
Windows code leaked onto the Internet

iain

It appears that large chunks of the source code for Windows NT and 2000 (and, therefore, also XP, which shares a lot of the code) have leaked onto the internet (see the story on the BBC, for example).

Anyone running these OSs should now be even more concerned about security. There are two approaches to security: obscurity and openness. Both have pros and cons. With obscurity, no-one outside the company (in this case, Microsoft) can see the source code. Since fewer people check it for bugs, it probably has more; but as the bad guys can't see the code it makes it more difficult for them to find them. The alternative Open Source approach is that everyone can see the code - good guys and bad guys.

Unfortunately, with a leak like this Microsoft get the bad effects of Open Source without the good ones. All the bad guys can start searching the code for bugs to exploit but the good guys won't be checking it to find fixes.

Copyright law makes it quite dangerous for any programmer to look at the Windows source code without authorisation from Microsoft. If they took part in the development of any software in future, and Microsoft thought it was partly copied from Windows, it would greatly enhance the Microsoft case if they could show that one of the programmers had seen the source code.

I don't have any idea whether this will lead to worse security exploits than we've already seen, or just more of the same. Whatever, this may be a good time for anyone running NT (especially, as it's out of support) and also 2000 to upgrade, or to look at switching to another Operating System (e.g. Linux, Mac OS X, Unix).

(And don't download or view the source code of course).
 
Jon_in_london said:
Apparently, MS programmers have pretty foul mouths (or fingers)

http://news.bbc.co.uk/1/hi/technology/3485545.stm


All programmers do. Well, all that I know. A simple search of the Linux source code -- available everywhere fine operating systems are freely available -- will show something between 50-100 obscenities scattered about.

No news here.

At my own company, one of our programmers decided to return a "F@#@ ERROR" (not censored in the code) at a piece of (theoretically) unreachable code. Unfortunately, some customer managed to get the error right off the bat. Now that was embarrassing.

In comments, though, it's expected that you can say anything you like - at least at most programming houses I know of.
 
WildCat said:

But that could have been added by the folks who leaked it, as a way to further embarrass MS. In fact, I think that's a more likely scenario.

Nonsense. Examining a non-trivial amount of commercial-grade source code will show it's far more likely the MS programmers had a few unkind things to say about their own code. We *all* do. It's just part of the industry, like a mechanic cursing out his monkeywrench after he drops it on his foot... only a little more visible to the outside world when something like this happens.

Edited to add:

These obscenities, for those of you who aren't programmers, appear in COMMENTS in the code. This is the part of the source code for a program that means nothing at all to the computer, and the comments are in fact removed as part of the first step in turning source code into a program that can be run.

That means these comments, under normal circumstances, are never seen by anyone except the programmers themselves. When the source code is turned into a real copy of Windows that you can go to the store and purchase, those comments don't exist anyplace on the CD you bought.

It is, as I've said, perfectly normal and acceptable practice among professionals in the business to say anything that seems relevant at the time within a comment. And of course, anyone who's been a programmer knows that curse words often seem highly relevant.
 
iain said:
Unfortunately, with a leak like this Microsoft get the bad effects of Open Source without the good ones. All the bad guys can start searching the code for bugs to exploit but the good guys won't be checking it to find fixes.

Looks like there's already been one exploit found related to the leaked code: http://www.securitytracker.com/alerts/2004/Feb/1009067.html

It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.
...
The author states that this flaw was found by reviewing the recently leaked Microsoft Windows source code
 
That's fast work: 4 days to find the hole and create an exploit.

I wonder how many more there are waiting to be found in the 13 million lines of code?

*Running Linux and feeling smug*
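The alert quoted above describes a crafted bitmap triggering an integer overflow. As an added illustration, not code from this thread, from the alert, or from the leaked Windows source, here is the general shape of that bug class: a size computed from 32-bit header fields wraps, a small buffer is allocated, and the decoder then writes far more than that. The header layout, field names, the 64 MiB ceiling and the sample headers are all assumptions constructed for the example; the actual flaw in the alert is not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, minimal bitmap header. A real BMP header has more fields and
 * a different layout; only the three that drive the size computation are
 * modelled here (assumption for the example). */
typedef struct {
    uint32_t width;           /* pixels per row              */
    uint32_t height;          /* rows                        */
    uint16_t bits_per_pixel;  /* 8, 24 or 32 in this example */
} bmp_header_t;

/* Constructed example inputs. CRAFTED has width*height = 0x100000100, which
 * wraps to 0x100 (256) when multiplied in 32-bit arithmetic. */
static const bmp_header_t BENIGN  = { 640u, 480u, 24 };
static const bmp_header_t CRAFTED = { 0x1000001u, 0x100u, 8 };

/* Hard ceiling on decoded pixel data; an assumed policy value for the
 * example, not anything taken from the thread. */
#define MAX_IMAGE_BYTES (64u * 1024u * 1024u)

/* Vulnerable pattern: multiply 32-bit header fields in 32-bit arithmetic.
 * The product silently wraps modulo 2^32, so a 4-billion-pixel image can
 * report a buffer size of a few hundred bytes. A decoder that allocates this
 * many bytes and then writes width*height*bpp bytes of pixel data overruns
 * the heap. (Only the size computation is shown; no overrun is performed.) */
uint32_t pixel_bytes_unchecked(const bmp_header_t *h)
{
    uint32_t bpp = h->bits_per_pixel / 8u;
    return h->width * h->height * bpp;   /* wraps: CRAFTED yields 256 */
}

/* Hardened pattern: widen to 64 bits before multiplying (two 32-bit factors
 * and a factor of at most 4 cannot overflow 64 bits), validate the depth, and
 * refuse anything over an explicit ceiling so a huge-but-honest header cannot
 * be used for memory exhaustion either. Returns 0 and sets *out on success,
 * -1 on rejection. */
int pixel_bytes_checked(const bmp_header_t *h, size_t *out)
{
    if (h->bits_per_pixel != 8 && h->bits_per_pixel != 24 && h->bits_per_pixel != 32)
        return -1;
    if (h->width == 0 || h->height == 0)
        return -1;
    uint64_t bpp   = h->bits_per_pixel / 8u;
    uint64_t bytes = (uint64_t)h->width * (uint64_t)h->height * bpp;
    if (bytes > MAX_IMAGE_BYTES)
        return -1;
    *out = (size_t)bytes;
    return 0;
}

/* Convenience wrapper: the validated byte count, or 0 if the header is rejected. */
size_t checked_bytes_or_zero(const bmp_header_t *h)
{
    size_t n = 0;
    return pixel_bytes_checked(h, &n) == 0 ? n : 0;
}

/* Loader built on the checked computation: the allocation size and the copy
 * length are the same validated number, and the file must actually contain
 * that much data. Returns NULL on any rejection; the caller frees the buffer. */
unsigned char *load_pixels(const bmp_header_t *h, const unsigned char *data, size_t data_len)
{
    size_t need;
    if (pixel_bytes_checked(h, &need) != 0)
        return NULL;
    if (data_len < need)            /* truncated file or lying header */
        return NULL;
    unsigned char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, need);
    return buf;
}

int main(void)
{
    printf("benign:  unchecked=%u checked=%zu\n",
           pixel_bytes_unchecked(&BENIGN), checked_bytes_or_zero(&BENIGN));
    printf("crafted: unchecked=%u checked=%zu (0 = rejected)\n",
           pixel_bytes_unchecked(&CRAFTED), checked_bytes_or_zero(&CRAFTED));
    return 0;
}
```

The unchecked path returns 256 for the crafted header while the honest 640x480x24 image gives 921600 either way; the checked path rejects the crafted header outright. The two things to take from it are that the check belongs before the allocation, and that the same validated number must be used for both the allocation and the copy.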
 