according to unconfirmed reports, the source code for windows 2000 and NT have been leaked, the source or authenticity of the files which have spread from P2P to IRC is not currently known but this has been reported by neowin and OSfocus.

users of windows 2000 or NT are advised to make sure they have a firewall with the relative up to date, updates.

source: OSfocus

http://osfocus.net/

and neowin

http://www.neowin.net/

It appears the Windows 2000 source code has been leaked.

http://www.neowin.net/comments.php?id=17509&category=main

Neowin has learned of shocking and potentially devastating news. It would appear that two packages are circulating on the internet, one being the source code to Windows 2000, and the other being the source code to Windows NT. At this time, it is hard to establish whether or not full code has leaked, and this will undoubtedly remain the situation until an attempt is made to compile them. Microsoft are currently unavailable for comment surrounding this leak so we have no official response from them at the time of writing.

This leak is a shock not only to Neowin, but to the wider IT industry. The ramifications of this leak are far reaching and devastating. This reporter does not wish to be sensationalist, but the number of industries and critical systems that are based around these technologies that could be damaged by new exploits found in this source code is something that doesn't bare thinking about.

We ask that for the wider benefit of the IT community that members and readers support Microsoft by forwarding anything they know about the leak to the Microsoft's Anti-Piracy department.

Update: Microsoft's Tom Pilla has confirmed the leak stating: "Today we became aware that incomplete portions of Windows 2000 and NT 4.0 source code was illegally made available on the Internet"

http://www.msnbc.msn.com/id/4253584

SEATTLE - Microsoft Corp. said late Thursday that portions of its Windows source code †� the tightly guarded blueprints of its dominant operating system †� had been leaked over the Internet.

Microsoft spokesman Tom Pilla said in an interview with The Associated Press that some incomplete portions of the Windows 2000 and Windows NT4 source code had been †œillegally made available on the Internet.â₠¬Â�

Access to the source code could allow hackers to exploit the operating system and attack machines running Windows, which is used on hundreds of millions of computers worldwide.

The company was made aware of the leak on Thursday and is investigating, Pilla said. He did not know how much of the code had been leaked or how many people may have gained access to it. The company could not immediately pinpoint the source of the leak, and has contacted law enforcement authorities, he said.

Pilla said there was no indication the code leak was a result of a breach of Microsoftâ₠¬â„¢s corporate network. There was no known immediate impact on Microsoft customers, he said. (MSNBC is a Microsoft - NBC joint venture.)

Microsoft has previously shared some of its source code with some U.S. government agencies, foreign governments and universities under tight restrictions that prevent such organizations from making it publicly available. But the company has generally argued that the blueprints to its operating system are proprietary, and shouldnââ‚à ‚¬Ã¢â€žÂ¢t be made public.

Still, because some people outside Microsoft have had access to the code, analysts said it wasnâ₠¬Ã¢â€žÂ¢t too surprising for such a leak to occur at some point †â€Â� either intentionally or unintentionally.

†œIt seems unlikely this is going to create a material, significant security problem, said Rob Enderle, a technology expert and principal analyst with the Enderle Group. †œItÃƒÆ’Ã†â€™Ãƒâ€šÃ‚Â¢ÃƒÆ ’¢â€šÂ¬Ã¢â€Å ¾Ã‚¢s more embarrassing than anything else because it makes it look like Microsoft canââ‚Âà ‚¬ÃƒÂ¢Ã¢â‚¬Å¾Ã‚¢t control its code.ââ‚ƚ¬Ã‚ÂÂÂ�

Surprised it took as long for this to be distributed as it has really. Don't think it'll be a major issue.

It appears the Windows 2000 source code has been leaked.

http://www.neowin.net/comments.php?id=17509&category=main



http://www.msnbc.msn.com/id/4253584

dupe, try using the search facility first, you might have found a thread about this four hours earlier.

I don't see why this should be a major issue - those who want to seem to find the exploits easily enough without access to the source code.

