Microsoft’s effort to make Windows more secure was dealt a heavy blow recently when someone apparently obtained and published a massive chunk of the Windows source code. The initial response of many security pundits was that this disclosure would have little effect on the overall security of Windows, but the reason they gave was less than reassuring, since many said there were already so many well-known holes in the code that having the source code wasn’t necessary to compromise Microsoft systems.
Understandably, Microsoft has been downplaying the threat posed by this disclosure of several megabytes of source code, but Microsoft also quickly followed the disclosure with a recommendation to immediately upgrade all Microsoft browser versions to Internet Explorer 6 SP1.
The majority of the disclosed code was initially reported to be for the Windows NT 4.0 and Windows 2000 operating systems. However, more recent reports point to the source code for Internet Explorer 4 and 5 as being the code that was released, and that would be consistent with Microsoft’s recommendation for people to upgrade to IE 6 SP1.
The disclosure has been reported in some newsgroups as having originated from a Microsoft partner that had legitimate access to the code. Microsoft’s press release on the disclosure said that the company would be pursuing legal remedies and that the code was not released due to any apparent breach of the company’s own network or any internal security vulnerabilities.
This could potentially affect all Internet Explorer versions prior to IE 6, even if they have all appropriate security patches applied.
Risk level—unknown but probably very serious
There have been so many serious vulnerabilities discovered in IE by trial and error that it seems quite likely many more will be found by potential attackers after they carefully analyze the actual source code.
There are no known mitigating factors because the exact nature of this disclosure of source code (and how hackers will exploit it) is not yet known.
The only fix is to upgrade to IE 6 SP1, and even that may not be a comprehensive fix, since so much of the source code in IE 6 is probably legacy code inherited from earlier versions of IE.
If there is any good news in this for Microsoft, it lies in the fact that this disclosure was probably not due to any security problems at Microsoft. Plus, this should probably drive upgrades to the latest version of IE, which can mitigate some other well-known security problems and threats.
Also watch for …
- Critical holes have been found in the ZoneAlarm firewall. For the second time in two weeks, a popular firewall has been shown to have serious vulnerabilities. Both the recent Check Point firewall threats and this one in ZoneAlarm 4 (the current version) could allow attackers to penetrate and completely compromise the affected systems. Unfortunately, for a critical program with such a serious vulnerability, Zone Labs has made the update available only to those who have paid for an annual update and support. Zone Labs reports that the threat affects versions of ZoneAlarm, ZoneAlarm Pro, ZoneAlarm Plus, and the Zone Labs Integrity Client. This threat is due to a buffer overrun in SMTP. According to Zone Labs, “In order to exploit the vulnerability without user assistance, the target system must be operating as an SMTP server. Zone Labs does not recommend using our client security products to protect servers.”
- A number of vulnerabilities have been disclosed for NetBSD:
—NetBSD Security Advisory 2004-004: shmat reference counting bug
—NetBSD Security Advisory 2004-003: OpenSSL 0.9.6 ASN.1 parser vulnerability
—NetBSD Security Advisory 2004-002: Inconsistent IPv6 path MTU discovery handling
—NetBSD Security Advisory 2004-001: Insufficient packet validation in racoon IKE daemon