UGN Security
Posted By: Ice Microsoft cracks down on source code traders - 02/20/04 12:58 AM
Microsoft has sent several letters to people known to have posted Windows source code on the Internet, warning them to stop offering the files and erase any copies.

The letters explain to the individuals that downloading or using the source code is a violation of the law. Part of reason for taking the tack is to educate people who may be curious about the operating system source code that the files are proprietary and valuable, Microsoft spokesman Tom Pilla said Wednesday.

"I'm sure that there are many people that don't know that it is illegal to share our source code," he said, adding that the letters are just the logical next step in Microsoft's stated goals of protecting its trade secrets. "We have said from the beginning that we would take all appropriate action with regards to our intellectual property."

Last week, Microsoft acknowledged that two 200MB files containing compressed partial copies of the company's Windows 2000 and Windows NT4 source code had been leaked to the Internet. Some evidence seems to point to Microsoft partner Mainsoft, a developer of Unix tools for Windows, as the source of the leaked code.

Microsoft is now attempting to put the genie back in the bottle. In addition to the warning letters, the software giant has posted alerts on several peer-to-peer file-sharing networks where it believes that illegal sharing of the source code has taken place. Those warnings will appear when a user searches the network using certain keywords related to the source code, Pilla said.

In a statement posted to its Web site, Microsoft stressed that the source code files are both copyrighted and protected as a trade secret.

"As such, it is illegal to post it, make it available to others, download it or use it," the company said in a statement. "Microsoft will take all appropriate legal actions to protect its intellectual property. These actions include communicating both directly and indirectly with those who possess or seek to possess, post, download or share the illegally disclosed source code."

The company's position could deter independent security consultants and hackers from analyzing the code for vulnerabilities. Many security researchers have expressed concerns that the leaked code would prove to be a good tool for hackers who try to find vulnerabilities in Windows code. However, the source code is more than two years old and doesn't appear to include server or network services, which could have been analyzed for vulnerabilities that would lay systems open to remote attack.

"The whole thing is more of an embarrassment for Microsoft," said Marc Maiffret, chief hacking officer for software firm eEye Digital Security.

At least one vulnerability has been found by analyzing the source code. After a security researcher found a flaw in Internet Explorer 5, Microsoft urged customers to upgrade to the latest version of the browser, Internet Explorer 6 Service Pack 1.

Maiffret said he didn't believe that Microsoft's pursuit of copies of the source code would stop the trading.

"It seems like a pretty wasted endeavor," he said. "People are still going to use the code."

Microsoft wouldn't comment on whether the company would go as far as suing security researchers who found vulnerabilities by analyzing the source code.

"Our message is that we appreciate the sentiment of those that are well intentioned, but it doesn't change the fact that...no one should use it for any purpose," Pilla said.

CNet News
© UGN Security Forum