It's not exactly hard to hack without it
Published: 13 February 2004 15:10 GMT
Security experts say Microsoft's embarrassing Windows 2000 source-code leak is unlikely to have given hackers more ammunition
Security experts say that Windows users are unlikely to face any increased security risks as a result of a leak of Windows 2000 source code discovered on Thursday, mainly because it is a simple matter for hackers to find Windows vulnerabilities without recourse to the code.
On Thursday, a 203MB file containing some of Microsoft's closely guarded source code was published on the Internet, representing about 1 per cent of the code base of Windows 2000, the enterprise operating system on which Windows XP is based.
David Emm, marketing manager at McAfee Avert, the antivirus company's research arm, told ZDNet UK that source code isn't necessary to plan an attack. "This has been amply demonstrated over the last few years," he said. "It is a bit like somebody wanting to break into my house -- they don't necessarily need the floorplans to in order to see that there is an open window or a drain pipe to climb."
Maikel Albrecht, product manager at Finnish security company F-Secure, reinforced the point. "We have seen previously that there are a lot of known security holes -- for example in the RPC interface, and that was probably found without the source code," he said.
He acknowledged there is a chance that the leaked code could contain an important part of Windows 2000, which could help attackers to understand the system. "If it is a critical component in the system it could be very dangerous and very useful for a hacker but it could be another part and be totally useless," he said. However, the question is mainly hypothetical, he said. "Theoretically, users are more at risk, but I don't think the change is significant," he said.
Access to source code does not necessarily pose a security threat. The open-source development model is based on this premise: anyone can examine the source code, and holes are patched as soon as they are spotted, whether by someone working on the project or by a member of the public.
Emm noted that access to source code should not pose a security threat to well-written software. "To exploit a vulnerability, there has to be a vulnerability," he said. "If the code is written sufficiently robustly in the first place, then clearly you are going to minimise any risk."
The real security issue is not how attackers will make use of the Windows code, but in how the code made its way onto the Internet, said Ovum analyst Graham Titterington. "In reality, a partial leak of source code is not of much use to anybody," he said. "The security problem is in how the leak happened."
ZDNet UK's Matthew Broersma contributed to this report.
IT Support Team Leader - 1st Line Support, Windows XP, Novell NetWare, MS Office 2003/2007University College Birmingham is seeking to recruit an ...
You must have previous experience in a dedicated vulnerability management function where you have been responsible for all potential attacks on a ...
Desktop Support Analyst (MS Office 2003, Windows XP, Active Directory)Desktop Support Analyst (MS Office 2003, Windows XP, Active Directory) required ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Nick Heath Your top HR tech priorities for next year revealed How to make human resources IT work for you
Bob Tarzey Why you must rein in your power users When they do damage, it can be catastrophic to your business