Windows Source Code Security Breach Troubles Experts

Portions of the source code of Microsoft Corp.'s Windows NT and Windows 2000 operating systems have leaked onto the Web, but technology experts Friday disagreed over the level of risk the security breach presented to the software maker's customers.

The Redmond, Wash.-based company confirmed the unauthorized release late Thursday, marking yet another security blow to Microsoft in a week that saw worm attacks and major vulnerabilities in Windows revealed.

"It's illegal for third parties to post Microsoft source code, and we take such activity very seriously," Microsoft said in a statement posted on its Web site. "We are currently investigating these postings and are working with the appropriate law-enforcement authorities."

News of the leaked source code circulated on Windows enthusiast Web sites and throughout the cracker underground Thursday. Estimates ranged from 15 percent to almost half of the operating systems' code were available. The code, however, could not be compiled, making it impossible for someone to recreate Windows for illegal distribution.

Security firms, however, were quick to raise the alarm."We expect to see more vulnerabilities and exploits occur as a result of this serious breach," Ken Dunham, director of malicious code research at security firm iDefense Inc., said. "Even though it's a partial breach of source code, it's significant in the fact that attackers can now look at the code."

Other experts, however, disagreed, pointing out that the source code of open source software, such as the Linux operating system, has always been available, yet some experts consider those programs more secure than some proprietary products.

"Simply releasing source, in and of itself, does not necessarily constitute a major security breach," Rob Enderle, principal analyst with the Enderle Group, said. "Now, if it had been the entire product, there could be the likelihood of clone products that contained hostile code."

However, Oliver Friedrichs, senior manager for anti-virus software maker Symantec Corp., said the major difference with open source software is that its source code is available to everyone. In the latest incident, hackers are the ones most likely to download the Windows code, while mainstream developers would stay clear of it to avoid copyright violations.

"With open source, both white hats and black hats have equal access to the source code," Friedrichs said.Even if hackers discovered vulnerabilities in the operating systems, however, that doesn't mean it would be technologically possible to exploit them, John Pescatore, security analyst for Gartner Inc., said.

"The source code definitely helps you understand what's going on inside the software, but that doesn't mean you can attack the software any better," Pescatore said. "You still have to attack from the outside."

Microsoft said in its statement that no one at the company appeared responsible for the leak. "At this point it does not appear that this is the result of any breach of Microsoft's corporate network or internal security," the company said.

Interestingly, the Microsoft investigation is being headed by its Shared Source program, not by its security division. The Shared Source program consists of a number of licensing arrangements whereby enterprises, governments, and other approved parties can access operating system and application source code for development purposes.

If it's determined that the leak came out of a shared code licensee, Microsoft will be caught between a rock and a hard place, said Michael Cherry, a lead analyst with Directions on Microsoft."I'm not sure what people want from Microsoft," he said. "People want Microsoft to open their code, and they have, with all the best intentions. But if this leaked from that program, Microsoft may just say, 'Maybe we shouldn't let people see our source code after all.'"