Could stolen Microsoft code lead to more security mishaps?

The theft of Microsoft's code could mean more security breaches, say experts

Computer security experts are concerned that the possible theft of Microsoft source code may lead to widespread security problems with its software, if malicious crackers gain access to key hidden features.

Experts say it is possible that access to the source code could allow crackers to develop new techniques for attacking computer systems using Microsoft software.

"The biggest and best hacks right now are buffer overflows," says Dr Neil Barrett, senior security analyst with security firm IRM. "These are hard if you don't have source code but if you've got access to code it is going to be extremely easy to do."

A buffer overflow lets a malicious user work around the built-in security of a piece of software by sending it more data than it was designed to hold. This may allow them to execute normally restricted commands or give them access to normally hidden data on an operating system.

Antivirus vendors are also concerned that access to source code could give virus-writers the upper hand. "If they did get the source code, chances are that they could make a virus with more stealth capabilities," says Sal Viveros, director of marketing for Network Associates in the UK.

Ironically, Microsoft has often defended its decision not to make source code publicly available on the grounds that this would make it more vulnerable, a policy dubbed "security by obscurity". Others, particularly those behind the increasingly popular open source Linux operating system, argue precisely the opposite. They claim that openness and peer review are key to maintaining the security of a piece of software.

Microsoft says it is examining every file in the compromised area and is also examining the source code of a number of applications including Windows Me, Windows 2000, Outlook, Outlook Express, and Microsoft Office, according to a report in the Wall Street Journal.

Although details surrounding the theft of data from Microsoft remain sketchy, Microsoft's UK director of corporate marketing Shaun Orpen says the company is confident its source code has not been compromised. "You don't leave the intellectual property of a company lying around on a network," he says. "It will have been secured. We feel comfortable with the security in place."

The hackers, however, had access to Microsoft's network for a month. Even if the source code was encrypted, says Barrett, there may have been plenty of opportunity to capture it in plain text in this time.

The hackers are thought to have used a Trojan horse program known as QAZ to capture and send network passwords to an email address in St Petersburg, Russia. Microsoft initially investigated the breach itself but then decided to bring in the FBI.

Statements made by Microsoft directors saying that "of course" all their important data was secure have all the reassuring comfort of statements by John Selwyn Gummer about the hamburger he fed his daughter. Guy Kewney simply doesn't believe the people at Microsoft when they say that no damage was done to their corporate secrets.