So, in the last few days we've had a 'critical' flaw in Windoze to patch, a claim that IE is the 'most secure' browser because it's got more patches than a patchwork quilt, and now the source code is out, M$ are bricking themselves because they have so little faith in the integrity of Windoze that they are expecting the hacker community to fnid all sorts of new exploits in double-quick time.

Funny, the entire Linux source code is open source but you don't see people flapping about that getting exploited. Or am I missing something here? Please, somebody disabuse me of the notion that Microsoft is a shoddy, complacent outfit that's panicking it's about to get found out at last.

So, in the last few days we've had a 'critical' flaw in Windoze to patch, a claim that IE is the 'most secure' browser because it's got more patches than a patchwork quilt, and now the source code is out, M$ are bricking themselves because they have so little faith in the integrity of Windoze that they are expecting the hacker community to fnid all sorts of new exploits in double-quick time.

Funny, the entire Linux source code is open source but you don't see people flapping about that getting exploited. Or am I missing something here? Please, somebody disabuse me of the notion that Microsoft is a shoddy, complacent outfit that's panicking it's about to get found out at last.

Simple ----

Linux is neat tidy and well written -

Windows is the oposite of the above :D

So, in the last few days we've had a 'critical' flaw in Windoze to patch, a claim that IE is the 'most secure' browser because it's got more patches than a patchwork quilt, and now the source code is out, M$ are bricking themselves because they have so little faith in the integrity of Windoze that they are expecting the hacker community to fnid all sorts of new exploits in double-quick time.

Funny, the entire Linux source code is open source but you don't see people flapping about that getting exploited. Or am I missing something here? Please, somebody disabuse me of the notion that Microsoft is a shoddy, complacent outfit that's panicking it's about to get found out at last.
Actually, Linux does have exploits, and there is a fairly major flaw in the error checking systems on Linux (which I think has been patched admittedly), and so does the Mac (remember the DHCP flaw Apple knew about yet still took a month to release the patch).

I don't know whether Windows is any more or less secure than any other OS (they are all hacked regularly, it may be that Windows gets hacked more because more people run it), but something like 95% of the world's PCs (I mean Personal Computers, not only IBM compatible PCs) run it, so anything that helps the hackers must be worrying.

Just to make it clear. I don't really favour one OS over another. At work, I use Windoxs (XP and 2000 Server) and Mac OSX. At home, I use Windows XP & Mac OSX 2.8 (running on a rather old but cute iBook borrowed from work). I also occasionally dabble in Linux. They all have good and bad points.

Actually, Linux does have exploits, and there is a fairly major flaw in the error checking systems on Linux (which I think has been patched admittedly), and so does the Mac (remember the DHCP flaw Apple knew about yet still took a month to release the patch).

I don't know whether Windows is any more or less secure than any other OS (they are all hacked regularly, it may be that Windows gets hacked more because more people run it), but something like 95% of the world's PCs (I mean Personal Computers, not only IBM compatible PCs) run it, so anything that helps the hackers must be worrying.

Just to make it clear. I don't really favour one OS over another. At work, I use Windoxs (XP and 2000 Server) and Mac OSX. At home, I use Windows XP & Mac OSX 2.8 (running on a rather old but cute iBook borrowed from work). I also occasionally dabble in Linux. They all have good and bad points.
All very true. But someone from zdnet was on the radio this morning arguing that M$ is the author of its own misfortune here by keeping Windoze source-code such a closely-guarded secret in the first place. Other OSes, such as Linux, and even Apple's core operating system, Darwin, are open source. Does this give them an advantage?

All very true. But someone from zdnet was on the radio this morning arguing that M$ is the author of its own misfortune here by keeping Windoze source-code such a closely-guarded secret in the first place. Other OSes, such as Linux, and even Apple's core operating system, Darwin, are open source. Does this give them an advantage?

In that it gets a lot more error checking going on, yes.

I think most MS haters these days do it because it's fashionable or seen as the thing to do.

Then you have the script kiddies who just do it because they can and think it makes them big.

Most people grow up using MS stuff, so to go up against Macs or Linux isn't much of an option as they have no idea how they work (heck, most probably don't know they exist!)

