Source Code Leak Raises Issues
Mar. 1, 2004

A portion of Windows source code posted on the Internet in Feb. 2004 might expose new security vulnerabilities that customers will have to address and might cause developers to consider whether to yield to the temptation to look at the source code. However, the longer-term impact will likely be on Microsoft and its partners as Microsoft takes action to protect its trade secrets and intellectual property.

Illegally Posted Windows

The illegally posted source code appears to be for components of Windows NT 4.0 and Windows 2000, such as Internet Explorer 5.0, and represents a small portion of the complete source code for Windows. Microsoft says that the leaked source code is insufficient to build a running version of Windows.

Microsoft was quick to state that the source code was not posted on the Internet as the result of any breach of its network or security, and it is working with the FBI to determine who was responsible. Some details in the leaked code point to long-time partner Mainsoft, which has been a licensee for the source code since 1994.

Impact on Microsoft

The presence of Windows source code on the Internet has a big effect on Microsoft. It must take action to protect its intellectual property (IP) and must address any resultant security vulnerabilities and damage to its reputation as a result of the leak. Because the leak does not appear to be a result of its Shared Source programs, Microsoft will likely continue those programs unchanged.

Protecting Microsoft’s IP

Microsoft’s source code is protected as a trade secret, is copyrighted, and may have additional protection from patents. Although the law around IP is confusing and complex, Microsoft is obligated to show that it has always strived to adequately protect its IP, or else some of those protections could be lost. Therefore, it is working with the FBI to find out who posted the code on the Internet.

Microsoft is also notifying anyone who may have already downloaded the source code, or who may even be considering it, that to do so is illegal. The company is telling users who have downloaded the leaked source code to destroy all copies and tell Microsoft where they obtained them.

Addressing New Security Exploits

Shortly after the source code was posted, a vulnerability in Internet Explorer (IE) 5.0 was identified in that code and an exploit for the vulnerability began to circulate. Microsoft says that it had identified the vulnerability when it temporarily shut down the development of Windows in Jan. 2000 as part of its Trustworthy Computing initiative, and it had already patched the vulnerability in IE 6.0 Service Pack 1. It is advising customers using older versions of IE to upgrade to the latest version and service pack.

However, Microsoft’s solution raises questions. Why did Microsoft fix only the current version of IE when many customers still use older versions? What other vulnerabilities found as part of its review of the Windows code were fixed only in Windows Server 2003 and Windows XP?

To some extent, reaction to the source code release may overstate the danger of newly found vulnerabilities: Many vulnerabilities have been discovered by programmers without access to the source code, which is difficult for even skilled programmers to read and understand (see "Analyzing Source Code").

For example, security vendor eEye does not have access to source code but has discovered numerous vulnerabilities in Windows. Most recently, eEye discovered a vulnerability in Microsoft's ASN.1 data exchange library while designing and developing its own security-enhancing products.

Protecting Its Reputation

Although Microsoft’s showing that the code was not posted as a result of a breach of its own security is some assurance to customers, examination of the source code may be embarrassing to Microsoft. The source code contains programmer comments (a common, even recommended practice in programming), a number of which include profanity and rude or derogatory statements about other programmers both within and outside Microsoft (typically to vent one’s feelings about a difficult section of code or a work-around designed to compensate for another application’s defects).

Code released under the Shared Source program has been edited to remove incendiary comments, but the posted code contained many of the original comments. Intemperate remarks in the code could lead to charges that Microsoft inserts special code or work-arounds in Windows to make its own products run better or more reliably than those of its competitors. At the least, the comments make its programming staff appear to be less than professional.

Finally, some developers may look at the coding practices and algorithms in the code and draw conclusions about the quality of the code and of Microsoft’s developers.

Implications for Shared Source

Microsoft has been expanding access to its source code through its Shared Source Initiative. Governments, large corporate customers, universities, and even some individuals have access to the source code and use it to better understand how Windows works, assist in debugging applications running on Windows, and discover vulnerabilities. Shared Source licenses strictly define what licensees can and cannot do with the code, and it does not appear that the current leak came from a Shared Source licensee.

Because the Shared Source program counters one of the arguments for open-source software—that it is potentially more secure and reliable because "many eyes" examine the code—Microsoft will not likely pull back from its commitment to Shared Source, in spite of the leaked code.

Impact on Customers and Developers

Although Microsoft is most directly affected by the leak, customers, partners, and developers have their own concerns.

Customers and partners. Because an exploit is already circulating for a vulnerability in the leaked code, customers must review their security practices, ensure that their firewalls are configured correctly, maintain updated signature files for their antivirus software, and keep their software patched for known vulnerabilities. Any customer or partner who has licensed code under a Shared Source license has the additional responsibility to review its security measures and ensure that it is not responsible for any future leaks.

Developers. The leak prompted an energetic debate among developers about whether they should look at another organization’s source code, particularly source code for a program or routine similar to anything they are likely to write in the future. If developers look at the Windows code and later write code that resembles the Windows code in any way, they may leave themselves open to claims that they have infringed on Microsoft’s IP. Again, the law surrounding IP is complex and subject to interpretation, but it may be easier to defend against such claims if a developer can assert that he or she never had access to or looked at the code in question.

Resources

Microsoft’s official statement on the posting of its source code is at www.microsoft.com/presspass/press/2004/Feb04/02-12windowssource.asp.

Mainsoft’s official statement on the posting of Microsoft’s source code is at www.mainsoft.com/statement.html.

Microsoft’s Shared Source licensing program is described at www.microsoft.com/resources/sharedsource/Licensing/default.mspx.

Vulnerabilities that eEye has found in Microsoft’s products, and eEye’s security products for Windows, are described at www.eEye.com.

The ASN.1 vulnerability and its impact are described in "IE and ASN.1 Vulnerabilities Require Patches" on page 9 of the Mar. 2004 Update.

The vulnerability code in "Analyzing Source Code" is from the Microsoft Developer Network article "Fix Those Buffer Overruns!" at msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure04102003.asp.