IDG News Service - Microsoft Corp. is conducting a security review of the Windows 2000 and NT 4.0 source code that was leaked onto the Internet earlier this month to determine whether there is any risk to its customers, the company said yesterday.
"Microsoft is currently performing an in-depth security review of the leaked code," the software maker said in a statement sent via e-mail.
Although the code was checked prior to its commercial release, Microsoft is taking another look at it with more modern review tools. "Since the commercial release of the source code that was leaked, more sophisticated tools and processes have been developed, and there have been numerous improvements in the security review process," the company said.
Analysts and security experts have warned that the Windows source-code breach could lead to an increase in cyberattacks because it could now be easier for hackers to find holes in the operating systems (see story). However, the leaked source code is old, and many issues have already been fixed by patches and service packs.
Still, a bug hunter last week claimed to have uncovered a security flaw in Internet Explorer 5 by studying leaked source code. Microsoft said the problem is a known issue that it had discovered already and fixed in Internet Explorer 6.0. The company was investigating why the flaw was not patched in Internet Explorer 5, which is used by millions of Internet users worldwide.
"In order to thoroughly determine whether or not our customers may be impacted by the unauthorized release of this source code, we are reviewing it again," Microsoft said. The company hasn't decided how long the review will take or how it will respond to anything it may uncover.
Some Microsoft customers were concerned that the leak will require them to install more security patches, although others seemed to consider it business as usual with Microsoft's software.
"This doesn't necessarily change the environment we've had to become accustomed to. Existing vulnerabilities in Windows prior to this code release have forced us to take a much more aggressive approach to service-pack upgrades and security fixes," said Ken Meszaros, assistant vice president and infrastructure manager at LandAmerica Financial Group Inc., a real estate transaction services provider in Richmond, Va.
"We've instituted a staffed security function within our infrastructure group to develop, implement and maintain an aggressive patch-management process. We've gained management commitment to staying current and patched. We utilize system management functions to review and enforce compliance," he said.
Tony Tovar, network administrator at accounting and consulting firm Moss Adams LLP in San Diego, said he trusts that Microsoft has already identified and patched any obvious bugs in Windows 2000 and NT 4.0. "I wouldn't be surprised, though, if the virus-writer community were to find new avenues to exploit," he said.
"My company isn't doing anything we weren't already doing: firewalls, antivirus and automated operating system updates," Tovar said.
Windows 2000 was introduced in 2000, and Windows NT 4.0 was introduced in 1996, according to Microsoft's product support Web site.
Landmark Theatre Corp. in Los Angeles is currently installing Microsoft's Software Update Services (SUS), which allows administrators to install updates on Windows 2000 and Windows Server 2003-based servers, as well as desktop computers running Windows 2000 Professional or Windows XP Professional.
Victor Go, Landmark's vice president of technology, expressed concern about the effect the code leak will have on him and his colleagues. "The fact that we may have to check for, test and deploy patches more often and in a more compressed time frame to mitigate the security risk is a cause for alarm to me and my already overworked support staff," he said.
"Does that mean I have to budget more for next year on support labor to address the already alarming amount of patches that are released by Microsoft?" he said.
Microsoft maintains that the code leak has had no known impact on its customers.
Source code is precompiled code in the form of readable lines of text, usually with comments. It can be compiled into code that can run but can't be read. The Windows code on users' PCs is all compiled code.
Microsoft hasn't commented on how much of the Windows 2000 and NT 4.0 code was leaked, saying only that it is a portion of the code. It has started an internal investigation into the leak and has called in the FBI. Last week, Microsoft warned Internet users not to download the code because it is legally protected intellectual property (see story).
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
