Microsoft Corp. continued to investigate the leak of some of the closely-guarded code underlying its Windows 2000 and Windows NT products Friday as a partner company, Mainsoft Corp., responded to allegations that it was the source of the leak.
As computer security experts offered differing opinions on the source and severity of the leak, Microsoft declined to comment on its investigation Friday, but did say its Shared Source Initiative program was not to blame.
“There was no breach of either our internal security or any (security) from our Shared Source Initiative,” Microsoft spokesperson Tom Pilla said Friday.
Microsoft in a statement late Friday repeated that its investigation has shown the code leak was not the result of any breach of its corporate network or internal security, nor is it related to the Shared Source Initiative. The company added that the Government Security Program also is not involved.
Microsoft has called in the U.S. Federal Bureau of Investigation and warns that its source code is copyright protected and protected as a trade secret. “As such, it is illegal to post it, make it available to others, download it or use it. Microsoft will take all appropriate legal actions to protect its intellectual property,” the company said.
Security experts postulated Thursday that the leak may have come from one of the many organizations that signed up for programs under Microsoft’s Shared Source Initiative, under which enterprise users, academics and others can get controlled access to select parts of Microsoft’s source code.
The Government Security Program gives select governments and international organizations controlled access to the source code of several Windows versions.
Source code is computer code in the form of readable lines of text, usually with comments. It can be compiled into programs that can be run but not read. The Windows code on users’ PCs is all compiled code.
Parts of the leaked code reviewed by IDG News Service point to Mainsoft, a San Jose-based Microsoft partner. Microsoft has provided Mainsoft with access to its source code for several years. Mainsoft uses the code to enhance graphics for Unix-based Computer Aided Design/Computer Aided Modeling (CAD/CAM) applications, it said.
One example of a reference to Mainsoft is in a file named “download.cpp.” It contains a statement that the Application Program Interface is not yet implemented by Mainsoft and that it needs an extra check on Unix. Other files also contain similar statements, for use by developers, mixed in with the computer code.
Mainsoft on Friday said it takes the matter seriously and will cooperate with the inquiry into the source code leak. “Mainsoft recognizes the gravity of the situation. We will cooperate fully with Microsoft and all authorities,” said a company spokesperson reading from a prepared statement from Mike Gullard, Mainsoft chairman of the board.
Microsoft’s Pilla declined to comment on the Mainsoft link, but said the company is not part of Microsoft’s Shared Source Initiative.
Experts cautioned not to jump to conclusions and that a mention of Mainsoft in the code does not mean the company is the source of the leak.
“It does not prove anything. The code could have been edited and it does not prove that they are the leak,” said Ken Dunham, director of malicious code at iDefense Inc. in Reston, Va.
In fact, while examining the leaked code, iDefense found that it likely was first leaked in mid-2001. Somebody subsequently tampered with it before it was spread on the Internet and the leak became public on Thursday, Dunham said.
“We see mixture of clean and somewhat sloppy code that does not look like Microsoft code. It does look like somebody got hold of it and meddled around with it for a while and then it got released into the underground,” he said.
Those who have downloaded the source code claim to have a 200MB compressed file that expands into roughly 600M bytes of code, enough to fit on one CD-ROM. Microsoft has not commented on what source code was leaked, but iDefense and others say it includes parts of the Windows kernel, the core of the operating system.
“This puts the blueprints in the hands of the enemy and that is the worst thing you want to do in a war with the attackers on the Internet. Now they will take that code and rip it up, debug it and exploit it,” iDefense’s Dunham said.
The code gives malicious hackers an unfiltered look at the underlying code for some parts of the Windows operating system. Depending on what parts of are available, the leak could pose a serious security risk, said Stuart McClure, president and chief technology officer of security company Foundstone Inc.
Experts who looked at what appear to be directory listings of the packages of Windows 2000 and Windows NT source code said Thursday that the listings represent source code for network protocols, parts of Internet Explorer, certificate handling as well as the Windows kernel.
But Russ Cooper, Surgeon General of TruSecure Corp. and moderator of the NTBugtraq online discussion list said having source code files doesn’t necessarily make it easier to design attacks against Microsoft’s operating system.
“You can try to read the source code and see where the vulnerabilities lie, but you have to understand the programming technique, and that’s a lot harder to do than watching the way compiled programs respond to different attacks,” he said.
Not only does the breach of the Windows source code — a mix of assembler, C and C++ code — potentially expose users to an increase in cyberattacks, it also means that Microsoft’s closely guarded intellectual property is now out in the open. The company has spent millions of dollars on developing Windows.
Windows 2000 and Windows NT are older Microsoft products but are still widely used, mostly by enterprise users. The products also form the basis of the current Windows XP operating system.