Windows Source Code Security Breach Troubles Some Experts
Security firms have raised the alarm after some Windows source code leaked onto the Web, but there's no consensus about how much damage may result.
Technology experts disagree about the level of risk Microsoft customers face from the leak onto the Web of portions of the source code for Windows NT and Windows 2000.
Microsoft confirmed the unauthorized release late Thursday, marking yet another security blow in a week that saw worm attacks and major vulnerabilities in Windows revealed.
"It's illegal for third parties to post Microsoft source code, and we take such activity very seriously," Microsoft said in a statement posted on its Web site. "We are currently investigating these postings and are working with the appropriate law-enforcement authorities."
News of the leaked source code circulated on Windows enthusiast Web sites and throughout the cracker underground Thursday. Estimates of the amount of source code available ranged from 15% to almost half. However, the code couldn't be compiled, making it impossible for someone to recreate Windows for illegal distribution.
But security firms were quick to raise the alarm.
"We expect to see more vulnerabilities and exploits occur as a result of this serious breach," said Ken Dunham, director of malicious code research at security firm iDefense. "Even though it's a partial breach of source code, it's significant in the fact that attackers can now look at the code."
Other experts disagreed, pointing out that the source code of open source software, such as the Linux operating system, has always been available, yet some experts consider those programs more secure than some proprietary products.
"Simply releasing source, in and of itself, does not necessarily constitute a major security breach," said Rob Enderle, principal analyst at the Enderle Group. "If it had been the entire product, there could be the likelihood of clone products that contained hostile code."
However, Oliver Friedrichs, senior manager at anti-virus software maker Symantec, said the major difference with open-source software is that its source code is available to everyone. In the latest incident, hackers are the ones most likely to download the Windows code, while mainstream developers would stay clear of it to avoid copyright violations. "With open source, both white hats and black hats have equal access to the source code," Friedrichs said.
Even if hackers discover vulnerabilities in Windows, it doesn't mean it would be technologically possible to exploit them, Gartner analyst John Pescatore said. "The source code definitely helps you understand what's going on inside the software, but that doesn't mean you can attack the software any better," Pescatore said. "You still have to attack from the outside."
BetaNews, a developer-focused technology Web site, said Friday that an analysis of the leaked Windows 2000 code traced it to a development machine used by the director of technology at Mainsoft Corp., a maker of tools for porting Microsoft applications to Unix and other operating systems. But it was unclear how the source code, some 31,000 files altogether, managed to work its way from the Mainsoft computer to the Web.
Mainsoft was one of the original licensees of Windows source code. Prior to the 2001 launch of Microsoft's Shared Source program, Microsoft offered up code to a very limited number of firms through its earlier Windows Interface Source Environment program. Mainsoft was one of the few licensees under that program.
Mainsoft issued a statement Friday on its Web site, saying it "takes Microsoft's and all our customers' security matters seriously, and we recognize the gravity of the situation. We will cooperate fully with Microsoft and all authorities in their investigation. We are unable to issue any further statement or answer questions until we have more information."
The Microsoft investigation is being headed by its Shared Source program, not by its security division. The Shared Source program consists of a number of licensing arrangements whereby businesses, governments, and other approved parties can access operating system and application source code for development purposes.
Microsoft said in its statement that no one at the company appeared responsible for the leak. "At this point it does not appear that this is the result of any breach of Microsoft's corporate network or internal security," it said.
If it's determined that the leak came out of a shared code licensee, Microsoft will be caught between a rock and a hard place, said Michael Cherry, a lead analyst at Directions on Microsoft.
"I'm not sure what people want from Microsoft," he said. "People want Microsoft to open their code, and they have, with all the best intentions. But if this leaked from that program, Microsoft may just say, 'Maybe we shouldn't let people see our source code after all.'"