As I'm sure you've all heard by now,
a portion of the source code for the Windows 2000 operating system has been leaked
onto the Internet. Microsoft is asking
individuals who've posted or downloaded the copyrighted code to stop doing so and to delete any copies they may have. But as I write this, the code is still available online.
Zero-day exploits possible
To you and me, it's just code, but for a criminal hacker, or cracker,
it's a treasure trove of new software vulnerabilities waiting to be found. The real danger here is that crackers, using the leaked code, could take us all by surprise and exploit flaws that no one--not even Microsoft--is aware of. That means there would be no quick fixes for the flaws, and whatever virus, worm, or attack the cracker came up with could continue to cause harm while vendors and security researchers scramble to come up with a solution.
This is what's called, in security parlance, a zero-day exploit
--one of the most dreaded and potentially destructive computer security scenarios. Let's just hope Microsoft has made finding flaws in this code a top priority.
Already, one flaw affecting older versions of Internet Explorer has been found by someone outside of Microsoft, and I expect more.
Before I go any further, I'd like to clear up some misconceptions I've heard about this topic. First, the leaked code is what programmers view and modify, not the compiled code that runs on your desktop. And it represents only 15 percent of the total OS. This means you wouldn't be able to use it to, say, create your own home-brewed version of Windows 2000.
Second, the source code is old, dating back to July 2000. Since Microsoft, like other software vendors, does not create new versions from scratch, it is assumed that some of the leaked code (bugs and all) is still in use in post-2000 OSs, such as Windows XP.
Inside Microsoft's thinking
What the code does offer is a glimpse into the thinking of Microsoft programmers--both strengths and weaknesses. Already, one flaw affecting older versions of Internet Explorer has been found by someone outside of Microsoft, and I expect more to be announced on security mailing lists such as Bugtraq
in the coming weeks.
Microsoft has confirmed that within the leaked code there's at least one flaw
, which affects how Internet Explorer (versions 5.0 and 5.5) and Outlook Express process bitmap images. The software giant says the vulnerability was fixed in Service Pack 1 for Windows XP. But that won't help the people who are still running older versions of Windows. And because the fix is available in a Service Pack, those running unlicensed versions of XP are just as vulnerable as those running the older OSs. Microsoft is said to be considering releasing a patch for wider distribution.
It's called zero-day because there is no time to develop a fix.
Exactly how the code got onto the Internet remains a mystery, which the FBI is investigating. Evidence within the code itself points to Mainsoft, a San Jose, California-based company that migrates Microsoft software to other OS platforms and has an agreement with Microsoft to use the Windows source code. Mainsoft is said to be cooperating with the FBI.
Regardless of how the code got out there, Microsoft now faces a race against the clock as it works to locate and patch any vulnerabilities discovered because of the leak before someone else can exploit them.
Patch or no patch
Typically, vendors or security researchers who discover software vulnerabilities won't announce them publicly until they're able to provide a patch or workaround to fix them. Because of this, it's not uncommon for them to know of several unannounced vulnerabilities for weeks or even months before the rest of the world.
But when a cracker creates a virus or worm to take advantage of a flaw before the vendors and researchers, we have a zero-day exploit. It's called zero-day
because there is no time to develop a fix.
Before the Windows code was leaked, zero-day exploits were largely a topic of discussion within the security community. Now, we're very close to seeing the reality. If a cracker uses an unknown exploit, it could be hours or days before there's some way to stop the damage.
I only hope that Microsoft has given the mitigation of potential flaws from this leak the highest priority--because the only solution now is to beat crackers to the punch. Otherwise, this leak could do more than cause a disastrous event on the Net. It could also become a turning point for Microsoft--the point where users start seriously considering the open-source operating systems out there. Those OSs use code that's already been publicly vetted for security flaws, so often it's more secure to begin with--and, of course, it can't be leaked to the Net, because it's already widely available.
Do you expect some previously unknown flaw discovered within the leak to lead to a major new virus or Internet attack? Tell me about it--TalkBack to me!