Search on for source of leaked Windows code

Investigators are looking for clues as to how source code for Microsoft's Windows OS made its way onto the Net. An error report found in the code includes information related to a Microsoft partner.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
Investigations continued Friday into how source code for Microsoft's Windows operating system made its way onto the Internet.

Microsoft acknowledged Thursday that a portion of the Windows 2000 and Windows NT 4 source code databases had been leaked. On Friday, Microsoft partner Mainsoft confirmed that it was investigating whether it played a role in the release, after a technology-discussion Web site revealed that an error report in the code includes the corporate e-mail address for a Mainsoft employee.

The companies have had a source-code licensing agreement since 1994 that allows Mainsoft to access and distribute Windows operating system source code. Mainsoft's technology allowed Microsoft's Internet Explorer, Outlook and Media Player to be ported to Sun Microsystems and Hewlett-Packard versions of Unix.

The error report--or core file--included with the leaked Windows code was possibly created when a popular Unix text editor, vi, crashed.

"The core file is generated whenever a program crashes in any Unix operating system," said Chris Wysopal, vice president of research and development for computer security company @Stake. "The core file takes the memory image at the time of the crash."
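An added example, not from the article, of the kind of pre-release check this incident argues for: a strings(1)-style scan over a crash dump that flags e-mail addresses, environment variables and home-directory paths before the file is shared outside the organisation. The memory image, user name and host name below are constructed stand-ins, not data from the leaked core file.

```python
import re

# Constructed stand-in for a Unix core file: a memory image with a few
# identifying strings embedded among binary noise (not a real dump).
SAMPLE_CORE = (
    b"\x7fELF\x00\x00\x01\x02CORE\x00\xff\xfe"
    b"USER=jdoe\x00HOME=/home/jdoe\x00"
    b"\x00\x00\x90\x90\x90\x00"
    b"MAIL=jdoe@example.com\x00"
    b"\x13\x37\x00vi: recovering file /home/jdoe/src/foo.c\x00"
    b"HOSTNAME=build01.corp.example.com\x00\x00\x00"
)

MIN_LEN = 4  # same default as strings(1); shorter runs are usually noise


def printable_strings(image: bytes, min_len: int = MIN_LEN):
    """Yield runs of printable ASCII of at least min_len bytes, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image):
        yield m.group().decode("ascii")


# Patterns that reveal who, or which machine, produced the dump.
IDENTIFIERS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "env_var": re.compile(r"^(USER|HOME|HOSTNAME|LOGNAME|MAIL)=(.+)$"),
    "path": re.compile(r"/home/\S+"),
}


def find_identifying_strings(image: bytes):
    """Return (category, value) pairs for every identifying string in the image."""
    findings = []
    for s in printable_strings(image):
        for category, pattern in IDENTIFIERS.items():
            for m in pattern.finditer(s):
                findings.append((category, m.group()))
    return findings


if __name__ == "__main__":
    # A non-empty result means the dump should not leave the building as-is.
    for category, value in find_identifying_strings(SAMPLE_CORE):
        print(f"{category:8} {value}")
```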

Details of the core file were first posted by BetaNews and confirmed by CNET News.com.

Mainsoft, which has about 80 employees worldwide, didn't confirm the connection on Friday, but said in an e-mail message that it was investigating the matter.

"Mainsoft takes Microsoft's and all our customers' security matters seriously, and we recognize the gravity of the situation," the company said. "We will cooperate fully with Microsoft and all authorities in their investigation."

Although the core file points to Mainsoft as the apparent source of the leaked code, it does not suggest the means by which the code was exposed. The computer where the source code was stored could have been compromised by an online attacker; the machine could have been disposed of or sold without erasing the drive; or the code could have escaped in some other way.

Officials at Mainsoft's home office in San Jose, Calif., said they first learned of the possible connection Friday morning. Investigation into the matter is being handled out of the company's development office in Israel. "We have a really good relationship with Microsoft," a representative said.

Microsoft also wouldn't comment on the connection between the source code and Mainsoft.

"We are in the process of an investigation that started yesterday and are working with the appropriate law enforcement officials," Microsoft spokesman Tom Pilla said.

Pilla added that Microsoft was treating the issue as a theft of intellectual property, not as a security breach. So far, the company has found no reason to suspect that the code came from within Microsoft or from one of the company's developers, he said.

A rare occurrence
Microsoft zealously guards the source code to the various versions of its Windows operating system, sharing it only with universities and government agencies that sign agreements not to release the code. While working versions of Microsoft's operating system have occasionally leaked to the Internet, actual source code leaks have been rare. In October 2000, an intruder penetrated Microsoft's network and may have had access to the source code.

Although Microsoft Chairman Bill Gates has publicly bragged about the security of Windows, even Microsoft fears the release of its code. In testimony during the Microsoft antitrust trial, Jim Allchin, the company's senior vice president for Windows, said opening up the company's source code could be devastating for the operating system's security.

"The more (that) creators of viruses know about how antivirus mechanisms in Windows operating systems work, the easier it will be to create viruses or disable or destroy those mechanisms," Allchin testified during a May 2002 antitrust trial.

Allchin made the statements while defending the company against legal remedies supported by nine states in its antitrust case that would have compelled Microsoft to give away the source code to Internet Explorer.

Microsoft's assertions that the latest source code leak may not have a major impact on its operating systems' security may have some merit. Dates included in a listing of nearly 31,000 files from the leaked Windows 2000 source code indicate that the repository from which the source code was taken is more than two years old, said Russ Cooper, who uses the title "surgeon general" for security company TruSecure.

"This is old stuff, but there may be insights that may lead to something...(however) someone would have to glean information on the vulnerabilities," Cooper said.

Moreover, the older Windows NT code seems to be more complete. The more recent Windows code, from Windows 2000 service pack 1, is only a small fraction of the total operating system, Cooper said. The current Windows 2000 found in companies has likely been patched to service pack 4.

"There are an awful lot of files out there," Cooper added. "I'm pretty sure that Microsoft will make sure that anyone that has the source needs to get rid of the code."

CNET News.com's Matt Hines contributed to this report.