Microsoft has confirmed that some of the secret code
underpinning its Windows NT and Windows 2000 operating systems has
been leaked on the internet.
Incomplete portions of Windows NT and Windows 2000 source code
were "illegally made available on the internet", said Microsoft
spokesman Tom Pilla.
Microsoft has no information on the source of the leak and has
called in the US Federal Bureau of Investigation.
There is no indication that the leak was the result of any
breach of the Microsoft corporate network or the company's internal
security. "At this point in time there is no known impact to
customers," Pilla said.
Source code is pre-compiled code in the form of readable lines
of text, usually with comments. It can be compiled into code that
can run but cannot be read. The Windows code on users' PCs is all
compiled code.
A breach of the Windows source code - a mix of assembler, C and
C++ code - could expose users to an increase in cyberattacks
because it would make it easier for hackers to find holes in the
operating systems that they can exploit.
It would also mean that Microsoft's closely guarded intellectual
property is now out in the open, said Joe Wilcox, a senior analyst
with Jupiter Research.
Those who said they have downloaded the source code claim to have a
200Mbyte compressed file that expands into roughly 600Mbytes of
code. Microsoft officials told industry analysts that this is
roughly correct and that it represents about 15% of Windows source
code.
However, Wilcox said that a much greater percentage of the
Windows code may have been leaked. Windows 2000 has about 35
million lines of code, and people who have seen the leaked
code said it contains about 13.5 million lines.
The code leak could lead to a host of new attacks on systems
running Windows 2000 and Windows NT, warned Thor Larholm, a senior
security researcher at PivX Solutions.
"Depending on what particular code was leaked I would say this
has a lot of potential for new security vulnerabilities. The next
weeks to come will confirm whether we see a rise in exploits," he
said.
But Rob Enderle, principal analyst at Enderle Group, said that
with the amount of Windows code already available through various
Microsoft programs, the security implications are limited.
"A release of source code on the web is more embarrassing in
these days of open source then it is damaging," he said.
The source code of the two OSes was rumoured to be available on
a peer-to-peer file-sharing network as well as on IRC (internet
relay chat).
This is not the first time that Microsoft has faced a leak of
its source code. In 2000, it confirmed that outsiders had accessed
some of the code underlying a version of Windows as well as
Office.
Joris Evers writes for IDG News Service