Microsoft Corp. confirmed late Thursday that some of the secret code underlying its Windows NT and Windows 2000 operating systems has been leaked on the Internet. The company played down any potential security concerns the leak might cause.
Incomplete portions of Windows NT and Windows 2000 source code were “illegally made available on the Internet,” Microsoft spokesman Tom Pilla said. Microsoft has no information on the source of the leak and has called in the U.S. Federal Bureau of Investigation, he said.
There is no indication that the leak was the result of any breach of the Microsoft corporate network or the company’s internal security, Pilla said. Also, “at this point in time there is no known impact to customers,” he said.
Source code is pre-compiled code in the form of readable lines of text, usually with comments. It can be compiled into code that can run but can’t be read. The Windows code on users’ PCs is all compiled code.
A breach of the Windows source code — a mix of assembler, C and C++ code — could expose users to an increase in cyberattacks because it would make it easier for hackers to find holes in the operating systems that they can exploit. It would also mean that Microsoft’s closely guarded intellectual property is now out in the open, said Joe Wilcox, a Washington, D.C.-based Jupiter Research senior analyst.
Those who say they have downloaded the source code claim to have a 200MB compressed file that expands into roughly 600MB of code. Microsoft officials told industry analysts that this is roughly correct and that it represents about 15 percent of Windows source code.
Jupiter Research’s Wilcox said a much greater percentage of the Windows code may have leaked. “It was my understanding that Windows 2000 was about 35 million lines of code.” People who have seen the leaked code say it contains about 13.5 million lines.
The code leak could lead to a host of new attacks on systems running Windows 2000 and Windows NT, warned Thor Larholm, a senior security researcher at PivX Solutions LLC, in Newport Beach, California.
“Depending on what particular code was leaked I would say this has a lot of potential for new security vulnerabilities. The next weeks to come will confirm whether we see a rise in exploits,” he said.
But Rob Enderle, principal analyst at Enderle Group in San Jose, California, said that with the amount of Windows code already available through various Microsoft programs the security implications are limited. “A release of source code on the Web is more embarrassing in these days of open source then it is damaging,” he said.
Microsoft enthusiast Web sites earlier Thursday reported that the code was leaked and had the Redmond, Washington-based software maker scrambling to investigate the reports. The source code of the two OSes was rumored to be available on a peer-to-peer file-sharing network as well as on IRC (Internet relay chat).
On Thursday afternoon, discussion sites and mailing lists were abuzz with talk about the leak. Some sites offered screen shots or directly posted parts of what is said to be the source code.
IDG News Service was shown Web pages that appear to contain a directory listing of the packages of Windows 2000 and Windows NT source code. Experts said the listings represent source code for network protocols, parts of Internet Explorer, certificate handling and the Windows kernel. Microsoft declined to confirm if that is correct.
Windows 2000 and Windows NT are older Microsoft products but are still widely used. The products also formed the basis of the current Windows XP operating system.
In one posting on the Web site Slashdot.org, someone using the handle “Monkelectric” asked if the leak could be a ploy by Microsoft to get users to upgrade from Windows NT and Windows 2000 to newer operating systems, perhaps to avoid an onslaught of security breaches. Other posters joked about Windows having gone open source.
This is not the first time that Microsoft has faced a leak of its source code. In 2000, it confirmed that outsiders had accessed some of the code underlying a version of Windows as well as Office.
The company has offering controlled access to some of its source code through a program called the Shared Source Initiative. The program is meant for enterprise users, academics and others.