, The Associated Press 2004-02-12
Microsoft Corp. says incomplete portions of the source code for some versions of its Windows computer operating system were leaked over the Internet, but analysts caution it's too early to say how much damage the leak may cause.Microsoft spokesman Tom Pilla said Thursday that some pieces of source code -- the tightly guarded blueprint of its dominant computer operating system -- for its Windows 2000 and Windows NT4.0 operating systems had been "illegally made available on the Internet."
Access to the source code could allow hackers to exploit the operating system and attack machines running some versions of Windows. Several versions of the operating system, including the ones containing leaked code, are used on hundreds of millions of computers worldwide.
Such access could also provide a competitive edge to Microsoft rivals, who would gain a much better understanding of the inner workings of Microsoft's technology.
The company was made aware of the leak Thursday and was investigating, Pilla said. He did not know how much of the code had been leaked, when the leak occurred or how many people might have gained access to it. The company could not immediately pinpoint the source of the leak, and has contacted law enforcement authorities, he said.
Pilla said there was no indication the leak was a result of a breach of Microsoft's corporate network. There was no known immediate impact on Microsoft customers, he said.
Microsoft has previously shared some of its source code with some companies, U.S. government agencies, foreign governments and universities under tight restrictions that prevent such organizations from making it publicly available. But the company has generally argued that the blueprint to its operating system is proprietary, and shouldn't be made public.
Still, because some people outside Microsoft have had access to the code, analysts said it wasn't too surprising for such a leak to occur at some point.
"I don't understand why it hasn't happened sooner, because there are so many (organizations) out there that have access to the source code," said Marc Maiffret of eEye Digital Security Inc. of Aliso Viejo, Calif.
But analysts and security experts cautioned that it was hard to assess any potential damage the leak could cause, since so few details were available.
"Frankly, I'm not sure anybody can fully assess that, other than Microsoft," said Al Gillen, research director for systems software at research group IDC.
The leak could potentially put more Windows users at risk because it opens the door to more people finding vulnerabilities in Microsoft's code -- and using them in malicious ways, Maiffret said. That could, in turn, wreak havoc on Microsoft's ability to respond with fixes in a controlled manner.
But, he cautioned, it was too early to say whether such a major threat existed.
Some experts said it seemed more likely the leak could be most valuable to Microsoft rivals.
"What people could learn from it has the potential to make other organizations that are building competing products ... make products that can compete with (Microsoft) more effectively," Gillen said.
But others noted that the greatest damage may be to Microsoft's reputation.
"It seems unlikely this is going to create a material, significant security problem," said Rob Enderle, a technology expert and principal analyst with the Enderle Group. "It's more embarrassing than anything else because it makes it look like Microsoft can't control its code."