Chunks of the secret source code behind two versions of Microsoft’s Windows operating system have been leaked onto the internet, the software giant has confirmed.
The illegal release of 13.5 million command lines that form Windows 2000 and Windows NT 4.0 could help hackers devise more potent viruses or give competitors programming ideas, experts believe.
Microsoft is now working with the FBI to investigate the online postings, which have been circulating on file-sharing networks and via chat groups. “We take such activity very seriously,” says a statement on Microsoft’s web site.
It is not yet clear how the code was leaked, although some media reports have pointed to one of Microsoft’s own software partners. Microsoft only releases parts of its source code to partners, researchers and government agencies under very restrictive legal agreements. The company adds that there is no evidence that its own network was hacked or that any customers have been affected.
Advertisement
Open source
“It’s an interesting issue because everyone’s always been harassing Microsoft to make their source code available,” says Pete Lindstrom, research director at Spire Security in Malvern, Pennsylvania, US.
In contrast to Windows, a rival operating system, Linux, is open source. This means its code is freely available and can therefore be examined for bugs or vulnerabilities by a wide range of programmers.
“How much do Microsoft want to protect their intellectual property now that the source is out there in the bad guys’ hands?” asks Lindstrom. He suggests they could develop a system where registered programmers could examine the code and would be paid for any glitches they find.
Command lines
The leaked code is 203 megabytes in size and expands to about 650 MB, the capacity of a typical CD-ROM. This represents a small fraction of the operating systems’ total source code. Part of the code was reportedly written for a patch for Windows 2000, a program called Service Pack 1.
Some security experts have said the code does not include sensitive network protocols but does contain command lines for the drawing program Microsoft Paint. But the specific programs controlled by the code are irrelevant when it comes to hackers, Lindstrom told New Scientist. Finding a flaw in “any executable can lead to a fully compromised system”, he says.
This is the first major leak of Microsoft source code, although free versions of the Windows operating systems have surfaced online before. The source code is also said to be peppered with profanity, which could embarrass Microsoft even further, says Lindstrom.
It has been a difficult week for Microsoft. Thursday’s code leak came shortly after the company revealed a “critical” flaw in the Windows system that could allow hackers to take control of computers remotely over the internet.
“The good news is there will now be answers to just how secure Microsoft is,” Lindstrom says.
