Microsoft has called in the FBI to locate the source of proprietary Windows source code circulated on the internet, but customers have nothing to fear at this stage, the company says.
Carol Leishman, Microsoft NZ’s communications manager, says the leak hasn’t compromised the security of computers and the company is treating the theft as an intellectual property infringement issue.
“We’ll do all we can to make sure our customers are protected,” Leishman says. “At this point there is no known impact on our customers.”
Rumours of the leaked code started to spread across the internet late last week and were confirmed on Monday when Microsoft said “portions” of the Windows 2000 and Windows NT4 source code had been distributed online. The FBI was notified.
Leishman declined to “speculate” on the possible impact of the leak. Asked whether the unknown thieves could have stolen more source code than the 600MB circulated on the internet, Leishman says Microsoft doesn’t know.
“We have no indication of that,” she says. “This is the first time [code has been stolen] to the best of our knowledge.
“I think it’s really all speculative.”
Microsoft makes some of its source code available to about 3000 governments, customers and partner companies as part of its Shared Source initiative, Leishman says, but has “no information” that the programme was the source of the theft.
In fact, a poster to the BugTraq mailing list suggested that the source contained references to Mainsoft Corporation, a longtime Microsoft partner. Mainsoft released a 65-word statement this week to announce the company was “cooperating fully with Microsoft and all authorities in their investigation” and declining further comment.
Mainsoft is not a member of the Shared Source programme.
The source code package circulating on the internet contains about 660 megabytes of raw files. An analysis published on the Kuro5hin website suggests it contains about 15% of the entire Windows 2000 source.
Most of the code dates from July 25, 2000. The author of the Kuro5hin article says the code is “generally excellent” — well documented, checked for obvious security holes, and apparently free of copyrighted code from the GNU, Linux or BSD open-source efforts.
Nevertheless, the files will be examined with interest. On Sunday a vulnerability was reported in Internet Explorer 5, based on an examination of the leaked code. The most recent version of the browser, IE 6, is not affected.