Microsoft Investigates Leak of Windows Source Code
UPDATED Microsoft is currently investigating a potential severe security breach that has let loose onto the Internet source code for its Windows 2000 operating system. Portions of the code viewed by BetaNews contain a mix of library files, executables, text documents, scripts, and un-compiled code.
In addition, rumors have begun to circulate claiming that the source code to Windows NT4 has also gone astray.
It is currently unknown how much of the source has been compromised, and just how damaging its disclosure will be for Microsoft.
The claimed Windows 2000 source code archive contains 30,915 files totaling approximately 13.5 million lines. The source is dated July 25, 2000, placing it after the official release of the operating system, which was rumored to contain between 35 and 50 million lines of code in its entirety.
Early references to "Whistler" -- the code-name for Windows XP -- can be found in the files, which is consistent with the post-Windows 2000 time frame. An internal alpha version of Whistler leaked in March 2000.
A Microsoft spokesperson told BetaNews that the company was looking into this as a matter of due diligence. "At this time, all we have to say is the rumor regarding
the availability of Windows source code is based the speculation of an
individual who saw a small section of un-identified code and thought it
looked like Windows code," the spokesperson said. "If a small section of Windows source code were to be available, it would be a matter of intellectual property rights rather
than security."
Sources indicates the leak is valid, but incomplete. Comments -- which are added to track changes to source code during development -- refer to specific bugs, Microsoft employees, and even organizational charts. Product code names are abound, with references to Daytona, Cairo, and Memphis, as well as beta timetables. The archive contains graphics files for Windows 2000 and Internet Explorer 5.0 included in resource files, according to sources.
Comments such as, "potentially off-by-1, but who cares..." are buried within code for the Windows Taskbar. Sources tell BetaNews there is no reference that calls Netscape developers "Weenies," as was alleged in court documents. Other comments range from mundane technical jargon to all out profanity.
This is not the first time Microsoft has experienced a code leak. Incomplete source to Microsoft's DOS version 6.22 surfaced years ago, but received little attention due to its obsolescence.
Senior Jupiter Research analyst Joe Wilcox told BetaNews he was surprised by the news. "I find it hard to believe that source code would leak. After all, companies put source code under lock and key, typically with no outside access available. That said, a substantial leak would be devastating for Microsoft."
"A source code leak would present multiple problems for Microsoft," explained Wilcox. "First, the loss of valuable intellectual property worth hundreds of millions in development cost. Second, hackers could look for and exploit new security vulnerabilities. That could create credibility loss for Microsoft, as some businesses question the security of Windows. Finally, Windows NT and 2000 are the foundation of Windows XP."
Eric Steil contributed to this report.