Athenæum

02/13/2004: Technologica

Security Alert! Source Code To MS Paint Available
or, Tempest In A Teapot?
from Seattle Times

Microsoft confirmed yesterday that portions of its Windows source code had been leaked over the Internet.

Microsoft spokesman Tom Pilla said some incomplete portions of Windows 2000 and Windows NT 4.0 source code had been "illegally made available on the Internet."

One security consultant said the leak appears to be only a small chunk of the overall code.

The company was made aware of the leak yesterday, Pilla said. He did not know how many people might have gained access to it or when the leak occurred. The company also could not immediately say what the source of the leak was but said it was investigating. It also has contacted law-enforcement authorities.

Pilla said that there was no indication the code leak was a result of a breach of Microsoft's corporate network and added that there was no known immediate impact to Microsoft's customers.

Dragos Ruiu, a security consultant who looked at the code, described it as a hodgepodge of about 30,000 files, which is only about 2 percent of the overall source code of an operating system.

"It's pretty obviously not faked," said Ruiu, who organizes the annual CanSecWest security conference in Vancouver, B.C. One big chunk of the leak, he said, is the underlying code to Microsoft Paint, a simple program that lets a user create and customize images.


The leaked material appears to be about 213 megabytes in size and expands to about 658 megabytes. Ruiu said he looked for, and did not find, critical components of the source code such as certain network protocols.

Still, he said, it's tough to identify how much of a threat the leaked code presented to Microsoft.

"There's a lot of files there," he said. "Everybody's trying to figure out what the impact of this is."

Microsoft has shared some source code with some U.S. government agencies, foreign governments and universities under tight restrictions.

But the company has generally argued that the blueprints to its operating system are proprietary and shouldn't be made public.

Still, because some people outside Microsoft have had access to the code, analysts said it wasn't too surprising a leak would occur, either intentionally or unintentionally.

"It seems unlikely this is going to create a material, significant security problem. It's more embarrassing than anything else because it makes it look like Microsoft can't control its code," said Rob Enderle, a technology expert and principal analyst with the Enderle Group.


Friday the 13th of February, BBC noted:


Why is this a problem for Microsoft?

...for Microsoft to have this code paraded in public is hugely embarrassing. Not least because the code is littered with profanity and might show that many Microsoft programmers do not do a very good job.


Friday the 13th of February, betanews noted:


BetaNews has learned that Thursday's leak of the Windows 2000 source code originated not from Microsoft, but from long-time Redmond partner Mainsoft.

The leaked code includes 30,915 files and was apparently removed from a Linux computer used by Mainsoft for development purposes. Dated July 25, 2000, the source code represents Windows 2000 Service Pack 1.

Analysis indicates files within the leaked archive are only a subset of the Windows source code, which was licensed to Mainsoft for use in the company's MainWin product. MainWin utilizes the source to create native Unix versions of Windows applications.

Mainsoft says it has incorporated millions of lines of untouched Windows code into MainWin.

Clues to the source code's origin lie in a "core dump" file, which is left by the Linux operating system to record the memory a program is using when it crashes. Further investigation by BetaNews revealed the machine was likely used by Mainsoft's Director of Technology, Eyal Alaluf.

References to MainWin can also be found throughout the leaked source files, which do not compile into a usable form of Windows.