By Brian Krebs washingtonpost.com Staff Writer
Friday, February 13, 2004; 8:43 PM
Source code for two versions of the Microsoft Windows operating system that leaked onto the Internet may expose weaknesses in other versions of the software, broadening the scope of damage that hackers could inflict, several computer experts said.
The leaked code comes from Windows 2000 and NT -- versions intended for corporate users -- but researchers said much of the compromised code shows up in newer versions such as Windows XP and Windows Server 2003, making them possible targets for online criminals looking to steal sensitive information from individual computer users.
The real implications of the source code leak, which Microsoft Corp. announced on Thursday, remain unclear. Other computer researchers downplayed its seriousness, saying that it would amount to little more than the latest computer security public relations gaffe for Microsoft Corp.
Valdis Kletnieks, a computer engineer at Virginia Tech's computing center, said that about 75 percent of the vulnerabilities that Microsoft has released patches for during the past year affect all of Microsoft's most recent operating systems, from NT through Windows Server 2003.
"That tells me that about 75 percent of the old code base is still being dragged through to newer versions of the operating system," Kletnieks said.
Mark Rasch, chief security counsel for Omaha, Neb.-based security company Solutionary Inc., said one reason that Microsoft has not completely reworked the code is that new versions of the operating system must be compatible with older systems.
"One of the ways it does that is by recycling code," said Rasch, a former investigator in the U.S. Justice Department's computer crime and intellectual property division. "So it's a safe bet that major chunks of what's been leaked are contained in the newest versions of Windows as well."
Bruce Schneier, founder and chief technology officer for Counterpane Internet Security, predicted the biggest fallout from the incident would be embarrassment for Microsoft.
"I bet if you were to go forward six months from now and look back, you'd see the rate of Microsoft vulnerabilities discovered is about the same as usual," Schneier said.
One reason for this, some experts said, is that hackers had so much time to locate security flaws in Windows NT and 2000 that most of them have been found and fixed.