Windows Source code leaked

[dwEEziL]

Well, by now most everyone has probably learned that a portion of the Windows source code (some NT 4 code as well as some Win2k coce) was leaked to the public accidentally about a week ago. While this could be bad for Windows administrators, like myself, due to a possibility of increased unknown vulnerabilities being discovered on a much quicker pace, it could also be a good thing as the Unix/Linux/other open source OS community has been using an open review process for a very long time and is dedicated to finding and fixing vulnerabilities quickly.

 

My topic for discussion here is, what are your thoughts on the ramifications it will have on the Windows community. Please don't just come in here bash Windows. You should be able to back up your opinion with some sort of logic. I will delete any posts along the lines of "Micro$oft is bad mm'kthx bye".

Edited February 17, 2004 by dwEEziL

[Playaa]

well I find it odd that M$ said that there was no leak yet at the same time had the FBI hunting the leakers...

 

I actually don't think it will cause as big of a problem as some people think...it's just a 400mb chunk of code (if I remember correctly) and the full OS is over 40gigs un-compiled...

[All Kill3r]

well I find it odd that M$ said that there was no leak yet at the same time had the FBI hunting the leakers...

http://www.microsoft.com/presspass/press/2...ndowssource.asp

 

im thinking this isnt a very big deal. The next SP will just be a bit bigger now that security codes are gonna need some re-coding, thats my guess. Maybe a few more viruses and few more headaches for networkers then usual but no large scale chaos from it.

[[VI]ROosTEr]

Yeah, this is probably overblown. These leaks, however, may someday challenge Microsoft to make a secure NOS.

[dwEEziL]

I am kind of interested in it. My gut tells me this might just be another scam from MS and they might have purposely leaked the code.

 

Here is my thinking. The code that was leaked (portions of NT 4 and W2k) is from older software (XP and 2k3 are the current OS'es with W2k being almost 2 generations old since XP's real version name is NT 5.1).

 

Second, based on the following article I read today, it seems that the code leaked will not lead to many new vulnerabilities being discovered based on it's content.

 

Third, the leaked code, because of in-code comments, actually paints MS in a kinder light, i.e. some of the comments were for code exceptions that MS made for 3rd party software that broke because it used a known vulnerability that MS had patched. It shows that MS is willing to work with these companies to better software interaction/integration.

 

Fourth, the code has been out for over a week now (or just at a week) and there has been plenty of time for the likes of SCO, Novell, IBM, etc to have looked it over and see if MS had used any of their code in Windows but there hasn't been any outcry. Also, no new vulnerabilities/viruses have come out yet although this might take a little more time to develop (but again, hackers usually work fast).

 

In conclusion, this leaked source code so far has not shown any glowing problems for MS. One "problem" that might come of it is that MS might be less interested in supporting W2k now that some of the source is public and could realistically shorten support for W2k because of it. I quoted "problem" because it would be in MS's best financial interest to do so anyway and get people jumping on the XP/W2k3 bandwagon. All these reasons are why I think this might have been a purposeful leak by MS. Actual code review has only shown good things of MS and they now have a real legitimate reason to end W2k support early (security concerns). If within the next 2-4 weeks, nothing bad comes of this, I will feel justified even if nothing is ever revealed regarding it.

 

The following commentary was in the latest Windows & .NET Magazine

newsletter.  The article isn't currently available online so I have

listed it in full below.  It doesn't look like the actual amount of

source code leaked will cause the number of vulnerabilities discovered

to increase in number and, after inspecting the code, Paul Thurrott says

it actually seems to show MS in a better light.

 

==== 1. Commentary: What the Windows Source Code Leak Means to You

====

by Paul Thurrott, News Editor, thurrott@winnetmag.com

 

Last Thursday morning, I received an excited Instant Messaging (IM)

alert from a friend at Microsoft: "Have you seen this?" he asked. He

then sent me a file named "winver.c," reportedly part of the Windows

2000 source code. The source code for Win2K, as well as for Windows

NT, he said, had leaked to the Internet. The file I was looking at was

a source code listing for a short program written in the C language;

it was described as the "Windows version program" and was written in

March 1989 by someone identified as toddla. Several other C source

code listings were leaked, including one purportedly written by NT

architect David Cutler.

The notion that Microsoft's crown jewels might leak publicly wasn't

surprising to me; after all, the company had opened its source code to

an increasingly large portion of the public in recent years through

its Shared Source program, a response to the open-source threat of

Linux. Since first announcing the Shared Source program, Microsoft has

regularly extended the program's reach, and now many governments,

corporations, educational institutions, hardware and software

development partners, and even individuals have signed nondisclosure

agreements (NDAs), giving them limited-rights access to the source

code for various Windows versions. The software giant has even

publicly acknowledged that it was considering opening the source code

to Microsoft Office also.

