Computer Cops - First Fallout from Code Leak Hits the Web

First Fallout from Code Leak Hits the Web

By David Morgenstern
February 16, 2004

A security company on Monday alerted clients of a new vulnerability to Internet Explorer 5, one attributed to the recent leak of Microsoft Corp. Windows source code. The quick attack appears to contradict some optimistic expectations that the recent leak of Windows 2000 and NT code would not pose a significant opportunity for hackers.

According to a message posted by SecurityGlobal.net LLC's Security Tracker Web site, a vulnerability was reported in Microsoft Internet Explorer Version 5 that lets a remote user execute arbitrary code on the target system.

A hacked bitmap file can trigger an integer overflow and execute arbitrary code, the security bulletin said.

The author of the warning said that this flaw was uncovered by reviewing the recently leaked Windows source code.

I downloaded the Microsoft source code. Easy enough. It's a lot bigger than Linux, but there were a lot of people mirroring it and so it didn't take long, observed the anonymous programmer in his warning.

The code is a portion of source from Windows NT 4.0 and Windows 2000 that made its way onto the Internet Thursday.

IE6 is not vulnerable, so I guess I'll get back to work. My Warhol worm will have to wait a bit... wrote the author of the warning.

Microsoft issued an updated statement on the posting of the Windows source code late in the day on February 16. In its statement, the company said it was investigating the reported exploit, but added that This exploit is a known issue that Microsoft had discovered internally and addressed with the latest release of Internet Explorer—Internet Explorer 6.0 Service Pack 1.

The Redmond software company noted that it is continuing to work with the Federal Bureau of Investigation and other law-enforcement officials to investigate the source leak. In its statement, company officials reiterated the company's position that: Microsoft source code is both copyrighted and protected as a trade secret. As such, it is illegal to post it, make it available to others, download it or use it. Microsoft will take all appropriate legal actions to protect its intellectual property.

Questions about the investigation should be referred to the FBI, the statement added. .......................................................

More at eWeek


	Home · Topics · Submit News · Top 10 This entire site, Cops Themes, and Computer Cops are © 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright © 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 686 pages served in previous 5 minutes. Page Generation: 0.341 seconds.