All very true. But someone from zdnet was on the radio this morning arguing that M$ is the author of its own misfortune here by keeping Windoze source-code such a closely-guarded secret in the first place. Other OSes, such as Linux, and even Apple's core operating system, Darwin, are open source. Does this give them an advantage?
It may do. More people checking it..

The comments here are funny as hell:
http://slashdot.org/article.pl?sid=04/02/12/2114228&mode=thread&tid=109&tid=187 :LOL:

The general point about "open source" is that as the source code is available for public scrutiny, then when problems with the code are found, they are disclosed almost immediately, and as the code is available to all, there is less pressure on one single entity to "fix the problem".

Now (biased hat on here) the machine I'm typing this on is running Slackware Linux.

Why? Several reasons - 1) I happen to like it. 2) As it's open source, should I choose to do so, I can modify the code myself, quite legally, as long as I agree to submit my changes back for the whole open-source community to share. 3) I (personally) think my linux systems are more secure than an equivalent Windows system 4) I happen to like it (did I mention that already?)

Now, the problem with any operating system is that they are all susceptible to problems. All software has bugs. Get used to it ;-)

Microsoft's problem is the paranoia they attract to their "closed source" model, and the secrecy involved, means that they seldom allow outside interference form others. Indeed, when code problems have been pointed out to MS, they sometimes stay mysteriously silent.

I'm not bashing MS here, honest, linux has bugs and security problems too (although not as many as Windows!!) but with a transparent open source model, problems are more likely to be fixed quickly as *any* developer can submit a patch - it doesn't have to go through Microsoft's "QA" procedure (!!!)

I'll give you a quick example - on Jan 28, a problem was found in the code of the popular open source Instant Messaging client, Gaim. Within 24 hours, patches were available to fix up to 12 vulnerabilites. That wouldn't have happened with Microsoft.

If anyone is interested in the "open source" model, you can find the principle of it in Eric S. Raymond's opus "The Cathedral and The Bazaar" - well worth a look:

http://www.catb.org/~esr/writings/cathedral-bazaar/

Anyway, from what I've just read it seems this "leak" was from an MS-partner!

Red faces all round!

What a bad week for Redmond... if I were a large company running NT x, I'd be seriously considering a switch to Linux or BSD.

What a bad week for Redmond... if I were a large company running NT x, I'd be seriously considering a switch to Linux or BSD.

TBH, I don't think you would - the cost in switching would be enoumous both in support, development, installation, training etc etc.

TBH, I don't think you would - the cost in switching would be enoumous both in support, development, installation, training etc etc.

Beat me to it :p

The cost of re-training the entire staff of a company would be huge.. Would need the whole system revamping.. wouldn't be feasible..

Maybe just use Linux on there main server computers, etc...? Dont really know much about this stuff..

That's what I meant - for the web/database servers and things, not the desktops.

I have 83 servers in my Division - the company as a whole has over 500 - any thoughts of changing them all would be nothing more than a hugely expensive dream.

Yes, but you don't necessarily have to change every server overnight!

For example: My company - although we are Microsoft Certified Partners, get boxes of free things from MS every month and develop Microsoft software products, and have several Windows 2003 domains (Active Directory, blah, blah) I have integrated a whole bunch of linux servers into our local "Windows" LAN.

Reasons? Easy -

1) web servers - Linux/Apache/Perl/MySQL - far better than anyting MS has (AND FREE!) and secure.

2) file servers - Linux/Samba combination - why pay MS over a grand for a ten user licence of Windows Server just to hold data files? My linux file servers, running Samba, (FREE) do the job just as well, are joined into the Active Directory as members, and - most importantly - the end-users haven't a clue they're using a linux server. It's transparent to them. Seamless authentication using their Windows Domain accounts and user-level security is all available in Samba.

3) proxy server - Linux/Squid - fast, secure reliable. ISA Server? No thanks!

So, you *can* implement linux in to your Windows networks without a lot of pain - all you need is the *Technical* resources. And believe me, it's easier to train a couple of your techies in linux than to re-train all your users. Linux' strength has always been in the server room, where in performance terms, a linux box will run better than a windows box on the same hardware.

