Jump to content

Microsoft Win2k And Nt4 Sourcecode Leaked?


Recommended Posts

**Update** The source code, which was leaked initially to a P2P network, spread quickly to IRC, and is now heading for all the large warez channels out there. This really is a shame, because the high-security nature of Windows 2000 is likely to be compromised by an open codebase.


At the current time, anybody who has malicious intentions regarding your Windows 2000 computer can merely browse through the source code, find an unpatched hole, and then root you. If you're currently running Windows 2000, switch your machine off. If you can't, put a firewall up.


This is merely precautionary, as we still do not know the authenticity of the code. At the moment, OSFocus is trying to ascertain it through our MS sources, and we will post any updates as and when we get them.


This source code leak is one of the worst things I have ever come across in my experience as a tech/beta journalist and developer. Whoever leaked it should be dealt with in much the same way muderers and child molesters are. 25 years in jail for leaking Windows' source code? Sounds about right to me.


We will not assist you in finding this code, and we will not give it to you. We do not have it, and we do not want you to send it to us. The end.




Rumors abound web-wide that the Win2k and NT4 source code has been leaked and is floating around the internet. If true, it could spell trouble for Redmond and security experts alike. On the heels of a dangerous exploit this week comes a rumor than could prove downright painful. Neowin this afternoon announced that two packages containing Windows 2000 and NT4 source code were making the rounds. Slashdot soon followed up with their own mention of the rumored leak, effectively knocking Neowin off-line with traffic. So far the authenticity or extent of the leak has not been confirmed, though it does appear to be at least a portion of the code.


From the original Neowin report:


"At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them. Microsoft are currently unavailable for comment surrounding this leak so we have no official response from them at the time of writing.


This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bare thinking about.


We ask that for the wider benefit of the IT community that members and readers support Microsoft by forwarding anything they know about the leak to the Microsoft's Anti-Piracy department."


Link to comment
Share on other sites

I had been hearing about this through my friends at SMB Nation.


I have not yet been able to discern what part of the code was leaked, if it was. I also wonder if MS knows what section(s) of the code are supposedly out there in the wild?


This is gonna make my days in the near future MUCH worse lemme tell ya.

Link to comment
Share on other sites

This really is a shame, because the high-security nature of Windows 2000 is likely to be compromised by an open codebase.

"high-security"?... :)


Seriously, why is everyone saying now that windows source code is available on the web, everyone will be hacked, no computer running windows is secure anymore, etc, etc? *BSD and Linux source code have been available since the beginning and it was not a problea - actually, that's what took these OSs so far, as you probably know.


Yes, security holes are found everyday but patches are released right after. MS has a well known history of knowing about security holes in Windows and doing nothing about it for months. Perhaps this time they will be forced to do something right.

Edited by TCH-Raul
Link to comment
Share on other sites

Hope you don't mind if I chime in here. But I have to agree with the guy above me here. I don't want to upset anybody, but did you really say 'high-security nature' of windows... :) I mean, not only secure, but high.

I've been in the security field for over five years now, and there's nothing secure about windows. The main reason would be because the source code isn't available. When source code is available, it tends to get fixed. Maybe this is actually good.

And 25 yrs in jail? woooot Are you kidding me? It's bad enough our government wants to put hackers in prison for life, which is completely over the edge. How about a 2 year suspended sentence and 200 hrs of community service. :) After all, Bill G didn't pay for the software he stole from his friend when he signed with IBM.

Link to comment
Share on other sites



Statement from Microsoft Regarding Illegal Posting of Windows Source Code


Last updated: Feb. 13, 2004, 6:00 p.m. PST


REDMOND, Wash., Updated Feb. 13, 2004 --


On Thursday, February 12, Microsoft became aware that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet. Subsequent investigation has shown this was not the result of any breach of Microsoft’s corporate network or internal security, nor is it related to Microsoft’s Shared Source Initiative or its Government Security Program, which enable our customers, partners and governments to legally access Microsoft source code.


Microsoft is working closely with the U.S. Federal Bureau of Investigation on this matter. Microsoft source code is both copyrighted and protected as a trade secret. As such, it is illegal to post it, make it available to others, download it or use it. Microsoft will take all appropriate legal actions to protect its intellectual property. Questions about the investigation should be referred to the FBI.


Microsoft reaffirms its support for both the Shared Source Initiative and the Government Security Program.


At this time there is no known impact on customers. We continue to be committed to protecting our customers and their networks, and we will take any appropriate steps to ensure that we meet this commitment.

Link to comment
Share on other sites

I tend to agree with HG.

They may have found what they think _could_ be an exploit, and in the rush to be the first, they have run with it and published it as fact.


However, it could be true. They could have focused on one simple area and worked like dogs on it. I know that the malformed code in images was, at one time, a possiblity, but I never saw it actually done right. The image file becomes too big for practical use.

Link to comment
Share on other sites

I wanted to have something else besides the exploit author's own word, before saying something. Now I have:

On Monday, February 16, Microsoft began investigating a reported exploit on versions of Internet Explorer allegedly discovered by an individual studying the leaked source code. This exploit is a known issue that Microsoft had discovered internally and addressed with the latest release of Internet Explorer -- Internet Explorer 6.0 Service Pack 1.


Yes, it's an old bug. But it's a bug nonetheless and it was indeed found. I've read the description of how it was found and it was indeed quite simple for a trained eye to catch it (I won't say I've read the source code, because MS would come after me, so... I didn't read the source code. I just know these things because a little bird told me... :) ;))


Read the statement from Microsoft here:


Edited by TCH-Raul
Link to comment
Share on other sites

I am not sure of this but...

If the leaked code still contained the hole, then it was leaked SOME time ago, right? I thought that the leak occured only in the last few weeks.


If it was old code that was leaked, then the person studying it would have already known about the vulnerability in the code and could have been paying special attention to the code and modules affecting that area.


I don't know... either the code has been out a lot longer than we all think it has, or the code is old and probably has most of the problems plugged already??


Or it could all be a hoax that has been fabbed by Microsoft in cooperation with the FBI to get that nasty anti-trust suit ruling overturned because now that the code is in the wild, it can be considered Open Source, LOL.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...