Microsoft’s effort to make Windows more secure was dealt a heavy blow recently when someone apparently obtained and published a massive chunk of the Windows source code. The initial response of many security pundits was that this disclosure would have little effect on the overall security of Windows, but the reason they gave was less than reassuring, since many said there were already so many well-known holes in the code that having the source code wasn’t necessary to compromise Microsoft systems.

Understandably, Microsoft has been downplaying the threat posed by this disclosure of several megabytes of source code, but Microsoft also quickly followed the disclosure with a recommendation to immediately upgrade all Microsoft browser versions to Internet Explorer 6 SP1.

The majority of the disclosed code was initially reported to be for the Windows NT 4.0 and Windows 2000 operating systems. However, more recent reports point to the source code for Internet Explorer 4 and 5 as being the code that was released, and that would be consistent with Microsoft’s recommendation for people to upgrade to IE 6 SP1.

The disclosure has been reported in some newsgroups as having originated from a Microsoft partner that had legitimate access to the code. Microsoft’s press release on the disclosure said that the company would be pursuing legal remedies and that the code was not released due to any apparent breach of the company’s own network or any internal security vulnerabilities.

This could potentially affect all Internet Explorer versions prior to IE 6, even if they have all appropriate security patches applied.

Risk level—unknown but probably very serious
There have been so many serious vulnerabilities discovered in IE by trial and error that it seems quite likely many more will be found by potential attackers after they carefully analyze the actual source code.

Mitigating factors
There are no known mitigating factors because the exact nature of this disclosure of source code (and how hackers will exploit it) is not yet known.

The only fix is to upgrade to IE 6 SP1, and even that may not be a comprehensive fix, since so much of the source code in IE 6 is probably legacy code inherited from earlier versions of IE.

Final word
If there is any good news in this for Microsoft, it lies in the fact that this disclosure was probably not due to any security problems at Microsoft. Plus, this should probably drive upgrades to the latest version of IE, which can mitigate some other well-known security problems and threats.

Also watch for …