News

Microsoft Goes After Source Code Downloaders

• By Scott Bekker
• 02/18/2004

"Microsoft is sending letters explaining to individuals who have already downloaded the source code that such actions are in violation of the law," the company said in a statement on Wednesday. "Additionally, Microsoft has instituted the use of alerts on several peer-to-peer clients where such illegal sharing of the source code has taken place.

"These alerts are designed to inform any user who conducts specific searches on these networks to locate and download the source code that such activity is illegal," the statement said.

Microsoft acknowledged late last week that portions of Windows NT 4.0 and Windows 2000 source code were illegally posted to the Web.

Microsoft's original step was to begin its own investigation into the source of the leak and to cooperate with the U.S. Federal Bureau of Investigation. The personalized approach unveiled Wednesday marks an expansion of Microsoft's damage control effort from finding the source of the leak to a broader effort to discourage people from downloading the code.

Microsoft would appear to have two strong motives for sending the letters: protection of its intellectual property from competitors and the securing its code from attackers. Microsoft has a history of protecting its IP and trademarks by sending legal letters to individuals (such as the embarrassing recent case of its letter demanding high school student Mike Rowe discontinue use of his MikeRoweSoft Web site), so the approach isn't a surprise.

Microsoft has already downplayed the security risk of the 13 million lines of source code, which the company said cannot be compiled. But security researchers and other industry experts have differing opinions from Microsoft and each other about the level of security risk the source code leak represents.

Microsoft's statement on Wednesday, meanwhile, attempted to undermine an earlier claim that an exploit has already been developed based on the source code leak.

The Security Tracker Web site posted an exploit of Internet Explorer 5.0 but not IE 6.0 for a flaw that could allow execution of arbitrary code over a network. The exploit's author claimed to have found the flaw by reviewing the leaked source code.

Microsoft answered on Wednesday that it began investigating a "reported exploit on versions of Internet Explorer allegedly discovered by an individual studying the leaked source code. This exploit is a known issue that Microsoft had discovered internally and addressed with the latest release of Internet Explorer -- Internet Explorer 6.0 Service Pack 1."

Meanwhile, Microsoft was saying very little about how the leaked code reached the Web. However, the BetaNews Web site reported earlier that an examination of the source code revealed that it may have been taken from a computer maintained by Mainsoft, a Microsoft partner of 10 years and a holder of a source code licensing agreement with Microsoft.

In a statement posted on the Mainsoft Web site, Mainsoft chairman Mike Gullard said Mainsoft "takes Microsoft's and all our customers' security seriously and we recognize the gravity of the situation. We are cooperating fully with Microsoft and all authorities in their investigation. We are unable to issue any further statement or answer questions until we have more information."

Without specifying that a partner was responsible or naming Mainsoft, Microsoft did publicly eliminate many other possible ways for the code to reach the Web. "This was not the result of any breach of Microsoft's corporate network or internal security, nor is it related to Microsoft's Shared Source Initiative or its Government Security Program, which enable our customers and partners, as well as governments, to legally access Microsoft's source code," the company said in its Wednesday statement. The Mainsoft agreement predates both the Shared Source Initiative and the Government Security Program.