The sections of code, which amount to a tiny fraction of the entire operating systems instructions, apparently began circulating on peer-to-peer networks in the cracker underground early in the week, sources said. Someone then posted the code to a handful of Web sites, and on Thursday Microsoft officials confirmed the code was legitimate.
Having even small portions of the Windows 2000 code freely available online is a nightmare scenario for Microsoft. The code is the basis for Windows XP and Windows Server 2003. Although the potential for piracy is lessened somewhat by the fact that the posted code was not a complete copy, concern is mounting that crackers will scour the code in search of unknown vulnerabilities.
"Vulnerabilities in Windows NT and Windows 2000 will likely be much easier to discover and exploit now that the source code has been leaked to the Internet," said Ken Dunham, malicious-code manager at iDefense Inc., based in Reston, Va. "There are a lot of implications to this. The situation just got a lot worse, in terms of vulnerabilities. I imagine well be seeing a lot more this year because of this. Theres certainly enough in [the leaked code] to play with."
iDefenses Dunham said that the code was spreading quickly in the cracker underground. There were reports that copies of the code were being passed around on underground file-sharing networks.
But not everyone agrees that potential risks are associated with the leaked code. "Its pretty clear that people are already finding severe vulnerabilities in Windows anyway," said Chris Wysopal, director of research and development at @Stake Inc., in Cambridge, Mass.
As of press time no culprit had been named as the source of the leak, but people who examined the code said it contained several references to a Microsoft partner, Mainsoft Corp., of San Jose, Calif., including in one instance the companys e-mail address.
However, at least one security expert suggested culpability rested elsewhere.
"Unless someone went to a lot of trouble to do an elaborate frame-up, this looks like it was stolen from [Mainsofts] machine," said Wysopal. "It seems unlikely that someone would go to all that trouble. Its more likely that they put the code on a misconfigured or insecure machine, and it got broken into."
On Friday, Mainsoft Chairman Mike Gullard in a statement offered no insight into the leak but acknowledged the issue. "Mainsoft takes Microsofts and all our customers security matters seriously, and we recognize the gravity of the situation." Gullard added that Mainsoft will cooperate fully with the investigations.
Mainsoft has been a partner of Microsoft since 1994 and, like many other partners, has had access to the Windows source code since then. In 2001, Microsoft extended the practice of sharing code with developers with an official program called the Shared Source Initiative. Not surprisingly, partners in the program are bound by strict license agreements.
Because of the program, observers say there is little doubt Microsoft will move quickly to identify the source of the leak. In fact, following its acknowledgement of the leak, Microsoft officials said Shared Source personnel, not Microsofts security team, are handling the investigations into the code leak.
A Microsoft spokesman refused to comment on the possible source of the code leak but said that federal law enforcement officials are conducting an investigation and that the company is confident the leak is not the result of a breach of Microsofts own network.
In its acknowledgement of the leak, Microsoft said the following in a statement:
"On Thursday, Microsoft became aware that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet. Its illegal for third parties to post Microsoft source code, and we take such activity very seriously.
"We are currently investigating these postings and are working with the appropriate law-enforcement authorities. At this point it does not appear that this is the result of any breach of Microsofts corporate network or internal security. At this time there is no known impact on customers."