Channel Worried About Security After Windows Source-Code Leak

"As a partner, we are concerned if Microsoft's corporate intellectual property has been leaked to the Internet and gets into the wrong hands," said Ken Winell, president of Econium, a solution provider in Totowa, N.J. "A talented hacker with source code can wreak havoc and will cost our enterprise clients, consumers and businesses time, effort and money to combat it."

Though Microsoft partners acknowledge the potential security breaches and threat to the vendor's coveted intellectual property, most are taking a wait-and-see attitude until they know the nature of the bits that were released.

Microsoft issued a terse statement acknowledging the situation, but the Redmond, Wash.-based software giant would not disclose which portions of the NT and Windows 2000 code were leaked. Most Windows servers today run NT or Windows 2000.

"Microsoft became aware that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet. It's illegal for third parties to post Microsoft source code, and we take such activity very seriously," Microsoft said in the statement, which indicated that the company is investigating the postings and working with law enforcement authorities. "At this point, it does not appear that this is the result of any breach of Microsoft's corporate network or internal security. At this time, there is no known impact on customers. We will continue to monitor the situation."

Microsoft declined to respond to repeated calls Friday morning for further information on the code leaked. One key systems integration partner said that while it's too early to assess the damage of the leak, the situation is no minor problem.

"It depends. Microsoft has always made most of the source code available to some academic users and some systems integrators and clients via the Windows Source, and this includes the security APIs and some critical kernel code," said John Parkinson, chief technologist for the North American Region at Cap Gemini Ernst and Young. "It's always possible that the code that was released covers areas that have undiscovered vulnerabilities, but it's often as hard to find things in source code as it is in binary code. There is a lot of source code in Windows--I wouldn't panic yet."

Frank Cullen, principal at Blackstone and Cullen, an Atlanta-based Microsoft partner, said there's not enough information to decide whether there's a problem. "They mention that it's incomplete code, but they're not telling me what's out there," Cullen said. "On the plus side, it's good that this is known and that it's in the open. If this were not known, people could be up there working with it.

"Microsoft has a good understanding of what the implications are and, by now, I think they'd know if there's a potential hacker benefit to the publication of code and are already responding, making sure things are tightened up," he added.

One intellectual property attorney said the leak could potentially be exploited by hackers as well as by Microsoft's open-source and ISV competitors.

"The legal implications can be put simply. Microsoft has not lost any copyright protection, which is its principal legal bastion. It has, however, lost its trade-secret rights over the code that has been released. Trade secrets matter," said Tom Carey, an intellectual property attorney and partner at Bromberg and Sunstein, Boston. "One possible implication for the software industry is that--to the extent that Microsoft has a built-in advantage in writing apps for Windows because it knows how Windows really works--it may be possible for other vendors to have some of that same knowledge and write apps that are more stable and faster.

"It is also possible that the Linux community could use the knowledge gleaned from the OS code to develop a form of Linux that could run Windows apps," Carey said.

Industry observers and Microsoft partners said they're confident that Microsoft has protected its intellectual property rights pretty well, and any attempt by a competitor to co-opt Windows in their own code won't fly.

"The code is still covered by copyright, and any programmer should probably avoid looking at it to avoid SCO-style legal implications," said Paul DeGroot, a principal analyst at Directions on Microsoft, a newsletter in Kirkland, Wash. "If you look at it, and similar code turns up in your own work or even is already in your own work, you could have problems if Microsoft believes you have stolen its code. Proving that you didn't see something can be difficult. My understanding is that Microsoft tells its own programmers that they may not view Linux source code, for example."

Econium's Winell said he hopes those that posted the code are identified and prosecuted. "Unlike Linux desktops, which is like the wild, wild West and not controlled and enhanced all the time, Windows users have come to take a quality-controlled operating system for granted and not have to worry about a bad release," Winell said. "We hope that Microsoft can swiftly identify how the code got released, prosecute the perpetrator and build a barrier/security patch to protect against intrusions."

Cullen said Microsoft attorneys are well-armed to handle the issues. "Microsoft has shown it will do whatever it takes to protect its IP rights in the source code, and that's reassuring," he said. "They've done due diligence here, and they know they have to defend their IP or lose it."

Programmers on Slashdot.org, a news Web site on the Sourceforge.net open-source development site, posted messages urging open-source developers to help in the cleanup process to reduce the possibility of security outbreaks for all customers.

Directions on Microsoft's DeGroot said he's confident that the leak won't push Microsoft to pull the plug on its own Shared Source Initiative.

"It does illustrate one of the risks that Microsoft is taking by expanding source-code access to more and more customers. However, that program is pretty beneficial to large customers and big systems integrators. So I doubt Microsoft will pull it back," DeGroot said. "It's possible that they will take some measures to tighten security on the code or that they can trace a release of source code to a specific organization."

Although some question whether the suspects will be caught, one partner, who asked not to be named, said Microsoft will hunt down the person responsible the same way that the Recording Industry of America made examples of music downloaders. "They have to make an example of someone," he said.

BARBARA DARROW contributed to this story.