First Fallout from Code Leak Hits the Web

Updated: A security company on Monday alerted clients of a new vulnerability to Internet Explorer 5, one attributed to the recent leak of Microsoft Corp. Windows source code. Microsoft confirmed the problem late

A security company on Monday alerted clients of a new vulnerability to Internet Explorer 5, one attributed to the recent leak of Microsoft Corp. Windows source code. The quick attack appears to contradict some optimistic expectations that the recent leak of Windows 2000 and NT code would not pose a significant opportunity for hackers.

In a statement released late on Monday, the company said it was investigating the reported exploit, but added that "This exploit is a known issue that Microsoft had discovered internally and addressed with the latest release of Internet Explorer—Internet Explorer 6.0 Service Pack 1."

According to a message posted by LLCs Security Tracker Web site, a vulnerability was reported in Microsoft Internet Explorer Version 5 that lets a "remote user execute arbitrary code on the target system."

A hacked bitmap file can trigger an integer overflow and execute arbitrary code, the security bulletin said.

The author of the warning said that this flaw was uncovered by reviewing the recently leaked Windows source code.

"I downloaded the Microsoft source code. Easy enough. Its a lot bigger than Linux, but there were a lot of people mirroring it and so it didnt take long," observed the anonymous programmer in his warning.

The code is a portion of source from Windows NT 4.0 and Windows 2000 that made its way onto the Internet Thursday.

"IE6 is not vulnerable, so I guess Ill get back to work. My Warhol worm will have to wait a bit..." wrote the author of the warning.

The Redmond software company noted that it is continuing to work with the Federal Bureau of Investigation and other law-enforcement officials to investigate the source leak.

According to the Monday statement, company officials reiterated the companys position that: "Microsoft source code is both copyrighted and protected as a trade secret. As such, it is illegal to post it, make it available to others, download it or use it. Microsoft will take all appropriate legal actions to protect its intellectual property.

"Questions about the investigation should be referred to the FBI," the statement added.

Several analysts had predicted no immediate threat from the source code leak, since the amount of code presented on the Internet was limited.

However, in comments offered on Friday, Ken Dunham, malicious-code manager at iDefense Inc., based in Reston, Va., said that vulnerabilities in the older Windows would likely be much easier to discover and exploit now after the leak of the source code.

"There are a lot of implications to this. The situation just got a lot worse, in terms of vulnerabilities," he said in an interview with an eWEEK reporter. "I imagine well be seeing a lot more this year because of this. Theres certainly enough in [the leaked code] to play with."

/zimages/1/28571.gifSecurity Center Editor Larry Seltzer said the release of Windows source code offers a novel, if widespread, laboratory to test the relative security claims of Windows and open-source operating systems. Click here to read more.

This warning follows a string of recent vulnerabilities concerning Internet Explorer. Earlier this month Microsoft released a cumulative patch covering a dangerous Internet Explorer vulnerability that let attackers trick customers into visiting malicious sites.

Dennis Fisher, eWEEK, contributed to this story.

/zimages/1/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis.

(Editors note: This story has been updated since its original posting to include comment from Microsoft.)