pinpoint the source of the leak, but said there was "no indication" it was a breach of Microsoft's own security.
The company was at pains to point out that governments, companies, developers and universities from around the world have had access to some Windows source code under Microsoft's "Shared Source" initiative during the past three years.
The leaked source code files are believed to be only about 660MB - a fraction of the total volume of Windows code.
Nevertheless, news of the leak spread like wildfire around the internet technical community, with iconic tech news website Slashdot receiving in excess of 2000 postings about the incident within a few hours of mentioning it.
Unconfirmed reports about the contents of the source code file, which is believed to be about 200MB, abounded on the internet. One claimed that comments in the code made references such as "potentially off-by-1, but who cares..." and that various profanities also appeared.
There were more outlandish claims about the code - such as one which said there were references to the GNU General Public Licence, which is widely used in open source software.
Some observers have speculated that it could be a hoax, or even a deliberate attempt by Microsoft to discredit the open source movement by simultaneously planting Windows source code into Linux in order to launch a SCO-style legal attack on its open source nemesis.
Australian security expert Matt Barrie, who heads Sensory Networks, said there had been numerous instances of parts of Windows source code posted over the internet, dating back to at least 1997.
"There's been other software too, like Cisco's IOS - anything you can think of is out there."
Some analysts said Microsoft's Shared Source and other source code initiatives meant it wasn't too surprising for such a leak to occur at some point - either intentionally or unintentionally.
"It seems unlikely this is going to create a material, significant security problem," said Rob Enderle, a technology expert and principal analyst with the Enderle Group. "It's more embarrassing than anything else because it makes it look like Microsoft can't control its code."
Although the release of the source code could have security ramifications, the effect of the leak is likely to hit Microsoft's own reputation much harder than it will affect Windows users.
Daniel Zatz of Computer Associates said that as it appeared to be only a small portion of the source code, Microsoft's main problem could be a public relations disaster.
"For example if people find holes in Windows 2000 that should've been fixed as part of (Microsoft's) trustworthy computing initiative, obviously there'll be some backpedalling from Microsoft," he said.
Mr Zatz also said the publicity around the leak meant there was a risk it could spark a new round of email viruses and worms using social engineering tactics to target more tech-savvy users.
"The IT community are generally fairly security-savvy and wouldn't (open infected emails), but the fact that it's the geeks that will be looking for the code," he said.