First Fallout from Code Leak Hits the Web

 
 
By David Morgenstern  |  Posted 2004-02-16 Email Print this article Print
 
 
 
 
 
 
 

Updated: A security company on Monday alerted clients of a new vulnerability to Internet Explorer 5, one attributed to the recent leak of Microsoft Corp. Windows source code. Microsoft confirmed the problem late

A security company on Monday alerted clients of a new vulnerability to Internet Explorer 5, one attributed to the recent leak of Microsoft Corp. Windows source code. The quick attack appears to contradict some optimistic expectations that the recent leak of Windows 2000 and NT code would not pose a significant opportunity for hackers. In a statement released late on Monday, the company said it was investigating the reported exploit, but added that "This exploit is a known issue that Microsoft had discovered internally and addressed with the latest release of Internet Explorer—Internet Explorer 6.0 Service Pack 1." According to a message posted by SecurityGlobal.net LLCs Security Tracker Web site, a vulnerability was reported in Microsoft Internet Explorer Version 5 that lets a "remote user execute arbitrary code on the target system."
A hacked bitmap file can trigger an integer overflow and execute arbitrary code, the security bulletin said.
The author of the warning said that this flaw was uncovered by reviewing the recently leaked Windows source code. "I downloaded the Microsoft source code. Easy enough. Its a lot bigger than Linux, but there were a lot of people mirroring it and so it didnt take long," observed the anonymous programmer in his warning. The code is a portion of source from Windows NT 4.0 and Windows 2000 that made its way onto the Internet Thursday.
"IE6 is not vulnerable, so I guess Ill get back to work. My Warhol worm will have to wait a bit..." wrote the author of the warning. The Redmond software company noted that it is continuing to work with the Federal Bureau of Investigation and other law-enforcement officials to investigate the source leak. According to the Monday statement, company officials reiterated the companys position that: "Microsoft source code is both copyrighted and protected as a trade secret. As such, it is illegal to post it, make it available to others, download it or use it. Microsoft will take all appropriate legal actions to protect its intellectual property. "Questions about the investigation should be referred to the FBI," the statement added. Several analysts had predicted no immediate threat from the source code leak, since the amount of code presented on the Internet was limited. However, in comments offered on Friday, Ken Dunham, malicious-code manager at iDefense Inc., based in Reston, Va., said that vulnerabilities in the older Windows would likely be much easier to discover and exploit now after the leak of the source code. "There are a lot of implications to this. The situation just got a lot worse, in terms of vulnerabilities," he said in an interview with an eWEEK reporter. "I imagine well be seeing a lot more this year because of this. Theres certainly enough in [the leaked code] to play with." Security Center Editor Larry Seltzer said the release of Windows source code offers a novel, if widespread, laboratory to test the relative security claims of Windows and open-source operating systems. Click here to read more. This warning follows a string of recent vulnerabilities concerning Internet Explorer. Earlier this month Microsoft released a cumulative patch covering a dangerous Internet Explorer vulnerability that let attackers trick customers into visiting malicious sites. Dennis Fisher, eWEEK, contributed to this story. Check out eWEEK.coms Security Center at security.eweek.com for security news, views and analysis. (Editors note: This story has been updated since its original posting to include comment from Microsoft.)
 
 
 
 
David Morgenstern is Executive Editor/Special Projects of eWEEK. Previously, he served as the news editor of Ziff Davis Internet and editor for Ziff Davis' Storage Supersite.

In 'the days,' he was an award-winning editor with the heralded MacWEEK newsweekly as well as eMediaweekly, a trade publication for managers of professional digital content creation.

David has also worked on the vendor side of the industry, including companies offering professional displays and color-calibration technology, and Internet video.

He can be reached here.

 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel