Secret Windows code leaked on internet

Microsoft has confirmed that some of the secret code underpinning its Windows NT and Windows 2000 operating systems has been...

Microsoft has confirmed that some of the secret code underpinning its Windows NT and Windows 2000 operating systems has been leaked on the internet.

Incomplete portions of Windows NT and Windows 2000 source code were "illegally made available on the internet", said Microsoft spokesman Tom Pilla.

Microsoft has no information on the source of the leak and has called in the US Federal Bureau of Investigation.

There is no indication that the leak was the result of any breach of the Microsoft corporate network or the company's internal security. "At this point in time there is no known impact to customers," Pilla said.

Source code is pre-compiled code in the form of readable lines of text, usually with comments. It can be compiled into code that can run but cannot be read. The Windows code on users' PCs is all compiled code.

A breach of the Windows source code - a mix of assembler, C and C++ code - could expose users to an increase in cyberattacks because it would make it easier for hackers to find holes in the operating systems that they can exploit.

It would also mean that Microsoft's closely guarded intellectual property is now out in the open, said Joe Wilcox, a senior analyst with Jupiter Research.
Those who said they have downloaded the source code claim to have a 200Mbyte compressed file that expands into roughly 600Mbytes of code. Microsoft officials told industry analysts that this is roughly correct and that it represents about 15% of Windows source code.

However, Wilcox said that a much greater percentage of the Windows code may have been leaked. Windows 2000 has about 35 million lines of code, and people who have seen the leaked code said it contains about 13.5 million lines.

The code leak could lead to a host of new attacks on systems running Windows 2000 and Windows NT, warned Thor Larholm, a senior security researcher at PivX Solutions.

"Depending on what particular code was leaked I would say this has a lot of potential for new security vulnerabilities. The next weeks to come will confirm whether we see a rise in exploits," he said.

But Rob Enderle, principal analyst at Enderle Group, said that with the amount of Windows code already available through various Microsoft programs, the security implications are limited.

"A release of source code on the web is more embarrassing in these days of open source then it is damaging," he said.

The source code of the two OSes was rumoured to be available on a peer-to-peer file-sharing network as well as on IRC (internet relay chat).

This is not the first time that Microsoft has faced a leak of its source code. In 2000, it confirmed that outsiders had accessed some of the code underlying a version of Windows as well as Office.

Joris Evers writes for IDG News Service

Read more on IT risk management