By John P. Mello Jr. TechNewsWorld Part of the ECT News Network
02/17/04 7:40 AM PT
Within 24 hours of the source-code leak, it had been traced to Seattle-based Mainsoft, one of more than half a million developers with access to some Windows source code.
The first vulnerability stemming from the Windows source code apparently leaked last week by one of Microsoft's (Nasdaq: MSFT) developers has been posted on the Internet.
"It appears that it could be used to attack ordinary users, but according to the person posting it, it does not affect newer versions of Internet Explorer," said Stuart Moore, CEO of SecurityTracker, which posted the vulnerability at its Web site after receiving it via e-mail.
Moore explained to TechNewsWorld that the vulnerability could be triggered by a modified bitmap file. To the user, the file would look like an ordinary picture, but the instant it appeared on the user's screen, it would begin its mischief.
Hijacks Computers
Moore said he believes the vulnerability could be used to execute arbitrary code on a user's computer, although he could not confirm this suspicion. "That's pretty serious," he said.
"If I can get you to view that bitmap, then I can run whatever code I want on your computer, and then I own your computer," he said.
Attempts by TechNewsWorld to reach the identifier of the vulnerability via e-mail were to no avail.
Internet Explorer 5 Affected
"Microsoft is investigating a newly reported exploit of Internet Explorer that may potentially impact customers using IE versions 5.0, 5.01, 5.5 and 6.0," a Microsoft spokesperson, who asked not to be identified by name, told TechNewsWorld.
She explained that the newly reported vulnerability was previously identified and addressed in IE 6 Service Pack 1, which shipped on August 30, 2002.
Microsoft continues to recommend that customers stay up to date with the latest security updates and service packs. Customers running Windows 98, Windows Millennium, Windows NT4, Windows 2000 and Windows XP or later are encouraged to upgrade to the latest version of IE with all updates at windowsupdate.microsoft.com.
Customers running Windows XP Service Pack 1 or Windows Server 2003 who have installed all of the latest updates are not impacted, and Microsoft downplayed the overall risk posed by the code leak to users.
"Microsoft and many security specialists agree that given the sophisticated techniques and tools in use by security researchers and malicious attackers today, this partial code exposure provides attackers limited incremental ability to find new or unknown security issues," the spokesperson said.
Customers Protected
"Microsoft is reviewing the leaked source code material to identify areas that could be exploited, and will take appropriate steps to protect customers," she added.
Russ Cooper, surgeon general at TruSecure, a provider of risk-management products headquartered in Herndon, Virginia, agreed that only minimal monkey business could be wrung from the code leak.
"I don't think it's a threat to the security of the operating system," he told TechNewsWorld. "There's been three service packs released since each of these versions were issued, and I would suspect that the majority of problems that someone would find easily have probably already been fixed."
Leak Traced to Developer
"I'd be very surprised if someone quickly found something that already hadn't been corrected," Cooper added. The leak of the source code for Windows 2000 and Windows NT 4.0 operating systems was reported last Thursday when it was illegally posted on the Internet.
Within 24 hours, the leak had been traced to Seattle-based Mainsoft, one of more than half a million developers with access to some Windows source code.
"I've known about source-code availability for 10-plus years, and this is the first time that I've heard in that period of time that the source code ever got out from where it was supposed to be," Cooper observed.
Grave Situation
When contacted by TechNewsWorld about the leak, Mainsoft spokesperson Daphne Page said the company would not comment on the situation beyond a statement it issued last week. That statement said:
"Mainsoft has been a Microsoft partner since 1994, when we first entered a source code licensing agreement with Microsoft. Mainsoft takes Microsoft's and all our customers' security matters seriously, and we recognize the gravity of the situation. We will cooperate fully with Microsoft and all authorities in their investigation."
Asked about the chances that the culprits in the case will be caught, TruSecure's Cooper replied: "If someone broke into Mainsoft's computers and did it that way, then I would think, hopefully, that there's a good chance of them getting caught."
If it was a disgruntled employee who took a copy home and has only now released it, Cooper added, it may not be so easy to catch the thief.