Microsoft has signed a deal to open its Windows 7 source code up to the Russian intelligence services.
Russian publication Vedomosti reported on Wednesday that Microsoft had also given the Russian Federal Security Service (FSB) access to Microsoft Windows Server 2008 R2, Microsoft Office 2010 and Microsoft SQL Server source code, with hopes of improving Microsoft sales to the Russian state.
The agreement will allow state bodies to study the source code and develop cryptography for the Microsoft products through the Science-Technical Centre 'Atlas', a government body controlled by the Ministry of Communications and Press, according to Vedomosti.
Microsoft Russia president Nikolai Pryanishnikov told Vedomosti that employees of Atlas and the FSB will be able to share conclusions about Microsoft products.
The agreement is an extension to a deal Microsoft struck with the Russian government in 2002 to share source code for Windows XP, Windows 2000 and Windows Server 2000, said Vedomosti.
A senior security source with links to the UK government told ZDNet UK on Wednesday that the 2002 deal was part of Microsoft's Government Security Program. Nato also signed up, said the source. Having a number of different governments with access to Microsoft code meant it was possible that a government could find holes in the code and use them to exploit another nation-state's systems, said the source.
Cambridge University security expert Richard Clayton told ZDNet UK on Thursday that opening up source code leads to a complex security situation. While a view of the code could enable a government to find security holes that the state could use to launch attacks against other nation states, it is possible to find holes in software without having access to the source code, said Clayton.
"If a government has the source code it can find different sorts of security vulnerabilities and perhaps exploit them, [but] it's unclear whether access to the source code makes people better or worse off," said Clayton.
A number of different factors made the situation complicated, said Clayton. Access to the code could allow close analysis, which would enable the discovery of holes such as buffer overflow flaws, but equally it is possible to run a fuzzing program which throws random data at parts of an operating system or software to find different vulnerabilities.
While access to the code can enable pre-emptive patching before an attack, nation states would be able to tell if another government was patching its networks, said Clayton.
"Should you immediately patch the system, in which case people will notice the Russians have patched their systems?" said Clayton. "Or alternatively you could report the vulnerability to Redmond [Microsoft headquarters], or should you use [the hole] to attack your enemies?"
Clayton said that there were tens of thousands of bugs in Microsoft products, in part due to the sheer volume of source code. A government could not hope to patch them all, said Clayton, while an attacker only has to find one hole and exploit it successfully to gain access to systems.
"It's completely asymmetrical," said Clayton.
The Office of Cyber Security, which oversees the UK government cyber-attack and defence capability, had not responded to a request for comment at the time of writing.
A senior Whitehall source told ZDNet that Microsoft's decision to open its source code to various governments had been a commercial decision.
Microsoft said it had opened up code to the FSB as part of its ongoing Government Security Agreement with the Russian state.
"The agreement that we signed with the FSB is an extension of Microsoft’s Government Security Program (GSP)," Microsoft said in a statement on Friday. "The purpose of the GSP is to increase trust with national governments. In the case of the Russian agreement, GSP participation will facilitate the development of the next generation of secured solutions for Russian government agencies based on the latest Microsoft technologies and Russian cryptography."