Microsoft Checks Leaky Windows
Company says code published on Net has had no known impact on customers.
Joris Evers,
IDG News Service
Tuesday, February 24, 2004

Microsoft is conducting a security review of the Windows 2000 and NT 4.0 source code leaked onto the Internet earlier this month to determine if there is any risk to its customers, the company said Monday.

Microsoft is currently performing an in-depth security review of the leaked code, the Redmond, Washington-based software maker said in a statement sent via e-mail.



Cross-Checking Code
The code was checked prior to its commercial release, but Microsoft is taking another look at it with more modern review tools.

Since the commercial release of the source code that was leaked, more sophisticated tools and processes have been developed, and there have been numerous improvements in the security review process, the company said.

Analysts and security experts have warned that the Windows source code breach could lead to an increase in cyberattacks because it would make it easier for hackers to find holes in the operating systems. However, the leaked source code is old and many issues have already been fixed by patches and service packs.

Still, a bug hunter last week claimed to have uncovered a security flaw in Internet Explorer 5 by studying leaked source code. Microsoft said the problem is a known issue that it had discovered already and fixed in IE 6.0. The company was investigating why the flaw was not patched in IE 5, which is used by millions of Internet users worldwide.

In order to thoroughly determine whether or not our customers may be impacted by the unauthorized release of this source code, we are reviewing it again, Microsoft said. The company has not assigned a timeline to its review and has yet to decide how to respond to anything the review may uncover, according to the statement.



Same Old Situation?
Some Microsoft customers were concerned that the code leak will require them to install more security patches, although others seemed to consider it business as usual with Microsoft's software.

This doesn't necessarily change the environment we've had to become accustomed to. Existing vulnerabilities in Windows prior to this code release have forced us to take a much more aggressive approach to service pack upgrades and security fixes, said Ken Meszaros, assistant vice president and infrastructure manager at LandAmerica Financial Group, a real estate transaction services provider in Richmond, Virginia.

We've instituted a staffed security function within our infrastructure group to develop, implement, and maintain an aggressive patch management process. We've gained management commitment to staying current and patched. We utilize system management functions to review and enforce compliance, Meszaros said.

Tony Tovar, network administrator at accounting and consulting firm Moss Adams in San Diego, said he trusts that Microsoft has already identified and patched any obvious bugs in Windows 2000 and NT 4.0. I wouldn't be surprised, though, if the virus-writer community were to find new avenues to exploit, he said.

My company isn't doing anything we weren't already doing: firewalls, antivirus, and automated operating system updates, Tovar added.



Customer Concerns..............................
More at PCWorld