Microsoft confirmed late Thursday that some of the source code for its flagship Windows operating system was leaked onto the Internet.
The company said that portions of the code for Windows 2000 and Windows NT 4.0 were made available. "It's illegal for third parties to post Microsoft source code, and we take such activity very seriously," the company said in a statement.
"We are currently investigating these postings and are working with the appropriate law enforcement authorities," the company said.
Microsoft added that the leak did not appear to be a breach of Microsoft's corporate network or its internal security.
News of the leak spread quickly Thursday on Neowin.net and other IT community Web sites.
Several experts said that the breach was more of an embarrassment than anything else. "Having source code put on the Web is indicative of some trusted partner that Microsoft had that was doing something improper," said Rob Enderle, principal at the Enderle Group, San Jose, Calif.
But embarrassing doesn't mean harmful, he said: "With that security cloud hanging over Microsoft already, this doesn't help any, but as far as any lengthy damage caused, I'd say no."
Only a matter of time
Steve Kleynhans, a vice president with Stamford, Conn.-based Meta Group, said that, because Microsoft has allowed selected governments and corporations to see its source code over the past year as part of its "shared source initiative", it was only a matter of time before the Windows code made its way into the open.
"Even if didn't happen now, it will happen some day," Kleynhans said Thursday night before Microsoft confirmed the leak. "The more people who see the code, the greater the chance it's going to slip out."
He too downplayed the significance of the leak.
"Just because you get a copy of the code, it doesn't mean you can make your own Windows," he said. "It's not like some competitor is going to clone Windows and suddenly put Microsoft out of business."
Piracy, security problems limited
Critical elements of Windows -- such as the algorithms used in it -- are already protected by patents, making the threat of piracy minimal, Kleynhans said. Security concerns are minimal, too. "Things like how passwords are done? That's pretty much cracked anyway. I think people [already] understand how those processes work."
Kleynhans also said that snippets of source code don't constitute the "crown jewels" anyway.
"It's the whole [Windows product] that's the crown jewels, and any given piece would be like one gemstone on the crown jewels," he said.
Michael Cherry, an analyst at Directions on Microsoft, in Kirkland, Wash., said that a leak of Windows source code won't affect customers unless it somehow allows people to launch more sophisticated attacks on Windows.
"Anything is possible," he said. "It's hard to assess the risk without knowing more.
"In any event, customers must be vigilant about protection. They need their firewall configured correctly, [to] keep software up to date and [to] apply all patches that have been released. The threat is already there. People are already writing malicious code."
Customers react to the news
At least one customer was unconcerned with the leak. Ken Adams, CIO at Miles & Stockbridge PC, a Baltimore law firm, said that he has confidence that Microsoft will do what it has to do to protect its customers.
"We rely on their expertise in tracking these things down and taking care of them," Adams said. "I don't think it's an issue."
It is possible to purchase source code for development purposes, and many of Microsoft's partners probably have likely done so. The code cannot legally be released to the public, but that wouldn't stop a disgruntled employee, said one IT administrator, who asked not to be named.
No silver lining, thanks to hackers
Paul Edwards, a Windows administrator at PHH Arval, the Sparks, Md.-based subsidiary of Cendant Corp., said that, in a world free of hackers, there might actually have been a positive side to the leak.
"In a perfect world, this 'leak' would lead to more of an open source approach for Windows," Edwards said. "Developers would use the knowledge to create open source applications on the Windows platform.
"Unfortunately, we know that this isn't a perfect world, and the would-be developers are hackers who will likely use the knowledge to get a leg up on creating worms and Trojans that exploit vulnerabilities in the platform."
News editor John Hogan contributed to this report.
FOR MORE INFORMATION:
Featured Topic: Trustworthy Computing
Best Web Links: Security