Just when you thought the Windows security picture couldnt get any worse, Microsoft confirmed Friday that source code from its well-worn Windows NT 4.0 and Windows 2000 operating systems had been leaked on the Internet.
On Feb. 10, the company announced two new security holes that affect all of the companys desktop and server operating systems, one of which is potentially as dangerous as the flaw exploited by last years MSBlast worm.
But the leak of source code raises the threat considerably for companies running Windows desktops and servers. While Microsoft is downplaying the immediate risk to its customers, theres plenty of reason to be alarmed.
While the source code that is now running loose in the wild is from Microsofts older operating systems—Microsoft stopped supporting NT 4.0 desktop systems and Windows 2000 is nearing the end—there are still large numbers of systems that run on them. More importantly, portions of the code may still be part of Microsofts most recent versions of Windows.
This creates something of a Cuban Missile Crisis for Windows user. Anyone interested in finding new security holes in Microsofts operating system might now be able to find vulnerabilities right in the source code. As a result, they could exploit those holes before Microsoft can issue a patch, and attacks could come without warning.
The actual risk from the leaked source code may turn out to be negligible. People who do nothing to protect their companies may emerge unscathed. But until Microsoft confirms which code has been leaked, and gives a clear picture of the risk that the code places on its customers, theres no telling what will get thrown at Windows systems, from where, or when. Times like these call for paranoia.
Here are a number of steps you can take right now to reduce short-term risk to your systems:
Patch everything pronto
Make sure that youve got all your systems on a network up to the most recent set of Microsoft hot-fixes. Thats easier said than done; youll need to ensure that the patches dont break any of your current applications. For anything that is broken by the patch, youll have to make the call--is this important enough to the company to risk leaving systems open to attack?
Tighten up your firewalls, both at the edges of your network and within it
Take a hard look at the types of network traffic youre letting pass through firewalls; if it isnt essential to a critical application, then shut it down.
If you dont have patch management software, get it
If Microsoft is forced to pick up the pace of deploying fixes to security holes, then the task of manually managing the installation of fixes will become a major resource drain—and the longer it takes to roll out each new patch, the greater your window of vulnerability.
Watch your network traffic like a hawk
Baseline the types of traffic on your network now, and watch for spikes that cant be explained by normal application usage. One of the latest known bugs in Windows, for example, exploit the Windows Internet Name Service (WINS)--a sudden peak in WINS requests might indicate an attack.
Consider your options
If youre running an all-Microsoft infrastructure, this may be the time to consider adding some diversity to your infrastructure. Investigate whether you can move some applications to other operating systems as a backup or outright replacement. Weigh the cost of investing in training staff, migration of applications and additional systems management against the potential cost of an outage or loss of data; but remember the probability of that loss is now a lot higher.
For some executives, these measures may seem obvious. But the damage done in the past year by threats that were already well known to the information technology community illustrates that people dont always do what they obviously should.