Twenty four hours after the illegal leak of Windows NT and Windows 2000 source code triggered new security fears for Microsoft
customers, industry analysts said the incident could be a blessing in disguise for Microsoft’s attempts to speed up enterprise migration to its Windows XP operating system.
According to statistics from research firm Gartner, approximately 70 percent of U.S. enterprises are running Windows 2000 or Windows NT desktops. Still, they say a chunk of source code in the hands of malicious hackers is not necessarily a doom-and-gloom scenario.
“There is a widespread misconception that the release of this code could mean ‘zero day’ attacks against the Windows 2000 and NT operation systems,” said Gartner security analyst John Pescatore, speaking about online attacks that do not require user activation. “I don’t think the security concern today is a big deal,” he told internetnews.com.
“The Linux source has been open and out there from day one but we don’t say zero day attacks against Linux. Windows NT is now seven years old. Windows 2000 is now four years. Why do people think this will lead to zero day attacks?”
Still, Pescatore said there are enough jitters among IT administrators that could speed up operating system migration plans.
“We’re not advising clients to rush to dump NT and Windows 2000 because of this code leak. But, I can see this helping Microsoft because of the misconception. Some companies that initially planned to wait until 2005 to move over to XP might get scared and accelerate the move.”
Many security experts were sharing Pescatore’s sentiments on mailing lists and discussion boards Friday. Russ Cooper, security consultant and editor of the NT Bugtraq list, said it would be very surprising if the code leak resulted in any significant new risk. “Given how hard people have pounded away at the binaries in the past, pouring over 55,000 source files to find
something new in old versions will likely/hopefully be a very unfulfilling task,” Cooper said in a note to the Bugtraq list.
According to Cooper, the chunks of code specifically related to Windows NT 4.0 SP3, all relating to NT 4.0 Server except IIS (Internet Information Server), Microsoft’s Web server.
It includes some code for Internet Explorer version 4. Another 338MB download that was in circulation on Internet sites was a small subset of Windows 2000 SP1 (service pack 1). He said the Windows 2000 code contains three references to Mainsoft, a San Jose, Calif.-based strategic software partner of Microsoft.
A published report has identified Mainsoft as the origin of the Windows 2000 leak but Microsoft has declined comment. Company spokesman Tom Pilla told internetnews.com that the code leak did not come from within Microsoft itself. “It’s fairly clear that this was not shown to be any breach of the Microsoft corporate network or Microsoft internal security.”
Yankee Group analyst Laura DiDio believes it is much too early to assume an automatic security danger, especially since Microsoft has made it very clear the leaked code cannot be recompiled. “I don’t think this will cause IT admins to panic and recommend an immediate move to XP. I think many enterprises will proceed as planned with their deployment time table and this episode won’t affect that.”
DiDio told internetnews.com some smaller organizations might speed up XP migration plans because of the code leak but, among larger enterprises, the logistics of upgrading thousands of desktops immediately are just too challenging. “This might cause some big companies to move up their timetable by a few months but it won’t be a stampede.”
Jupiter Research analyst Joe Wilcox thinks its too early to estimate the real impact of the code leak. “While this was a small portion of the Windows 2000 code, there’s still a lot of code here. Until people have had enough time to actually look it over with fine tooth comb, there’s no way to assess what the real security risk is.” (Jupiter Research and internetnews.com are owned by the same parent company.)
After last summer’s Sobig.F and MSBlast virus outbreaks, Microsoft CFO John Connors admitted
that weak billings for three or four weeks after the virus attacks had led to a significant slowdown in software licensing renewals.
Analyst say the code leak could even help Microsoft’s efforts at marketing its XP operating system. For example, customers could either not react, or decide the leak is a risk to their Windows 2000 and NT systems and look to upgrade to XP.
Windows XP is built on top of existing code from previous operating systems and it’s conceivable that if security vulnerabilities are uncovered as a result of the leaked code, those bugs could affect XP as well.