First Exploit Surfaces from Leaked Windows Code
UPDATED Just two days after portions of the Windows 2000 Service Pack 1 source made their way onto the Internet, the first exploit to take advantage of bugs discovered in the now-opened code has appeared on security mailing lists.
The vulnerability lies in Internet Explorer's handling of bitmap images. With a specially created bitmap, a remote user can cause a buffer overflow and execute arbitrary code on a target system. The author of the report, which was seemingly posted with malicious intent, indicates the flaw was uncovered when analyzing the file "imgbmp.cxx" within the Windows source code.
As previously reported, BetaNews traced the leaked source code back to Microsoft partner Mainsoft, which utilized it for MainWin, a software platform for porting Windows applications to UNIX.
It is not clear exactly how much of the Windows source was in the leak, but because the code was three and a half years old, Microsoft may have an easier time controlling the damage.
At this time it appears the exploit only affects Internet Explorer 5, and was fixed for the release of version 6 Service Pack 1. But even though IE 6 SP1 is a free upgrade, IE 5 and 5.5 continue to be used by over 25 percent of Web surfers, according to recent statistics by OneStat.com.
A company spokesperson confirmed to BetaNews that Microsoft was investigating the newly reported exploit. "This particular vulnerability was previously identified and addressed in IE 6 SP1 (service pack 1) which shipped on August 30, 2002. Microsoft continues to recommend that customers stay up to date with the latest security updates and service packs."
"Customers running Windows XP Service Pack 1 or Windows Server 2003 who have installed all of the latest updates are not impacted," the spokesperson said.
Microsoft has said that future versions of Internet Explorer will only be available with operating system upgrades, with IE 7 slated for inclusion in Windows Longhorn. The decision could pose problems for users not wishing to upgrade, or force Microsoft to issue security fixes for long-outdated products if hackers find further holes in the leaked Windows source.
Jupiter Research senior analyst Joe Wilcox questioned the significance of vulnerabilities discovered within the source. "Much depends on whether newly discovered bugs matter. Microsoft may not have fixed some bugs because they're in old software, such as Internet Explorer 5. Others may be known problems that were fixed later on, either in patches or new products."
However, Wilcox noted that the exploit is likely to fan the flames of open source advocates who claim their approach is more secure, because nothing is hidden. "Already Microsoft is under pressure to open access to its source code, particularly from governments. One major issue: Security. The more bugs that are found, the more pressure Microsoft will face from customers."
"Microsoft and many security specialists agree that given the sophisticated techniques and tools in use by security researchers and malicious attackers today, this partial code exposure provides attackers limited incremental ability to find new or unknown security issues," a Microsoft spokesperson told BetaNews.
"Microsoft is reviewing the leaked source code material to identify areas that could be exploited, and will take appropriate steps to protect customers."