And, of course, you're saving money by not having to purchase huge amounts of licences from MS - and all the changes I've noted above are completely transparent to the users - my users haven't a clue they're updating web pages to Apache and not IIS, that they're using a Squid Cache not ISA, and that the huge collections of MP3 files (ahem) they "found" are not held on a windows-share!

You can bring linux in to an existing LAN: all you need is the *technical* resources.

...and you'll save yourself pots of money too - I know, we did!

If any one is interested in the projects mentioned above:

http://www.samba.org - Samba Project
http://www.squid-cache.org - Squid Caching Proxy Server
http://www.apache.org - Apache Web Server
http://www.mysql.com - MySQL Database Server
http://www.perl.com - Official PERL Home Page

HTH!

I'd love to replace some of our Windows based servers (we couldn't do all of them, as some courses require specific software running on the servers, and in some cases this software requires a Windows Server) with Apple XServe G5s.

Don't think the boss would go for it though. It's too expensive.

For some courses, we do run a combination of Linux (not sure which distro as I am not involved in that side of things) and Solaris servers as well. As I understand it, the Xserves could replace these as well.

Does the fact that only some of the Windows NT and 2000 source code has leaked (and will soon be used by hackers to break into systems using Windows) mean that there's no threat from this leak to other versions, such as XP, 98, etc?

Brian

Does the fact that only some of the Windows NT and 2000 source code has leaked (and will soon be used by hackers to break into systems using Windows) mean that there's no threat from this leak to other versions, such as XP, 98, etc?

Brian

I dont think that the major part of the danger is there. IMO users that leave the admin password blank and do not rename the admin account. You'd be suprised at the ammont of systems I see like that.

Well, according to Betanews (http://www.betanews.com), Microsoft have tracked down the source of the leak. It was actually Windows 2000 Service Pack 1 that was leaked.

Anyway, apparently the company it was leaked from was a company called "Mainsoft" who were/are one of two companies (apart from Microsoft) with rights to the Windows source code.

Apparently it was stolen from a development machine running Linux.

Article here (http://www.betanews.com/article.php3?sid=1076674118)

Ohh look, an exploit! :rolleyes:
Didn't take long did it?
http://slashdot.org/articles/04/02/16/1737200.shtml?tid=126&tid=172&tid=185&tid=190&tid=201

Ohh look, an exploit! :rolleyes:
Didn't take long did it?
http://slashdot.org/articles/04/02/16/1737200.shtml?tid=126&tid=172&tid=185&tid=190&tid=201

First of many IMO..........

Me thinks that the windows update servers will be busy ! Thats if Microsoft actualy publish a fix before I retire :D

it seems the first hatched exploit is with us, it affects internet explorer 5......


Date: Feb 15 2004

Impact: Execution of arbitrary code via network, User access via network

Exploit Included: Yes

Version(s): 5 (6 is reportedly not vulnerable)

Description: A vulnerability was reported in Microsoft Internet Explorer (IE) version 5. A remote user can execute arbitrary code on the target system.

It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.

The author states that this flaw was found by reviewing the recently leaked Microsoft Windows source code. The flaw reportedly resides in 'win2k/private/inet/mshtml/src/site/download/imgbmp.cxx'.

The report indicates that IE 5 is affected but that IE 6 is not affected.

A demonstration exploit is provided in the Source Message [it is Base64 encoded].

Impact: A remote user can cause arbitrary code to be executed on the target user's computer when the target user's browser loads a specially crafted bitmap file. The code will run with the privileges of the target user.

Solution: No solution was available at the time of this entry.

Vendor URL: www.microsoft.com/technet/security/ (Links to External Site)

Cause: Boundary error

Underlying OS: Windows (Any)

Reported By: <gta@hush.com>

Message History: None.


http://www.securitytracker.com/alerts/2004/Feb/1009067.html

First of many IMO..........

Me thinks that the windows update servers will be busy ! Thats if Microsoft actualy publish a fix before I retire :DAnd the amazing thing is, a lot of exploits would be stopped if people had proper security and firewalled their systems properly (certainly most of the IIS exploits can be stopped by firewall. Some would suggest blocking port 80:D).