February 18, 2004 12:00 AM

Source Code Leak Prompts Vulnerabilities, Warning from Microsoft

Windows IT Pro
InstantDoc ID #41788

   Hackers and security researchers who downloaded the Windows 2000 source code over the weekend have already found a security vulnerability to exploit, although the vulnerability affects only the out-of-date Microsoft Internet Explorer (IE) version that shipped with the original Win2K. The vulnerability, which affects IE 5.01, lets attackers compromise users' PCs when they access a malicious Web site. On one hand, Microsoft says that not only does the vulnerability affect only a single, older version of IE, but the company found and fixed the vulnerability during its Trustworthy Computing code review 2 years ago. On the other hand, about 10 percent of Web browser users--more people than use Mozilla, Netscape, Opera, and Apple Computer's Safari combined--still use IE 5.01.
   "[The vulnerability] doesn't affect IE 6," Mike Reavey, a Microsoft security program manager, said. "It does look like it was one of the things that was found during the code review." Microsoft is cautioning users to upgrade to the most recent IE version--IE 6 with Service Pack 1 (SP1)--to ensure the safest possible Web experience. But the near-instantaneous release of a vulnerability based on the Windows source-code leak makes me wonder how many other vulnerabilities will be found in the coming days. And, unlike the IE vulnerability, some of those vulnerabilities might also affect the most current versions of Windows, including Windows Server 2003 and Windows XP, which are based on Win2K. "We take this seriously," a Microsoft spokesperson said Friday. "It's illegal for third parties to post or make our source code available. From that standpoint we've taken appropriate legal action to protect our intellectual property."
   Microsoft has also taken the interesting step of warning users to keep their hands off the stolen source code. On Monday, the company issued legal warnings to people who had downloaded or distributed the code. "The unauthorized copying and distribution of Microsoft's protected source code is a violation of both civil and criminal copyright and trade secret laws," the warning said. "If you have downloaded and are making the source code available for downloading by others, you are violating Microsoft's rights, and could be subject to severe civil and criminal penalties." Microsoft then demanded that downloaders destroy their copies of the source code and tell Microsoft where they got it.

Comments
  • John F. Braun
    8 years ago
    Feb 25, 2004

    Editor's note: You can't have DRM without "security by obscurity." ... How widely acknowledged is this theory, really? --Paul

    As others have suggested, perhaps you should take a few moments to read up on security theory before making statements which clearly show you don't know what you're talking about. This is almost as bad as the time you kept insisting that the Windows EAL was somehow related to the relative security of the Windows platform, which it isn't.

    I think you're confusing the obscurity of information, such as encryption keys, with obscurity of the algorithm in use, such as public key. It is perfectly accepted practice to make the algorithm known but the secret info hidden. This is NOT considered "security by obscurity."

    As someone who has actually designed and implemented security solutions, and keeps a close eye on industry developments, trust me on this one. Security by obscurity is not considered good practice. A system that has been subject to extensive peer review, with a known algorithm, is much preferred.

  • Pit
    8 years ago
    Feb 20, 2004

    "You can't have DRM without "security by obscurity.""

    Is that so? Well - dream on, expert..

    (For everybody else: I recommend having a look at some works of Bruce Schneier (http://www.schneier.com) on that matter.)

    On a side note:

    From The Free On-line Dictionary of Computing (27 SEP 03) :

    security through obscurity

    Or "security by obscurity". A term applied by
    hackers to most operating system vendors' favourite way of
    coping with security holes - namely, ignoring them,
    documenting neither any known holes nor the underlying
    security algorithms, trusting that nobody will find out
    about them and that people who do find out about them won't
    exploit them. This never works for long and occasionally sets
    the world up for debacles like the RTM worm of 1988 (see
    Great Worm), but once the brief moments of panic created by
    such events subside most vendors are all too willing to turn
    over and go back to sleep. After all, actually fixing the
    bugs would siphon off the resources needed to implement the
    next user-interface frill on marketing's wish list - and
    besides, if they started fixing security bugs customers might
    begin to *expect* it and imagine that their warranties of
    merchantability gave them some sort of rights.

  • Pit
    8 years ago
    Feb 20, 2004

    @Rob: It's widely acknowledged that "security by obscurity" (i. e. closed source software such as MS's) is highly dangerous and insecure.

    For example an encryption scheme is "secure" if - and only if - an attacker who knows the exact code cannot decrypt a message without the appropriate key (i. e. security is based on the key and not on the code). You cannot attack, despite knowing the code.

    If security is based on the assumption that you are not vulnerable because a cracker does not know your code, you have a big problem as soon as a cracker gets your code or finds a vulnerability by other means (proven by almost daily new holes in MS software).
    Furthermore, as user of such software, you can neither verify nor protect yourself by changing the code (hence the necessity to invest in additional security software: you can't trust in MS built-in security).

    Open source software can be verified - and if necessary - changed by everyone. There is no false assumption that a hacker does not know the code. So security has to be "real" and not just a marketing promise.

    With the leak of some MS code, not much has changed - maybe some crackers now have an easier life and some users are now aware of closed source dangers. But all-in-all, MS software stays insecure..


    Editor's note: You can't have DRM without "security by obscurity." Even Real's "open source" Helix solution doesn't let its DRM scheme out in the open. How widely acknowledged is this theory, really? --Paul

  • Robert Knight
    8 years ago
    Feb 19, 2004

    @Rob

    The leaking of Windows source is considered a threat because, some people argue, Windows relies on "security through obscurity" which means that programmers rely on the fact that people don't have access to the source to make it hard to crack. Because this isn't possible with Linux, a different philosophy has to be used - programmers have to design a system that is secure even if people know exactly how it works. Most encryption methods used today are publicly available, but they are still hard to crack. Relying on "security through obscurity" is a bad idea, and hopefully MS have not done that.

  • Wendy Rebecca
    8 years ago
    Feb 19, 2004

    "Editor's note: Only if required by a judge, Wendy. --Paul "

    Nah, you're safe. I was just jokin' with you anyway.

    Besides, Microsoft won't bother you. You're one of the best shills they've got. No sense endangering the franchise by harassing Paul Thurrott. ;-)


    Editor's note: Hey, that's hilarious. On the other hand, I have been threatened and warned by Microsoft on various occasions. --Paul

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.