Does Microsoft's sharing of source code with China and Russia pose a security risk?


Summary: Part of Microsoft's Government Security Program (GSP), the company has offered the Russian Federal Security Service (FSB) a peek inside the source code of Microsoft products. Could GSP's main benefit of "providing insight and a deeper understanding of Microsoft products", turn into a gold mine for discovering security flaws?


Oops, Microsoft did it again.

Part of the company's Government Security Program (GSP), Microsoft has offered the Russian Federal Security Service (FSB) a peek inside the source code of Microsoft Windows Server 2008 R2, Microsoft Office 2010 and Microsoft SQL Server.

This is the second time that the company has (publicly) shared source code with the FSB, following a similar deal in 2002 that involved source code for Windows XP, Windows 2000 and Windows Server 2000. Microsoft has done similar deals with China in 2003 and, most recently, in 2010.

However, in the light of the silently ongoing cyber warfare arms race, GSP's main benefit of "providing insight and a deeper understanding of Microsoft products" may easily turn into a gold mine for discovering security flaws, or at least offer important pieces of the puzzle.

For starters, the program's restriction that "governments may read and reference the source code but may not modify it" is flawed, because it implies that merely looking at the code gives you no way to influence it, and hence no way to modify it indirectly for offensive purposes. From powerful DIY source code analysis tools to the managed services offered by various companies, it wouldn't be hard for a government to run such an analysis and take advantage of any source code it has access to.

Moreover, in the context of Linus's Law ("Given enough eyeballs, all bugs are shallow") and taking the geopolitical factors on an international scale into consideration: if Russia or China manage to find a security flaw through the source code access Microsoft offers them for national security reasons, there is little to zero chance that they will go public with it, since the competitive advantage from a cyber warfare/cyber espionage perspective is indisputable.

Cambridge University's Richard Clayton seems to agree:

"If a government has the source code it can find different sorts of security vulnerabilities and perhaps exploit them, [but] it's unclear whether access to the source code makes people better or worse off," said Clayton. A number of different factors made the situation complicated, said Clayton. Access to the code could allow close analysis, which would enable the discovery of holes such as buffer overflow flaws, but equally it is possible to run a fuzzing program which throws random data at parts of an operating system or software to find different vulnerabilities.

Although the sharing of source code doesn't automatically result in zero-day flaws, it may offer crucial pieces of the puzzle that a particular country has already started building on its way to finding security flaws within Microsoft's OS/products, for defensive and, naturally, offensive purposes.

From a business perspective, nothing's more precious than a government contract. But in order for that government contract to ever see the light of day, a company sometimes loses sight of the big geopolitical picture, citing commercial gains or plain and simple market segment growth strategies.

Microsoft, don't just offer a peek at your source code; demand and legally oblige those who have access to it for national security reasons to share back data on important bugs and potential security flaws. How would Microsoft measure the effectiveness of such a bilateral contract? It can legally reserve the right to exclude countries which were purposely offered insecure source code and decided not to report it.

Is Microsoft forgetting the basics of geopolitics, namely that "Nations have no permanent friends and no permanent enemies. Only permanent interests."? Are the risks posed by sharing source code with deep-pocketed cyber warfare players worth the emphasis on market penetration from a commercial perspective?

Should Microsoft finally switch from being the giver, to being the receiver as well?

What do you think? Talkback.

Topics: China, Microsoft, Security, Windows

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

51 comments
  • I have just two words for you: Back Door

    nt
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • Back doors

      @Dietrich T. Schmitz, Your Linux Advocate

      Can be programmed into any OS. Even ones that are free to modify, such as Linux. We saw that a few weeks ago via an Ed Bott post.
      The one and only, Cylon Centurion
      • Someone should remind you that...

        @NStalnecker

        The Ed Bott piece you mention should have been titled: "Ed Bott shoots himself in the foot"

        Because that's what it was. That piece exposed Ed Bott as not understanding the difference between a software mirror and a software repository.

        That failure to grasp basic concepts of IT is all too funny coming from a guy who presents himself as an expert with decades of experience in the field. It does speak volumes about the technical aptitude of your average MS guru.

        Anyway, we all must thank Ed for his shoot-in-the-foot stunt, it was priceless.
        OS Reload
      • RE: Does Microsoft's sharing of source code with China and Russia pose a security risk?

        @NStalnecker
        Nicholas young lad, you set yourself up on that one.
        Sorry, I can't help you out as I agree with everything written by OS Reload.
        Ed Bott really shines when it comes to Linux (NOT).

        Too funny.
        Hey Nicholas now that Ballmer is pushing the cloud has your viewpoint changed?
        Dietrich T. Schmitz, ~ Your Linux Advocate
      • RE: Does Microsoft's sharing of source code with China and Russia pose a security risk?

        @OS Reload

        Repositories and mirrors matter in the fact that anyone will download something they see and like no matter what the source. Either way, it still proved Linux is vulnerable just as is Windows, iOS, Mac, etc...
        The one and only, Cylon Centurion
      • Oh Nicholas, you learn nothing

        @NStalnecker

        A trusted repository is not a simple mirror. This is such a basic concept and yet, just like Ed Bott, you miserably fail to grasp it.

        As I said above, it speaks volumes about the skills MS is teaching you (or NOT teaching to be correct.)
        OS Reload
      • RE: Does Microsoft's sharing of source code with China and Russia pose a security risk?

