Windows IT Pro

February 18, 2004

Source Code Leak Prompts Vulnerabilities, Warning from Microsoft

   Hackers and security researchers who downloaded the leaked Windows 2000 source code over the weekend have already found a security vulnerability to exploit, although it affects only the out-of-date Microsoft Internet Explorer (IE) version that shipped with the original Win2K. The vulnerability, which affects IE 5.01, lets an attacker compromise a user's PC when the user visits a malicious Web site. On one hand, Microsoft says that not only does the vulnerability affect only a single, older version of IE, but the company found and fixed it during its Trustworthy Computing code review 2 years ago. On the other hand, about 10 percent of Web browser users--more than use Mozilla, Netscape, Opera, and Apple Computer's Safari combined--still run IE 5.01, so the installed base exposed to this bug is far from negligible.
   "[The vulnerability] doesn't affect IE 6," Mike Reavey, a Microsoft security program manager, said. "It does look like it was one of the things that was found during the code review." Microsoft is cautioning users to upgrade to the most recent IE version--IE 6 with Service Pack 1 (SP1)--to ensure the safest possible Web experience. But the near-instantaneous discovery of a vulnerability from the leaked source makes me wonder how many more will surface in the coming days. And, unlike the IE vulnerability, some of them might also affect the most current versions of Windows, including Windows Server 2003 and Windows XP, which share much of their code base with Win2K: any function that survives unchanged in those products inherits whatever flaw an auditor finds in the Win2K copy. "We take this seriously," a Microsoft spokesperson said Friday. "It's illegal for third parties to post or make our source code available. From that standpoint we've taken appropriate legal action to protect our intellectual property."
   Microsoft has also taken the interesting step of warning users to keep their hands off the stolen source code. On Monday, the company issued legal warnings to people who had downloaded or distributed the code. "The unauthorized copying and distribution of Microsoft's protected source code is a violation of both civil and criminal copyright and trade secret laws," the warning said. "If you have downloaded and are making the source code available for downloading by others, you are violating Microsoft's rights, and could be subject to severe civil and criminal penalties." Microsoft then demanded that downloaders destroy their copies of the source code and disclose where they obtained it.




Reader Comments
"Microsoft has also taken the interesting step of warning users to keep their hands off the stolen source code. On Monday, the company issued legal warnings to individuals who had downloaded or distributed the code."

OMG Paul, you're in trouble! You wrote:

"Yesterday morning, one of my Microsoft contacts popped open an Instant Messaging (IM) window and asked me whether I'd seen something he discovered online. He then showed me part of the Windows 2000 source code called WINVER.C, which was dated March 8, 1989."

Are you going to reveal your contact? After all, Microsoft DEMANDED it. This contact showed it to you (i.e., distributed it), and you'd better 'fess up. I don't think you'd last long in prison, Paul.


Editor's note: Only if required by a judge, Wendy. --Paul

Wendy Rebecca February 18, 2004


Quite frankly, I find Microsoft's responses to this leak so far to be totally unsatisfactory. As I have previously stated, I'm a fan of Microsoft's products, and have defended them to my Linux- and Mac-loving friends on many occasions; however, I am becoming increasingly concerned that Microsoft is going to do nothing other than roll out the legal warnings, which will likely not scare off the more determined of the so-called 'black hat' hackers, who've long since pledged allegiance to the penguin and will stop at nothing to do the maximum amount of damage possible to Microsoft.

We NEED to see Microsoft conducting a secondary code review of the leaked source code, as a matter of urgency, to proactively look for vulnerabilities that may be exploited.

Mark Lomas February 18, 2004


Something I don't understand. The leaking of Windows source code is considered a threat, but Linux is open source. If having source code on the Internet is such a big security risk, then Linux must not be suitable for anyone. You can't have it both ways. Either the Windows leak is nothing to worry about, or Linux should not be used. What about more articles on the bugs in the major Linux distributions (Red Hat/SUSE)?

Rob February 19, 2004


"Editor's note: Only if required by a judge, Wendy. --Paul "

Nah, you're safe. I was just jokin' with you anyway.

Besides, Microsoft won't bother you. You're one of the best shills they've got. No sense endangering the franchise by harassing Paul Thurrott. ;-)


Editor's note: Hey, that's hilarious. On the other hand, I have been threatened and warned by Microsoft on various occasions. --Paul

Wendy Rebecca February 19, 2004


@Rob

The leaking of Windows source is considered a threat because, some people argue, Windows relies on "security through obscurity", which means that programmers rely on the fact that people don't have access to the source to make it hard to crack. Because this isn't possible with Linux, a different philosophy has to be used: programmers have to design a system that is secure even if people know exactly how it works. Most encryption methods used today are publicly available, but they are still hard to crack. Relying on "security through obscurity" is a bad idea, and hopefully MS have not done that.

Robert Knight February 19, 2004


@Rob: It's widely acknowledged that "security by obscurity" (i.e., closed-source software such as MS's) is highly dangerous and insecure.

For example, an encryption scheme is "secure" if, and only if, an attacker who knows the exact code cannot decrypt a message without the appropriate key (i.e., security is based on the key and not on the code). You cannot attack, despite knowing the code.

If security is based on the assumption that you are not vulnerable because a cracker does not know your code, you have a big problem as soon as a cracker gets your code or finds a vulnerability by other means (proven by almost daily new holes in MS software).
Furthermore, as a user of such software, you can neither verify nor protect yourself by changing the code (hence the necessity to invest in additional security software: you can't trust MS built-in security).

Open-source software can be verified and, if necessary, changed by everyone. There is no false assumption that a hacker does not know the code. So security has to be "real" and not just a marketing promise.

With the leak of some MS code, not much has changed: maybe some crackers now have an easier life and some users are now aware of closed-source dangers. But all in all, MS software stays insecure.


Editor's note: You can't have DRM without "security by obscurity." Even Real's "open source" Helix solution doesn't let its DRM scheme out in the open. How widely acknowledged is this theory, really? --Paul

pit February 20, 2004


"You can't have DRM without "security by obscurity.""

Is that so? Well - dream on, expert..

(For everybody else: I recommend having a look at some of the works of Bruce Schneier (http://www.schneier.com) on that matter.)

On a side note:

From The Free On-line Dictionary of Computing (27 SEP 03):

security through obscurity

Or "security by obscurity". A term applied by hackers to most operating system vendors' favourite way of coping with security holes - namely, ignoring them, documenting neither any known holes nor the underlying security algorithms, trusting that nobody will find out about them and that people who do find out about them won't exploit them. This never works for long and occasionally sets the world up for debacles like the RTM worm of 1988 (see Great Worm), but once the brief moments of panic created by such events subside most vendors are all too willing to turn over and go back to sleep. After all, actually fixing the bugs would siphon off the resources needed to implement the next user-interface frill on marketing's wish list - and besides, if they started fixing security bugs customers might begin to *expect* it and imagine that their warranties of merchantability gave them some sort of rights.

pit February 20, 2004


Editor's note: You can't have DRM without "security by obscurity." ... How widely acknowledged is this theory, really? --Paul

As others have suggested, perhaps you should take a few moments to read up on security theory before making statements that clearly show you don't know what you're talking about. This is almost as bad as the time you kept insisting that the Windows EAL was somehow related to the relative security of the Windows platform, which it isn't.

I think you're confusing the obscurity of information, such as encryption keys, with obscurity of the algorithm in use, such as public key. It is perfectly accepted practice to make the algorithm known but the secret info hidden. This is NOT considered "security by obscurity."

As someone who has actually designed and implemented security solutions, and keeps a close eye on industry developments, trust me on this one. Security by obscurity is not considered good practice. A system that has been subject to extensive peer review, with a known algorithm, is much preferred.

John F. Braun February 25, 2004
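The thread above turns on the distinction between a secret algorithm and a secret key (Kerckhoffs's principle: a system should stay secure when everything about it except the key is public). The following is an added example, written for this page and not taken from the article or from any commenter, that makes the distinction concrete in Python's standard library. It contrasts a message-authentication tag whose only protection is an unpublished salt baked into the source ("scheme A") with an HMAC-SHA256 tag under a runtime key ("scheme B"), then plays the role of an attacker who has just obtained the source code. The salt value, the messages and the function names are all constructed for the demonstration.

```python
"""
Added example (not from the article or any commenter): what a source leak
does to a scheme that depends on the secrecy of its code, versus one that
depends only on the secrecy of a key.  All constants and messages below are
constructed for this demonstration.
"""
import hashlib
import hmac
import secrets

# --- Scheme A: "security through obscurity" -------------------------------
# The tag is SHA-256(salt || message), truncated.  The salt is a constant in
# the program, so it is secret exactly as long as the source code is.
_OBSCURE_SALT = b"w2k-build-2195"   # constructed; stands in for any hard-coded secret


def obscure_tag(msg: bytes) -> str:
    return hashlib.sha256(_OBSCURE_SALT + msg).hexdigest()[:16]


def obscure_verify(msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(obscure_tag(msg), tag)


# --- Scheme B: public algorithm, secret key --------------------------------
# HMAC-SHA256 is fully documented (RFC 2104); only `key` needs protecting.
def keyed_tag(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def keyed_verify(key: bytes, msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, msg), tag)


# --- The attacker after the leak ------------------------------------------
# Models "the source has leaked": the attacker can read and call every
# function in this file, but does not hold scheme B's runtime key.
def attacker_forge_after_leak(target_msg: bytes) -> dict:
    # Scheme A: the leaked source contains everything needed to forge.
    forged_a = obscure_tag(target_msg)
    # Scheme B: the attacker knows hmac and sha256 exactly but lacks the key.
    # Without it, the best available move is to guess one; a 256-bit key is
    # not guessable, so this forgery is expected to fail.
    guessed_key = secrets.token_bytes(32)
    forged_b = keyed_tag(guessed_key, target_msg)
    return {"a": forged_a, "b": forged_b}


def demo() -> dict:
    key = secrets.token_bytes(32)          # generated per deployment; never in source
    msg = b"transfer 10 USD to alice"      # constructed sample message
    evil = b"transfer 10000 USD to mallory"

    tag_a = obscure_tag(msg)
    tag_b = keyed_tag(key, msg)
    forged = attacker_forge_after_leak(evil)

    return {
        "legit_a": obscure_verify(msg, tag_a),
        "legit_b": keyed_verify(key, msg, tag_b),
        "forgery_a_accepted": obscure_verify(evil, forged["a"]),
        "forgery_b_accepted": keyed_verify(key, evil, forged["b"]),
    }


if __name__ == "__main__":
    print(demo())
```

Both schemes accept the legitimate message; after the leak, the attacker's forgery is accepted under scheme A and rejected under scheme B, because knowing the HMAC construction contributes nothing without the key. The practical check this suggests for any code base, leaked or not, is to look for secrets that live in the source (hard-coded salts, keys, passwords, "magic" constants a check depends on): a leak turns each of them into a public constant, whereas a keyed design survives the leak unchanged.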

