Thought for the day: Code leaked, sky to fall?

Exposure of Windows code is not the end of the world, says Jay Heiser


Bill Gates will deliver a major speech today. He may have been embarrassed by the appearance of Microsoft source code on the internet, but Jay Heiser insists it was no big deal.

After the ludicrous estimates of MyDoom damage were proven false, you might think that Chicken Little would have the good grace to spend some quiet time in the coop.

Unfortunately, the double whammy of Microsoft releasing a "critical" security patch and the leakage of some of its source code has wound the hype mill right back up again. Expect falling skies and the end of life as we know it.

Before taking Chicken Little's fowl advice and shutting down your e-commerce site, let us be realistic about the significance of the source code theft. Yes, it is security relevant, but it is not an event of life-changing significance.

First, having access to source code is useful in finding bugs, but it does not mean that any vulnerabilities it contains are immediately apparent, let alone exploitable. Years of debate within the specialist community over the security ramifications of releasing source code have yet to reach any useful conclusion, but it is worth remembering that the December 2000 release of much of the Solaris 8 source code did not result in a spate of new Unix attacks.

Second, in "internet years" this stolen Windows 2000 and NT 4.0 code has been around for a while. Presumably much of it remains within XP, but a fully-patched XP box today benefits from a significant number of security fixes and re-engineering in security code. Thousands of people have been poking and prodding the binary version of this code for years, so it is pretty well picked over.

Third, of all announced vulnerabilities, fewer than 1% are ever exploited in any significant way. Even if access to this source results in the discovery of 100 new "vulnerabilities", the odds are against any of them representing a significant opportunity for widespread attack. It is a needless burden to assume that every vulnerability must be fixed immediately.

We have already seen one, and over the coming weeks, more hackers and "security researchers" will announce that they have discovered security holes in this source code, claiming profound ramifications. History demonstrates that these people are much cleverer at hacking than at estimating risk implications for the business.

Interpreting every piece of bad news as the precursor to disaster is counterproductive, sending the message to the user-base, management, law enforcement and general public that everything they read about information security is hype. The next time a real information security wolf arrives, I hope the much-abused internet villagers do not ignore the warnings.

If you are concerned about this latest Microsoft embarrassment, maybe it is a legitimate subconscious concern that your security house is not in order. The most important thing you can do is concentrate on the basics. Organisations that figure out which practices are essential and implement them consistently across the enterprise will maintain a low rate of security failure, even in an ever-changing threatscape.


Jay Heiser is principal analyst at TruSecure
