Windows code leak 'not a security threat'

Security experts say Microsoft's embarrassing Windows 2000 source code leak is unlikely to have given hackers more ammunition

Security experts say that Windows users are unlikely to face any increased security risks as a result of a leak of Windows 2000 source code discovered on Thursday, mainly because it is a simple matter for hackers to find Windows vulnerabilities without recourse to the code.

On Thursday, a 203MB file containing some of Microsoft's closely guarded source code was published on the Internet, representing around 1 percent of the code base of Windows 2000, the enterprise operating system on which Windows XP is based.

David Emm, marketing manager at McAfee Avert, the antivirus company's research arm, told ZDNet UK that source code isn't necessary to plan an attack. "This has been amply demonstrated over the last few years," he said. "It is a bit like somebody wanting to break into my house -- they don't necessarily need the floorplans in order to see that there is an open window or a drain pipe to climb."

Maikel Albrecht, product manager at Finnish security company F-Secure, reinforced the point. "We have seen previously that there are a lot of known security holes -- for example in the RPC interface, and that was probably found without the source code," he said.

He acknowledged there is a chance that the leaked code could contain an important part of Windows 2000, which could help attackers to understand the system. "If it is a critical component in the system it could be very dangerous and very useful for a hacker but it could be another part and be totally useless," he said. However, the question is mainly hypothetical, he said. "Theoretically, users are more at risk, but I don't think the change is significant," he said.

Access to source code does not necessarily pose a security threat. The open-source development model is based on this premise: anyone can examine the source code, and holes are patched as soon as they are spotted, whether by someone working on the project or by a member of the public.

Emm noted that access to source code should not pose a security threat to well-written software. "To exploit a vulnerability, there has to be a vulnerability," he said. "If the code is written sufficiently robustly in the first place then clearly you are going to minimise any risk."

The real security issue is not how attackers will make use of the Windows code, but how the code made its way onto the Internet, said Ovum analyst Graham Titterington. "In reality, a partial leak of source code is not of much use to anybody," he said. "The security problem is in how the leak happened."

ZDNet UK's Matthew Broersma contributed to this report.