As I'm sure you've all heard by now, a portion of the source code for the Windows 2000 operating system has been leaked onto the Internet. Microsoft is asking individuals who've posted or downloaded the copyrighted code to stop doing so and to delete any copies they may have. But as I write this, the code is still available online.
Zero-day exploits possible
To you and me, it's just code, but for a criminal hacker, or cracker, it's a treasure trove of new software vulnerabilities waiting to be found. The real danger here is that crackers, using the leaked code, could take us all by surprise and exploit flaws that no one--not even Microsoft--is aware of. That means there would be no quick fixes for the flaws, and whatever virus, worm, or attack the cracker came up with could continue to cause harm while vendors and security researchers scramble to come up with a solution.
This is what's called, in security parlance, a zero-day exploit--one of the most dreaded and potentially destructive computer security scenarios. Let's just hope Microsoft has made finding flaws in this code a top priority.
Before I go any further, I'd like to clear up some misconceptions I've heard about this topic. First, the leaked code is what programmers view and modify, not the compiled code that runs on your desktop. And it represents only 15 percent of the total OS. This means you wouldn't be able to use it to, say, create your own home-brewed version of Windows 2000.
Second, the source code is old, dating back to July 2000. Since Microsoft, like other software vendors, does not create new versions from scratch, it is assumed that some of the leaked code (bugs and all) is still in use in post-2000 OSs, such as Windows XP.
Inside Microsoft's thinking
What the code does offer is a glimpse into the thinking of Microsoft programmers--both strengths and weaknesses. Already, one flaw affecting older versions of Internet Explorer has been found by someone outside of Microsoft, and I expect more to be announced on security mailing lists such as Bugtraq in the coming weeks.
Microsoft has confirmed that within the leaked code there's at least one flaw, which affects how Internet Explorer (versions 5.0 and 5.5) and Outlook Express process bitmap images. The software giant says the vulnerability was fixed in Service Pack 1 for Windows XP. But that won't help the people who are still running older versions of Windows. And because the fix is available in a Service Pack, those running unlicensed versions of XP are just as vulnerable as those running the older OSs. Microsoft is said to be considering releasing a patch for wider distribution.
Exactly how the code got onto the Internet remains a mystery, which the FBI is investigating. Evidence within the code itself points to Mainsoft, a San Jose, California-based company that migrates Microsoft software to other OS platforms and has an agreement with Microsoft to use the Windows source code. Mainsoft is said to be cooperating with the FBI.
Regardless of how the code got out there, Microsoft now faces a race against the clock as it works to locate and patch any vulnerabilities discovered because of the leak before someone else can exploit them.
Patch or no patch
Typically, vendors or security researchers who discover software vulnerabilities won't announce them publicly until they're able to provide a patch or workaround to fix them. Because of this, it's not uncommon for them to know of several unannounced vulnerabilities for weeks or even months before the rest of the world.
But when a cracker creates a virus or worm to take advantage of a flaw before the vendors and researchers, we have a zero-day exploit. It's called zero-day because there is no time to develop a fix.
Before the Windows code was leaked, zero-day exploits were largely a topic of discussion within the security community. Now, we're very close to seeing the reality. If a cracker uses an unknown exploit, it could be hours or days before there's some way to stop the damage.
I only hope that Microsoft has given the mitigation of potential flaws from this leak the highest priority--because the only solution now is to beat crackers to the punch. Otherwise, this leak could do more than cause a disastrous event on the Net. It could also become a turning point for Microsoft--the point where users start seriously considering the open-source operating systems out there. Those OSs use code that's already been publicly vetted for security flaws, so often it's more secure to begin with--and, of course, it can't be leaked to the Net, because it's already widely available.
Do you expect some previously unknown flaw discovered within the leak to lead to a major new virus or Internet attack? Tell me about it--TalkBack to me!