Feeds

MS Windows source code escapes onto Internet

Say it's a vital secret for long enough and it'll turn round and bite you...

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Microsoft has suffered what appears to be a severe leak of Windows source code, with a file circulating on the Internet appearing to consist of several million lines of code from around mid-2000. The source code seems to relate to NT4 and Windows 2000, and in a statement the company has conceded that "portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet.

"It's illegal for third parties to post Microsoft source code," the statement continues somewhat redundantly, "and we take such activity very seriously."

The impact of the leak is however massively more important for Microsoft than it is for the rest of the world, as it effectively blows the company's 'security via obscurity' approach to smithereens. Over the past year or so it has, with much pomp and ceremony, unveiled its shared source programme as a counter to open source, while in the same period it has repeatedly stressed that it cannot disclose some aspects of its code to rivals for security reasons. If they could see it, it would leak, and then evil terrorists would be able to break into Windows more easily. Microsoft, incidentally, currently has the shared source web site as a 'related link' on the leak statement page. Are you entirely sure about this relationship, dahlinks?

According to Neowin, there are two packages which appear to be the source of NT 4 and Win2k, respectively. The site says it's not yet clear whether or not the full source has leaked. Betanews says the claimed Win2k source contains 30,915 files and consists of 13.5 million lines, pointing out that this is considerably less than the 35-50 million the entire source should consist of.

This is still however a substantial slug, so if keeping source secret is important, then the leak is surely important. The leak will likely be of some help to people trying to find vulnerabilities in Windows (bear in mind that source for NT and Win2k has a great deal of relevance for XP), but the ready illegal availability of source presents a problem rather than an opportunity for security companies and for developers trying to make their products interoperate with Windows, given that having illegal knowledge of Windows' workings would massively compromise their ability to do legal work.

This may present particular problems owing to the likely entertainment value of Windows source. Betanews tells us that already people have been looking for the notorious "Weenies" jibe at Netscape developers, and although they've come up empty, there are numerous profanities and references to codenames long gone. The Register is confident that close study will reveal that it's all such a byzantine nightmare that our long-held theory that Microsoft doesn't know what's in there either will be proved, but don't look if you ever want to legally develop for Windows again.

What next? Microsoft says there has been no breach of its corporate network and internal security, which is possibly a first, but has called in the FBI. The dates of the code and the content will likely produce clues as to how and where it began to make its way out of the company, and if the mid-2000 claim is correct, that would suggest that it could have been outside of Microsoft for some considerable time. The likelihood is surely that it was associated with a development deal with an outside company whose safe has now fallen open, or something.

The weirdness here is that although Windows source code might be obscure, it's not exactly secret, nor has it ever been. Microsoft now does the shared source stuff, but it has been giving outside companies access for years. There are plenty of people out there who do know something about Windows source code, and under shared source deals plenty people can look at Windows source, but there's not a lot of point looking if you can't do anything much with the knowledge, and if you don't have a legal, development reason to look you're not exactly going to volunteer to do so.

It'd be nice if escaping source code prompted Microsoft to take a more rational view of the whole issue, stop pretending it's secret and adopted the rival view that openness helps security, but we fear that'll take a few more leaks. Windows source code - so secure we let the Chinese and the Russians look. Right. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Sway: Microsoft's new Office app doesn't have an Undo function
Content aggregation, meet the workplace ... oh
Sign off my IT project or I’ll PHONE your MUM
Honestly, it’s a piece of piss
Do Moan! MONSTER 6-day EMAIL OUTAGE hits Domain Monster
Customers freaked out by frightful service
Return of the Jedi – Apache reclaims web server crown
.london, .hamburg and .公司 - that's .com in Chinese - storm the web server charts
NetWare sales revive in China thanks to that man Snowden
If it ain't Microsoft, it's in fashion behind the Great Firewall
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.