Microsoft disseminates its valuable source code to other

institutions and individuals for various reasons. Historically, the

company's hardware and software partners have received access to the

source code to ensure that the products they develop work seamlessly

with Microsoft systems. Under the Shared Source program, the reasons

are a bit more varied. But one reason Microsoft has opened up its

source code is to fend off competition from Linux and other

open-source solutions, which provide users with modifiable source

code. Microsoft doesn't let its Shared Source partners change the

Windows source code and potentially make their own modified versions

of Windows. Instead, the source code access provides suspicious

governments with the evidence they need to prove that Microsoft isn't

inserting back doors, especially US governmental back doors, into its

software. And Microsoft has shown itself to be more, ahem, open to the

notion of providing governments with specially tailored Windows

versions when needed, as the company did recently with Thailand,

although those will be developed inhouse, as the need arises.

But here's what we know so far about the leak. Contrary to early

reports, only a small portion of the source code for Win2K Service

Pack 1 (SP1) and NT 4.0 leaked. Experts differ about how much code

leaked--I've seen estimates in the 1 to 15 percent range--but using

the code to build a working version of Windows would be impossible. I

did obtain the leaked Win2K source code so that I could analyze it and

confirm it was real, but I've never seen the NT source code. I'll be

destroying my copy of the source code after completing my analysis and

have no intention of publishing major portions of it, of course.

At this time, a software company called Mainsoft is the most likely

source of the leak, which means the leak had no ties to the Shared

Source program. Mainsoft has had Windows source code access for years;

longtime Windows & .NET Magazine UPDATE readers might recall my August

2000 revelation that Microsoft had hired the company to explore Linux

ports of Office and Microsoft Internet Explorer (IE), for example--but

uses the information for integration software development purposes.

The leaked source code I've seen includes code for the Windows

Explorer shell, among other things, and an interesting wealth of

documentation that shows Microsoft's developers how to move pre-IE 4.0

Windows shell code to the then-new IE integrated shell. The code

occupies about 147MB of space and includes about 12,900 files, mostly

C, C++, and assembly source files, as well as C and C++ header files.

And for you conspiracy theorists, sorry, the code doesn't appear to

include any proof that Microsoft stole source code from UNIX, Linux,

or other sources in a bid to make its systems better. Open-source

enthusiasts probably spent the weekend poring over the code just to

find such evidence.

On a technical note, the source code is clean and well coded but is

often devoid of useful comments. It's also quite frank in some places,

with occasional swearing and name calling, usually aimed at

Microsoft's own products. But what really stands out, is how often

Microsoft must insert a minor coding change to accommodate the

idiosyncrasies of one application. These hacks, as they're called in

the code, are often aimed at third-party applications, letting the

applications work after a bug or previous feature they've relied on

has been eliminated. This is a good example of Microsoft going out of

its way to ensure that its partners products work with Windows, a task

the company has never received a lot of credit for.

When the source code leak was first reported, security experts

opined that it would have damaging effects on Microsoft's credibility

and could lead to a new generation of software exploits that take

advantage of hackers' newfound knowledge of the Windows source code.

However, little networking or security code is included in the leaked

source I've examined, and because the code comprises such a small

portion of the entire source-code base, it will be impossible to

figure out the complex interworkings of code that make up the complete

OS and find some systemic flaw. So from a technical standpoint, I

think that, for now at least, the Windows source code leak shouldn't

affect any rollout decisions, though arguably you'd be better off

going with Windows Server 2003 and Windows XP over Win2K right now for

various unrelated reasons anyway.

Indeed, with Microsoft's recent emphasis on upgrading to Windows

2003 and XP for security reasons, there's been some question about

Microsoft's plans to adequately support Win2K going forward. For

example, although both of these newer systems will get the improved

Windows Firewall in service pack updates later this year, and Windows

2003 will get the roles-based Security Configuration Wizard, Microsoft

hasn't said much about offering such improvements to Win2K users. For

whatever it's worth, I do know that the company intends to soon reveal

various Win2K security improvements that it will roll out this year,

but I'm a little worried about its public silence thus far. I'm

further concerned what the Win2K source code leak will do to put these

plans on the back burner. It would be sad to see Microsoft take

advantage of this episode to formalize its desire to deemphasize

Win2K, years before the company should do so.

 

====================

[[Mmmm]Homer]

How about a disgruntled ex-employee is blackmailing MS. He/she wants cash from Bill G., but he won't give it up. As a shot across the bow the blackmailer releases an older or less critical chunk to show they mean business and threatens to release more. MS's network was not breached, yet the FBI has someone to look for.

 

Also, Kennedy was shot by the Mafia and there are WMD's in Iraq.

 

Oh yeah, and Micro$oft is bad mm'kthx bye.

[dwEEziL]

Grrrrrr

[[Mmmm]Homer]

LOL

 

Okay, the only thing I can contribute here really is that being in Seattle I've heard ex-employees and programmer types groan over how sloppy the MS code is. Maybe MS will be embarrassed by their glutton of code. Just a possible side effect though.