Experts: Microsoft Code Leak Poses No Major Security Threat

On Friday morning, BetaNews.com reported that the source of the leaked code--a small subset of the overall Windows code--had been traced back to Mainsoft, a Microsoft partner that entered a source code licensing agreement with Microsoft in 1994.

The San Jose, Calif., company develops tools for porting Windows applications to Unix and has ported the software giant's Internet Explorer and Windows Media Player to non-Windows platforms.

Observers in both the Windows and open source communities claim the leaked code won't give hackers significantly new avenues to exploit, but it could pose a long-term IP problem for the software giant and potentially for Mainsoft.

Mainsoft did not respond to phone calls on Friday. The company issued a statement indicating they were working with Microsoft on the issue, but they did not acknowledge accountability. Microsoft declined to respond to repeated press calls on Friday.


"Mainsoft takes Microsoft's and all our customers' security matters seriously, and we recognize the gravity of the situation," according to a statement posted to the Mainsoft web site signed by Mike Gullard, chairman of Mainsoft. "We will cooperate fully with Microsoft and all authorities in their investigation."

Microsoft observers and those in the open source community now believe that the potential for a security nightmare is as limited as the amount of code that hit the Net, but the damage to the world's most lucrative software company is not immaterial.

"From what we've heard, it was only a portion of the source code, not enough to create a build of Windows. I don't think it has any major implications in terms of security," said Matt Rosoff, an analyst at Directions on Microsoft, Kirkland, Wash. "It's fairly difficult for most people even to understand source code. A lot of it is cryptic, old code carried forward, written in ways that only other programmers on the project could understand."

But the damage to Microsoft's IP could be big, he noted. "There is a copyright implication," Rosoff said. "If an ISV or open-source developer looks at the source code, then creates a product that has some sort of similarity to Windows, Microsoft might be able to sue them for copyright infringement. The developer might have to prove that they came up with the feature on their own, that they never looked at the Windows source code, and so on. I think this is an extremely outside possibility, but it's one reason why Microsoft doesn't allow its own developers to look at source code that's protected under the GPL: They don't want that GPL-protected code finding its way into a proprietary product."

Linus Torvalds, the developer of the Linux kernel, said the leak itself won't expose the world to a massive onslaught of viruses, but it brings to light a vulnerability of the proprietary software development model itself.

"It makes the sources potentially more available to crackers, and that has security issues--but I don't think that is anything really new. At most, it just makes it easier for a bored teenager to find the thing," Torvalds wrote in an e-mail to CRN. "It may make some people realize that the protection of proprietary shrouded source code really isn't a protection at all. It's just a guarantee that the code doesn't get any good outside code review."

"The leak is not a security issue but an IP issue," said Bruce Perens, executive director of the Linux Desktop Consortium, who sat on a panel Friday afternoon with Microsoft's top shared source executive, Jason Matusow. "Microsoft does not believe in security by obscurity. They're on the same side as the open source [community]. We don't believe visibility of source code compromises security."

"It's embarrassing and Microsoft is taking action, but this is their IP and it was not supposed to be handled that way, and they could sue someone for breach of contract," Perens said.