MS Windows source code leaked

[Uraniun235]

http://zdnet.com.com/2100-1104_2-515849 ... d.newsfeed

Microsoft is investigating the possibility that a file posted to several underground sites and chat rooms contains some protected source code to Windows 2000.
The 203MB file contains the code that appears to be from Microsoft's enterprise operating system, but the code is not complete, said Dragos Ruiu, a security consultant and the organizer of the CanSecWest security conference, who has examined the file listing.

"It was on the peer-to-peer networks and IRC (Internet relay chat) today," Ruiu said. "Everybody has got it; it's widespread now."




The 203MB file expands to just under 660MB, he said, noting that the final code size almost perfectly matches the capacity of a typical CD-ROM. The entire source code, he said, is believed to be about 40GB, meaning that the file circulating Thursday would be only a fraction of the full code base--if it is authentic.

Ruiu, who has seen the file, believes it to be authentic. "It looks real," he said. "You can't build Windows, however. It's just a bunch of chunks of the operating system."

Microsoft said it is looking into claims that file traders were swapping its proprietary source code.

"The rumor regarding the availability of Windows source code is based on the speculation of an individual who saw a small section of unidentified code and thought it looked like Windows code," Microsoft said in a statement. "Microsoft is looking into this as a matter of due diligence."

Earlier Thursday, a source located a file purporting to be the code on a Web site, but the file was removed from the Internet before it could be completely downloaded.

The possibility that the source code was released created a buzz on the Internet but also worried some security experts.

"It's definitely not a good thing if black hats have the source code," said Oliver Friedrichs, senior manager with antivirus company Symantec's security response center. If the source code has been released, "the underground can look at the code without legitimate security researchers being able to find vulnerabilities first."

But Microsoft downplayed any security issue.

In its statement the company said the main concern is the potential theft of its handiwork rather than the possible security threat that such a leak might pose.

"If a small section of Windows source code were to be available, it would be a matter of intellectual property rights rather than security," Microsoft said.

Microsoft zealously guards the source code to the various versions of its Windows operating system, sharing it only with universities and government agencies that sign agreements not to release the code. While working versions of Microsoft's operating system have occasionally leaked to the Internet, actual source code leaks have been rare.

Although Microsoft Chairman Bill Gates has publicly bragged about the security of Windows, even Microsoft fears the release of its code. In testimony during the Microsoft antitrust trial, Jim Allchin, the company's senior vice president for Windows, said opening up the company's source code could be devastating for the operating system's security.

"The more (that) creators of viruses know about how antivirus mechanisms in Windows operating systems work, the easier it will be to create viruses or disable or destroy those mechanisms," Allchin testified during a May 2002 antitrust trial.

Allchin made the statements while defending the company against legal remedies supported by nine states that would have compelled Microsoft to give away the source code to Internet Explorer.

Allchin's fears are not misplaced, said Thor Larholm, senior security researcher with security consultancy PiVX Solutions.

"Just look at the amount of vulnerabilities that are discovered without the source code," he said. "The majority of Windows servers are still running Windows 2000. Furthermore, Windows 2000 has a lot of shared code that is still being used by Windows XP and Windows Server 2003."

However, other security experts believe that fears about a leak leading to the widespread discovery of vulnerabilities in the code are misplaced.

"Theoretically, to a good reverse engineer, all code is open source," said a Microsoft security consultant who asked not to be identified. He added that the size of the compressed file that was being passed around the Internet sounded about right.

In the end, however, the mistake that made Microsoft's code public might result in benefits similar to open-source code, Ruiu said.

"Short term, there might be problem (as bugs are found), but long term it might be good for them," he said. "Their code might become more secure."

CNET News.com's Ina Fried contributed to this report.

[phongn]

Bad news for Microsoft if this is real.

Also bad news for the OSS community, because now they have to be extra-paranoid about code submissions.

[The Kernel]

Doesn't sound too bad. It really depends I suppose on what part of the OS they got, but such a small chunk of the source isn't likely to be very useful to anyone.

