The IT industry had the uncomfortable experience last week of watching security analysts — and presumably their shadowy competition, cybercriminals — examining source code from the proprietary Windows operating system.
About 660MB of source code from Windows 2000 and Windows NT 4 circulated on file-sharing networks, alongside dummy copies containing only empty data. Microsoft confirmed the leak on Monday and called in the FBI.
Carol Leishman, Microsoft New Zealand’s communications manager, says the leak hasn’t compromised the security of Windows computers and the company is treating the theft as an intellectual property infringement issue.
“We’ll do all we can to make sure our customers are protected,” Leishman says. “At this point there is no known impact on our customers.”
Posters to the BugTraq mailing list noted that the code archive was far from complete and couldn’t be easily compiled.
However, within days of the leak a vulnerability was reported in Internet Explorer 5, based on analysis of the source code. Microsoft says it found the bug internally and had fixed it in the latest version of IE6.
Leishman says it’s too early to speculate on the likely impact of Windows source in the wild. Asked whether the unknown thieves could have stolen more source code than the files circulated on the internet, Leishman says Microsoft doesn’t know.
“We have no indication of that,” she says. “This is the first time [code has been stolen] to the best of our knowledge.
“I think it’s really all speculative.”