Windows Leak: Security Problems of Open Source, Without the Benefits

Security experts say this week's leak of partial source code for Windows 2000 and Windows NT probably won't mean a huge change in the security of Windows machines. The leaked code - about 15 million lines of the Win2K operating system's 35 million lines of code - isn't substantial enough for pirates to create wholesale copies, but may provide additional ammunition for hackers and virus writers.

"The leak will do some damage to the security of Windows machines, but it's not clear how much," said Ed Felten of Princeton University, a security researcher who has reviewed Windows source code and was an expert witness in the antitrust case against Microsoft. "There's a longstanding debate about the security implications of open source development. Source code access makes it easier to find security bugs. With open source, you make it easier for honest outsiders to find bugs, which is good, but you also make it easier for malicious outsiders to find bugs, which is bad.

"This kind of leak gives us the worst of both worlds: honest outsiders will avoid looking at the stolen code, while malicious outsiders use the code; so you get the security drawbacks of open source without the security benefits," Felten added. "This will only matter, though, if the bad guys would otherwise have trouble finding bugs, which may not be the case."

"It makes the sources potentially more available to crackers, and that has security issues - but I don't think that is anything really new," Linux founder Linus Torvalds told ChannelWeb. "At most, it just makes it easier for a bored teenager to find the thing. It may make some people realize that the protection of proprietary shrouded source code really isn't a protection at all. It's just a guarantee that the code doesn't get any good outside code review."

The code leak comes as Microsoft is under fire from leading security companies for tardiness in fixing existing Windows security vulnerabilities. The company took more than six months to release a patch for a buffer overflow affecting applications that use ASN.1 to exchange information with Windows - including security-related apps using SSL certificates and Kerberos encryption.

If the source code leak exposes new security weaknesses, it could again test the relations between Microsoft and the security research community. In recent years Microsoft has gained improved cooperation in keeping security holes under wraps until a patch is available. If security professionals believe Microsoft is unwilling or unable to respond promptly to reported vulnerabilities, they're more likely to publish information about exploits, a scenario played out in December when a spoofing bug in Internet Explorer was published. It took Microsoft six weeks to publish a fix, leaving IE users more susceptible to bank card phishing scams in the interim.

Conceivably, with some source now publicly available, security researchers and other interested third parties may start creating and distributing their own patches. That would in turn pose a hard question for users: are they more at risk installing a third-party patch, or waiting, unpatched, for the official fix?