Experts Disagree on Potential Effects of Stolen Code

Despite predictions of Windows-eating superworms and fears of dozens of new vulnerabilities hitting the Internet every week, security experts say it could be some time before any real security problems arise from the theft of Microsoft Corp.s Windows source code.

Many researchers said that they are intentionally steering clear of the code and will not download it for fear of legal reprisals from Microsoft or the FBI, which is handling the investigation. As a result, there will likely be little in the way of new, legitimate vulnerability research done on the code, which includes portions of both the Windows NT 4.0 and 2000 source code.

However, soon after its public debut two weeks ago, the code appeared on several peer-to-peer file-sharing networks, as well as underground Internet Relay Chat channels frequented by crackers and less talented script kiddies. Having access to even a portion of the Windows source code is a dream come true for those in the security underground, most of whom have a great deal of time to search for cracks, experts say.

Still, the stolen code, which reportedly amounts to about 15 percent of the source code for each operating system, is more than 10 years old, and researchers have been hammering on both Windows NT 4.0 and 2000 for a while. As such, theres a good chance that most vulnerabilities have been discovered and patched, researchers said.

“I dont think its going to be terribly useful,” said Chris Wysopal, director of research and development at @Stake Inc., a security consultancy based in Cambridge, Mass. “We all need to keep in mind that there are people out there with access to the code, and theyre not the people who publish vulnerabilities. Perhaps good guys should have access to it, too.”

Other researchers arent convinced. They said that having the code in the hands of so many people with malicious motives can lead to the discovery of more flaws.

“I definitely think that this could lead to a horde of new vulnerabilities and exploits being discovered,” said Thor Larholm, senior security researcher at PivX Solutions LLC, based in Newport Beach, Calif. “A lot of the shared code base is still in use in Windows XP and Windows Server 2003. In the short term we will see a lot of public insecurity, but, ironically, this insecurity might very well lead to a hardening of the OS as previously undetected vulnerabilities are weeded out.”