Microsoft to Review Old Windows Code After Source Leak
In an effort to keep its customers secure following the recent Windows source code leaks, Microsoft has turned to the lessons it learned while taking a two month hiatus in early 2002 to clean house and eliminate insecure code from Windows.
While Redmond's Trustworthy Computing initiative -- which sparked the code review -- marked a watershed event in Microsoft's history, the underlying bits of Windows that leaked onto the Web late last week predate this effort, and underwent review by way of the more porous quality control measures that were in practice at the time.
Microsoft engineers are busy making the most of knowledge gained by that experience, and are performing a security audit on the wayward Windows source code materials using today's security processes.
"This code did go through the quality control process of its day before its release, which was a number of years ago. Since then, there have been numerous improvements in the security process, and code has continually been reviewed and updated for security," a Microsoft spokesperson told BetaNews. "In this case, in order to help ensure our customers are not impacted by the release of this source code, we are reviewing it again."
If necessary, the company will patch supported legacy versions of its software, including older builds of Internet Explorer, but encourages users to upgrade and follow the measures outlined at its Protect Your PC Web site.
"The most recent version of any operating system should always be the most secure," the spokesperson said. However, this may leave many customers who have not upgraded without protection.
Just days after the leak, the first exploit to take advantage of a vulnerability discovered in the source code appeared on security mailing lists. The flaw lies in the way Internet Explorer handles bitmap images, and could lead to the execution of arbitrary code on a victim's computer. Although the bug was fixed in IE 6 Service Pack 1, earlier versions of IE are used by over 25 percent of Web surfers.
For customers who have not upgraded to the latest release, a Microsoft spokesperson told BetaNews, "In this case, we are working to provide this fix to supported versions of Internet Explorer that are affected by this issue."
What remains to be seen is whether or not additional flaws will be uncovered as a result of the new source code review, and how Microsoft will handle fixes to legacy products, such as Windows NT 4 and Windows 2000 Service Pack 1 - portions of which were those leaked.
Industry watchers have already begun to weigh in.
"Considering the number of products outside support but still in use, this is no small matter," said Jupiter Research senior analyst Joe Wilcox.
"Another issue: How far did Microsoft extend its original two-month Windows code review; that's a question only the company can answer. When Microsoft conducted that review, some Internet Explorer 5 versions had already passed their period of lifecycle support. IE 5.01 for Windows 2000 Service Pack 2 expires at the end of June," noted Jupiter's Wilcox. "Was there a thorough review of IE 5.01 for Windows 2000 SP1, for which some code leaked last week and for which a flaw was soon after uncovered?"
Microsoft modified its support policy for service packs on October 15, 2002, such that all products released before that date will continue to receive fixes for the most current service pack only.
If taken as gospel, this policy excludes Windows 2000 Service Pack 1.
Although Microsoft has taken the proactive step to review its leaked code for potential vulnerabilities, a spokesperson for Sun Microsystems questioned the motives. "The need for a review of legacy code should not be event driven, but rather be in the culture and fabric of the company," the spokesperson said.