[ISN] Microsoft Says Parts of Source Code Were Leaked

From: InfoSec News (isn@private)
Date: Fri Feb 13 2004 - 06:20:45 PST

    Forwarded from: William Knowles <wk@private>
    
    http://www.washingtonpost.com/wp-dyn/articles/A38314-2004Feb12.html
    
    By Brian Krebs
    Special to The Washington Post
    Friday, February 13, 2004
    
    Microsoft Corp. last night confirmed that portions of the source code 
    for two versions of its Windows operating system have leaked onto the 
    Internet, a security breach that could give hackers important 
    intelligence about how to exploit flaws in software run by many of the 
    world's computers.
    
    "Today we became aware that incomplete portions of Windows 2000 and NT 
    4.0 source code were illegally made available on the Internet," 
    Microsoft spokesman Tom Pilla said. "It's illegal for third parties to 
    post Microsoft source code and we take that activity very seriously."
    
    Pilla said the company does not know how much of the code was 
    compromised, but he said Microsoft believes it was not a complete 
    version of either operating system. There was no indication of a 
    breach in Microsoft's internal network, Pilla said. He said the FBI is 
    investigating.
    
    Windows 2000 and NT are widely deployed in business networks; less so 
    on home computers.
    
    Computer security experts said the release of Windows source code 
    could pose a threat to Internet security, depending on what portion of 
    the code was leaked.
    
    A leak of any portion "could dramatically increase the probability 
    that new zero-day vulnerabilities will be found," said Alan Paller, 
    director of research at the SANS Institute, a security training group 
    based in Bethesda.
    
    "Zero day" attacks exploit a security vulnerability before or at the 
    same time a software maker learns of the flaw. 
    
    Thor Larholm, senior security researcher at Newport Beach, 
    Calif.-based PivX Solutions, said the Windows source code file being 
    traded on the Internet appears to be roughly 660 megabytes in size, 
    about one CD-ROM's worth of data. That is far short of the estimated 
    40 gigabytes of data that make up the entire Windows code.
    
    But even a partial leak "is a potentially very serious problem for 
    Microsoft," Larholm said. "Just look at the vulnerabilities that are 
    discovered by people who didn't have access to the source code."
    
    Howard Schmidt, former head of security at Microsoft, said he was less 
    concerned about the security implications of the leak than its 
    potential threat to Microsoft's intellectual property.
    
    "From a security standpoint, this is sort of like capturing a 1956 
    Russian fighter jet," said Schmidt, now chief security officer at 
    online auction giant eBay. "Everyone has been beating on Windows 2000 
    and NT for a long time, and any flaws that may be found have likely 
    been fixed long ago. Frankly, I'd be more worried that someone was 
    going to use this as a base for developing software or another 
    operating system based on Microsoft's proprietary code."
    
    The Redmond, Wash.-based software giant closely guards the Windows 
    source code but does license portions of it to security researchers 
    and more than 50 universities under its "Shared Source Initiative."
    
    Microsoft, in a competitive strike against the rival Linux operating 
    system, last year said it would begin sharing large portions of the 
    source code with governments around the world that want to validate 
    the security of the software before deploying it in national defense 
    and other sensitive areas. 
    
    Unlike open-source software like Linux, the code comprising Windows is 
    not open for public inspection. Linux users are encouraged to 
    participate in an open, continuous cycle of modifications and upgrades 
    that its proponents say results in systems that are more secure and 
    reliable than those powered by proprietary code like Windows.
    
    
    Brian Krebs is a reporter for washingtonpost.com. Staff writers Mike 
    Musgrove and Jonathan Krim contributed to this report. 
    
    
    
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Feb 13 2004 - 10:02:41 PST