Microsoft to Review Old Windows Code After Source Leak
By Nate Mook and David Worthington | Published February 19, 2004, 9:25 PM
In an effort to keep its customers secure following the recent Windows source code leaks, Microsoft has turned to the lessons it learned while taking a two-month hiatus in early 2002 to clean house and eliminate insecure code from Windows.
While Redmond's Trustworthy Computing initiative -- which sparked the code review -- marked a watershed event in Microsoft's history, the underlying bits of Windows that leaked onto the Web late last week predate this effort, and underwent review by way of the more porous quality control measures that were in practice at the time.
Microsoft engineers are busy making the most of knowledge gained by that experience, and are performing a security audit on the wayward Windows source code materials using today's security processes.
"This code did go through the quality control process of its day before its release, which was a number of years ago. Since then, there have been numerous improvements in the security process, and code has continually been reviewed and updated for security," a Microsoft spokesperson told BetaNews. "In this case, in order to help ensure our customers are not impacted by the release of this source code, we are reviewing it again."
If necessary, the company will patch supported legacy versions of its software, including older builds of Internet Explorer, but encourages users to upgrade and follow the measures outlined at its Protect Your PC Web site.
"The most recent version of any operating system should always be the most secure," the spokesperson said. However, this may leave many customers who have not upgraded without protection.
Just days after the leak, the first exploit to take advantage of a vulnerability discovered in the source code appeared on security mailing lists. The flaw lies in the way Internet Explorer handles bitmap images, and could lead to the execution of arbitrary code on a victim's computer. Although the bug was fixed in IE 6 Service Pack 1, earlier versions of IE are used by over 25 percent of Web surfers.
For customers who have not upgraded to the latest release, a Microsoft spokesperson told BetaNews, "In this case, we are working to provide this fix to supported versions of Internet Explorer that are affected by this issue."
What remains to be seen is whether additional flaws will be uncovered as a result of the new source code review, and how Microsoft will handle fixes to legacy products such as Windows NT 4 and Windows 2000 Service Pack 1, portions of which were leaked.
Industry watchers have already begun to weigh in.
"Considering the number of products outside support but still in use, this is no small matter," said Jupiter Research senior analyst Joe Wilcox.
"Another issue: How far did Microsoft extend its original two-month Windows code review; that's a question only the company can answer. When Microsoft conducted that review, some Internet Explorer 5 versions had already passed their period of lifecycle support. IE 5.01 for Windows 2000 Service Pack 2 expires at the end of June," noted Jupiter's Wilcox. "Was there a thorough review of IE 5.01 for Windows 2000 SP1, for which some code leaked last week and for which a flaw was soon after uncovered?"
Microsoft modified its support policy for service packs on October 15, 2002, such that all products released before that date will continue to receive fixes for the most current service pack only.
If taken as gospel, this policy excludes Windows 2000 Service Pack 1.
Although Microsoft has taken the proactive step to review its leaked code for potential vulnerabilities, a spokesperson for Sun Microsystems questioned the motives. "The need for a review of legacy code should not be event driven, but rather be in the culture and fabric of the company," the spokesperson said.
I think it's interesting that M$ always claimed OpenSource products would be less secure because all those bad guys out there could easily dig the source code for security holes. A year ago I found the argument quite convincing, because if you look at the source code of programs it's BY FAR easier to find security holes.
But what I didn't think about was: What if Microsoft source code would leak one day?
Well, the situation is quite obvious:
Linux source code has been reviewed by millions of programmers around the world continuously whereas Microsoft source code was only looked at by a few individuals for a long time.
The result is obvious, just look at the Bugtraq mailing list on how many hackers are currently digging thru the Windows source code finding more and more vulnerabilities like the one with which you could execute any code by just letting the victim look at a manipulated BMP image.
No wonder Microsoft now spends lots of extra hours on digging their code before the hackers do!
watch out folks,
Ingmar
Score: 0
|I bet that hackers will be able to find errors and exploit the OS much faster than Microsoft can find and fix those errors.
any takes?
Score: 0
|Hackers... I hate that word... I am just finishing my 3rd year in a Comp Sci / Software Engineering degree and I don't consider myself a hacker.. but if I look at code I can figure it out... and change if I wanted to...
the sheer volume of code that people will have to go through to find a little bug here and there will be astronomical... I wouldn't want to do it myself... Microsoft has a huge team which has knowledge of the code beforehand ... they will surely find the bugs faster than a single person.. or small handful of people ...
Score: 0
|I've had computer science myself in college. I know they're programmers really, but the general public calls them because they associate bad things w/ hackers.
So I said hackers since they will be writing "bad" stuff and the general public will know what I'm referring to.
Score: 0
|One more thing. Changing code is one thing and having existing code being exploited is another thing. For example, an integer overflow or something else (like that bitmap image thing) is completely different, and generally worm/virus/whathaveyou programmers write small programs to take advantage of that bug. Those people can be called hackers. Hackers aren't just people that break into computers.
Score: 0
|Not to spurn on a debate on the issue, but generally speaking, the nasty folks you are referring to are better known as crackers so as to distinguish them from the better, socially redeeming hackers.
Score: 0
|No, the people I'm referring to are better hackers than crackers. Crackers are more of a crack the security code (i.e. serial generators), CD dongles, because you're cracking the security.
A hacker on the other hand uses what's out there already, i.e. Windows has a flaw and they expose it. That is a hacker, not a cracker.
Score: 0
|I agree
Score: 0
|Baggio you lose ;-p
Score: 0
|You are confusing crackers with cracks. There seem to be two usages of the word cracker.
Score: 0
|Well, here is the thing... a hacker is somebody that merely uses a computer with skill. A cracker is somebody that breaks into computers. A script kiddie is somebody who is using cracking tools to crack computers, but doesn't know how the tools work or sometimes what they are even doing. Hacker = good, cracker = bad, and the inner-most circle of hell is reserved for script kiddies.
Score: 0
|A Cracker is something you have with your Tea
Score: 0
|No, really, you're wrong.
Just because crackers has "crack" in the name doesn't limit them exclusively to cracks ('serialz' etc). The term is also used to denote someone who cracks into computers, often with malicious intent. A hacker is actually a programmer, because a "hack" is a piece of badly-written or -implemented code, hence a "hacker" being someone who hacks together code.
Score: 0
|that many posts went towards an argument about what a hacker, crack, or anything is.
Score: 0