[Crayz9000]

Yes, it's bad for OSS in that they have to keep an eye out for code submissions (although who in their right mind would submit code straight from Windows?!?) but what would be nice is if some people who had the source got together and wrote up a little public API for some of the system calls.

I'm more worried about worms/trojans/whatever using any security holes that are found in this code.

[Sharp-kun]

Crap.

[phongn]

Yes, it's bad for OSS in that they have to keep an eye out for code submissions (although who in their right mind would submit code straight from Windows?!?) but what would be nice is if some people who had the source got together and wrote up a little public API for some of the system calls.

You don't have to submit code straight from the Windows source; just reading it makes you "tainted" -- along with any derivative works. It may sound stupid, but that's how it works legally. Thus, say, the ReactOS, WINE or Linux NTFS projects could get burned from this.

Doesn't sound too bad. It really depends I suppose on what part of the OS they got, but such a small chunk of the source isn't likely to be very useful to anyone.

Some people looking at the file listings are noticing kernel stuff in it.

[Durandal]

And thus was born the GNU Windows project.

[Uraniun235]

It's only 600 MB or so out of a supposed 40 GB codebase, so you couldn't build the whole operating system out of the code that's been leaked.

[phongn]

It's only 600 MB or so out of a supposed 40 GB codebase, so you couldn't build the whole operating system out of the code that's been leaked.

OTOH, if thinks like the kernel are in it, well, black hats with a lot of time might figure out Bad Things to do with it.

[Uraniun235]

They might, but I would imagine something so critical as the kernel would be the most heavily scrutinized code in Microsoft.

[Defiant]

I would be curious to know what parts of the OS were leaked. This whole situation has the potential to be bad.

[Xon]

It's only 600 MB or so out of a supposed 40 GB codebase, so you couldn't build the whole operating system out of the code that's been leaked.

OTOH, if thinks like the kernel are in it, well, black hats with a lot of time might figure out Bad Things to do with it.

I'm not too worried about expliots in the kernal itself. Those will be patched so fast it isnt funny if there are any potential expliots.

Also, you can biuld a file tree of the window source via looking at the debug symbols. ArsTechnica claims that it looks like NTFS and other such stuff isnt included. And it looks like a very old copy of the Windows sourcecode too.

Pitty it wasnt Win95, then no one would care(including MS)

[Sarevok]

Also, you can biuld a file tree of the window source via looking at the debug symbols. ArsTechnica claims that it looks like NTFS and other such stuff isnt included. And it looks like a very old copy of the Windows sourcecode too.

Indeed and it is possible to attach to system processes to find out how they work.

[Crayz9000]

You don't have to submit code straight from the Windows source; just reading it makes you "tainted" -- along with any derivative works. It may sound stupid, but that's how it works legally. Thus, say, the ReactOS, WINE or Linux NTFS projects could get burned from this.

I know about the "taint" problem; that wasn't what I was talking about. Someone on /. brought up a nice point, which was how Phoenix and Award copied the IBM BIOS. They had two teams, one reverse-engineering the IBM BIOS and writing up detailed specifications; the second took those specifications and wrote new code that duplicated the functionality of the original code.

Couldn't the same sort of thing be done with the Windows code?

[Sarevok]

Of course the same thing can be done with windows. The Win32 API is well documented. If specifications are given that would be enough to duplicate Windows.

[phongn]

I know about the "taint" problem; that wasn't what I was talking about. Someone on /. brought up a nice point, which was how Phoenix and Award copied the IBM BIOS. They had two teams, one reverse-engineering the IBM BIOS and writing up detailed specifications; the second took those specifications and wrote new code that duplicated the functionality of the original code.

Yes, but the reverse-engineering team never looked at the BIOS's actual source. They analyzed and specified the original BIOS itself (the one on chip) and then the other team wrote up the new code.

The Executor project did the same with with the Mac ROM and many system calls -- they did their own clean-room implementation without so much as looking at a line of system code from Apple.