        @OS Reload

        I never said they were the same thing.
        The one and only, Cylon Centurion
      • RE: Back doors

        @NStalnecker

        Aside from the differences between a software repository and a mirror, it should also be noted that repositories added to mainstream package management systems use PGP signing and authentication to validate software that is updated, installed, and what have you. http://uppix.net/3/d/4/ee01c3025da368639c166ddf83dbe.png

        "...anyone will download something they see and like no matter what the source..."

        True, but since the sources are available the public is empowered to find these problems in the source and report them; if one person had proof that there was a back door in the Linux kernel, the problem would be resolved using all of the man power of the dev's. Same goes for the darwin/mac os kernel. On the other hand If you had proof that the Win kernel had a back door, you can email MS all you want but they as a company put it there for a reason.
        jkltechinc
      • Nicholas, yes you did

        @NStalnecker you said the following...

        "I never said they were the same thing."

        Yes, you said it in the same sentence. You earlier said...

        "Repositories and mirrors matter in the fact that anyone will download something they see and like no matter what the source."

        Which amounts to equating them both as being the same thing.

        You (and Ed Bott) know nothing about repositories and the way they work. A centralized package repository is too alien a concept for the likes of you.
        ahh so
    • RE: Does Microsoft's sharing of source code with China and Russia pose a security risk?

      @Dietrich T. Schmitz, Your Linux Advocate

      Does this article really matter? The US government has been doing crap like this for years. Why does it matter what MS does with their own intellectual property?
      MLHACK
      • RE: Does Microsoft's sharing of source code with China and Russia pose a security risk?

        @MLHACK
        Does it matter? You bet it does.
        Don't be naive.

        Hats off to the Zero-Day Folks for putting out this blog to raise awareness on the issue.
        Dietrich T. Schmitz, ~ Your Linux Advocate
  • No, sharing of Microsoft source code does not pose a security risk

    I always carry with me a bootable Linux pendrive and I refuse to do anything risky in an OS other than Linux, so I see that form of code sharing as not a security risk.

    On the other hand, anyone using MS Windows should be very fearful of this. The risks are obviously multiple and potentially very serious. I even see serious national security risks in it (remember, the nastiest crimeware artists are based in Russia and China and we wouldn't want them having privileged access to classified information about Windows.)
    OS Reload
  • RE: Does Microsoft's sharing of source code with China and Russia pose a security risk?

    No risk at all. This isn't the first time Microsoft has shared code and they probably have all kinds of restrictions in place on what they are allowing other governments to see. They shared the source with universities and no one was in a tizzy about that. I wouldn't be surprised if they don't show the core of Windows for business reasons. Just a scare mongering article. No one is at any risk.
    Loverock Davidson
    • I know I'm not at risk but you can't say the same

      Only God knows how many back doors are there in your vulnerable windows installation.

      This worrisome news only add to the distress all conscious users of vulnerable windows systems must be feeling right now.
      OS Reload
      • Absolutely none

        @OS Reload

        Why do you think there are? Windows has changed since XP, you should try it out sometime as to avoid making such snide comments again.
        The one and only, Cylon Centurion
      • RE: Does Microsoft's sharing of source code with China and Russia pose a security risk?

        @OS Reload
        "Only God knows how many back doors are there in your vulnerable windows installation."

        I'll make it easy for you, none. Now go back to reading slashdot where you and the rest of them can work on more conspiracies.
        Loverock Davidson
      • RE: Does Microsoft's sharing of source code with China and Russia pose a security risk?

        @OS Reload
        What's god got to do with this?
        This discussion was actually mildly amusing until you decided to lace your diatribe with religion. Stick to the subject of the article.
        Oh, and go ahead and flag my post if you want; we atheists are used to being discriminated against.
        jedikitty@...
    • RE: Does Microsoft's sharing of source code with China and Russia pose a security risk?

      @Loverock Davidson

      Microsoft acting as a good corporate citizen? MS "doing the right thing"?

      Insert gales of incredulous laughter here.

      Microsoft being wittingly used by the US gov't as part of our cyberwar response against the Chinese? Maybe, and the irony would be delicious: the tacit admission that their stuff is so toxic we WANT our enemies to use it.

      But it's much more likely just the same old stupid rapacious MS.

      And as to there being no back doors in MS OSes anymore: yeah, right. And just like he said, BushII wasn't tapping your phones w/o warrants, the fact that almost all MS bugs expose your data to unauthorized persons is a "mistake", there were WMDs in Iraq (which nation was in bed with al Qa'ida), and the Easter Bunny will bring you candy.

      Do you really believe everything you're told? Remind me never to work with you: it's dangerous to be anywhere near you.
      SzechwanVanilla
      • RE: Does Microsoft's sharing of source code with China and Russia pose a security risk?

        @SzechwanVanilla
        You wrote a couple of paragraphs and said absolutely nothing. Microsoft has shared source code before and it's worked out pretty well for the universities and researchers who used that code. It's not like they are giving the core Windows secrets out. You need to get a grip and put more faith in Microsoft Windows.

        "Remind me never to work with you:"
        Don't flatter yourself. It's a privilege to work with me. I decide who I want to work with.
        Loverock Davidson
      • Don't waste your time...

        Replying to LoveRock. Microsoft could try and sell rocks and he'd be there claiming that they invented them, and they're far better than Linux anyway.
        zkiwi