Microsoft code exposure not a crisis'yet
- By William Jackson
- Feb 13, 2004
The Internet appearance of some source code for at least two versions of Microsoft Windows operating systems could create future security headaches.
'You're probably going to see more vulnerabilities in Microsoft this year, and more exploits of them,' said Ken Dunham, director of malicious code for iDefense Inc. of Reston, Va.
But the exposure does not reach crisis level, analysts told GCN.
'In my opinion, this is not a doomsday scenario,' said Johannes B. Ullrich, chief technology officer of the Internet Storm Center operated by SANS Institute of Bethesda, Md. 'A look across the open-source landscape shows that source access does not necessarily lead to less-secure systems.'
The availability of the code could, however, shorten the window between release of a patch for a vulnerability, and appearance of malicious code to exploit it.
Microsoft Corp. already is under the gun for a critical vulnerability announced earlier this week, for which some analysts say exploit code already exists. The vulnerability in the Abstract System Notation 1 Library is very troublesome because so many applications and network devices use it.
That particular flaw 'is not like any vulnerability you've seen before,' said Sunil James, iDefense's director of vulnerability intelligence. 'It is worse. You are going to have a lot of people developing an exploit that can be turned into a worm.'
Ullrich said the hacker underground has been talking about the exposed source code for Windows 2000 and NT 4.0 for quite a while, although Microsoft acknowledged its presence only yesterday. Some peer-to-peer file sharing networks are said to be circulating the source code widely.
'It's illegal for third parties to post Microsoft source code, and we take such activity very seriously,' Microsoft said in a statement. 'We are investigating these postings and are working with the appropriate law enforcement authorities.'
About 30,000 files of source code for the two OSes have been found on the Net, Dunham said, but 'it's going to take a while to dive in and see what the quality and integrity of the code is.' The files being downloaded vary greatly in size, so 'some people are getting tremendously stripped-down versions.'
Because the code has been circulating unprotected and there is no authoritative version against which to compare it, determining authenticity may prove impossible.
And having the source code does not necessarily provide a blueprint for exploitation. Open-source developers have made a strength of such exposure, relying on numerous eyes to find and correct flaws.
Although Dunham described the Microsoft exposure as a 'worst-case scenario' for a closed-source developer whose security is based on secrecy, the source code would be just another tool for hackers, not a key.
'When you can see the actual lines of code, you can see the processes used in developing it, and how things are being done,' Dunham said. That insight could help in the search for vulnerabilities and in the creation of exploits for them.
Microsoft has made elements of its source code available to government officials and developers for years under several programs. The components are offered only in tightly controlled environments, and many analysts think it unlikely that the leaked code came from those sources.
Microsoft has said it does not appear that the exposure came from a breach in its corporate network or internal security.
William Jackson is a Maryland-based freelance writer.