Source Code Leak Prompts Vulnerabilities, Warning from Microsoft

   Hackers and security researchers who downloaded the Windows 2000 source code over the weekend have already found a security vulnerability to exploit, although the vulnerability affects only the out-of-date Microsoft Internet Explorer (IE) version that shipped with the original Win2K. The vulnerability, which affects IE 5.01, lets attackers compromise users' PCs when they access a malicious Web site. On one hand, Microsoft says that not only does the vulnerability affect only a single, older version of IE, but the company found and fixed the vulnerability during its Trustworthy Computing code review 2 years ago. On the other hand, about 10 percent of Web browser users--more people than use Mozilla, Netscape, Opera, and Apple Computer's Safari combined--still use IE 5.01.
   "\[The vulnerability\] doesn't affect IE 6," Mike Reavey, a Microsoft security program manager, said. "It does look like it was one of the things that was found during the code review." Microsoft is cautioning users to upgrade to the most recent IE version--IE 6 with Service Pack 1 (SP1)--to ensure the safest possible Web experience. But the near-instantaneous release of a vulnerability based on the Windows source-code leak makes me wonder how many other vulnerabilities will be found in the coming days. And, unlike the IE vulnerability, some of those vulnerabilities might also affect the most current versions of Windows, including Windows Server 2003 and Windows XP, which are based on Win2K. "We take this seriously," a Microsoft spokesperson said Friday. "It's illegal for third parties to post or make our source code available. From that standpoint we've taken appropriate legal action to protect our intellectual property."
   Microsoft has also taken the interesting step of warning users to keep their hands off the stolen source code. On Monday, the company issued legal warnings to people who had downloaded or distributed the code. "The unauthorized copying and distribution of Microsoft's protected source code is a violation of both civil and criminal copyright and trade secret laws," the warning said. "If you have downloaded and are making the source code available for downloading by others, you are violating Microsoft's rights, and could be subject to severe civil and criminal penalties." Microsoft then demanded that downloaders destroy their copies of the source code and tell Microsoft where they got it.