Leaked Code Still Could Bear Malicious Fruit

15/03/2004 Written by Dennis Fisher

When news of the leak of a portion of Windows source code broke last month, many in the security community cautioned against overreacting, saying that the leak likely wouldn’t lead to a slew of new vulnerability discoveries. But that attitude has changed in recent weeks because researchers said that crackers have uncovered several previously unknown vulnerabilities in the code and appear determined to keep the flaws quiet for their private use.

Many in the legitimate security world have shied away from downloading and examining the code, out of fear of legal problems with Microsoft and out of a desire to keep their research unspoiled by what could be corrupt or damaged code. However, malicious crackers have had no such reservations. Immediately following the code’s posting on the Internet, members of the security underground began poring over the code, searching for undocumented features and flaws that might give them a new way to break into Windows machines.


There were some early claims of success, including one man who said he found a new vulnerability in Microsoft Corp.’s Internet Explorer. However, at the time, security experts said that because the leaked code was so old and was only a fragment of the entire Windows source, there would likely be few actual weaknesses found. But experts who monitor the underground security community said the crackers continued to share the code with one another and have apparently had some success probing for flaws.

“I know of vulnerabilities that have been discovered as a result of the code being exposed to the Internet. I suspect that additional new vulnerabilities will be discovered as time goes on, due to the breach of security,” said Ken Dunham, malicious-code manager at iDefense Inc., a security intelligence company in Reston, Va.

The real danger isn’t the vulnerabilities that this crowd finds and then posts for all the world to see; it’s the ones that they keep to themselves for personal use that have researchers worried. Experts said there has been a lot of talk about such finds on cracker bulletin boards and Internet Relay Chat channels of late, indicating that some of the bad guys are busily adding new weapons to their armories.

“We are always keeping an open ear in the underground, and people are definitely finding good use of the leaked source,” said Thor Larholm, senior security researcher at Pivx Solutions LLC, based in Newport Beach, Calif. “However, they are also keenly aware that Microsoft is actively pursuing anyone that claims to have a copy of the source, so they are keeping a low profile. So far, we have seen a few publicly announced vulnerabilities based off the leaked source, but I estimate that most of the remaining vulnerabilities will be kept out of public view and part of private weapon arsenals.”

Another concern for Microsoft and its millions of customers is that even though the leaked code is more than 10 years old, it forms the base of the company’s current operating system offerings, Windows XP and Windows Server 2003. This means that any vulnerabilities found in Windows NT or Windows 2000 could exist in the newer versions as well. This kind of thing keeps security people awake at night, tormented by visions of crackers roaming unchecked through their networks.

“Perhaps the greatest danger is that code in the leaked data is the same as that in nonleaked source code. If that is the case, it may give hackers additional motive and payoff for exploiting something that is a newfound vulnerability that may work in multiple [operating systems],” said iDefense’s Dunham.

