Feeds

MS Windows source code escapes onto Internet

Say it's a vital secret for long enough and it'll turn round and bite you...

  • alert
  • submit to reddit

Website security in corporate America

Microsoft has suffered what appears to be a severe leak of Windows source code, with a file circulating on the Internet appearing to consist of several million lines of code from around mid-2000. The source code seems to relate to NT4 and Windows 2000, and in a statement the company has conceded that "portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet.

"It's illegal for third parties to post Microsoft source code," the statement continues somewhat redundantly, "and we take such activity very seriously."

The impact of the leak is however massively more important for Microsoft than it is for the rest of the world, as it effectively blows the company's 'security via obscurity' approach to smithereens. Over the past year or so it has, with much pomp and ceremony, unveiled its shared source programme as a counter to open source, while in the same period it has repeatedly stressed that it cannot disclose some aspects of its code to rivals for security reasons. If they could see it, it would leak, and then evil terrorists would be able to break into Windows more easily. Microsoft, incidentally, currently has the shared source web site as a 'related link' on the leak statement page. Are you entirely sure about this relationship, dahlinks?

According to Neowin, there are two packages which appear to be the source of NT 4 and Win2k, respectively. The site says it's not yet clear whether or not the full source has leaked. Betanews says the claimed Win2k source contains 30,915 files and consists of 13.5 million lines, pointing out that this is considerably less than the 35-50 million the entire source should consist of.

This is still however a substantial slug, so if keeping source secret is important, then the leak is surely important. The leak will likely be of some help to people trying to find vulnerabilities in Windows (bear in mind that source for NT and Win2k has a great deal of relevance for XP), but the ready illegal availability of source presents a problem rather than an opportunity for security companies and for developers trying to make their products interoperate with Windows, given that having illegal knowledge of Windows' workings would massively compromise their ability to do legal work.

This may present particular problems owing to the likely entertainment value of Windows source. Betanews tells us that already people have been looking for the notorious "Weenies" jibe at Netscape developers, and although they've come up empty, there are numerous profanities and references to codenames long gone. The Register is confident that close study will reveal that it's all such a byzantine nightmare that our long-held theory that Microsoft doesn't know what's in there either will be proved, but don't look if you ever want to legally develop for Windows again.

What next? Microsoft says there has been no breach of its corporate network and internal security, which is possibly a first, but has called in the FBI. The dates of the code and the content will likely produce clues as to how and where it began to make its way out of the company, and if the mid-2000 claim is correct, that would suggest that it could have been outside of Microsoft for some considerable time. The likelihood is surely that it was associated with a development deal with an outside company whose safe has now fallen open, or something.

The weirdness here is that although Windows source code might be obscure, it's not exactly secret, nor has it ever been. Microsoft now does the shared source stuff, but it has been giving outside companies access for years. There are plenty of people out there who do know something about Windows source code, and under shared source deals plenty people can look at Windows source, but there's not a lot of point looking if you can't do anything much with the knowledge, and if you don't have a legal, development reason to look you're not exactly going to volunteer to do so.

It'd be nice if escaping source code prompted Microsoft to take a more rational view of the whole issue, stop pretending it's secret and adopted the rival view that openness helps security, but we fear that'll take a few more leaks. Windows source code - so secure we let the Chinese and the Russians look. Right. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
Not appy with your Chromebook? Well now it can run Android apps
Google offers beta of tricky OS-inside-OS tech
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.