Microsoft's secrets revealed on internet

BY CHARLES ARTHUR

Microsoft was last night frantically hunting for the person who released the secrets of its Windows operating systems onto the internet.

The latest assault on the global computer giant caps what has been one of the worst weeks in recent corporate memory for Bill Gates.

MyDoom became the fastest-spreading computer virus ever seen, able to infect all versions of Windows making them vulnerable to hackers and spammers to steal details and send junk email.

Then late on Tuesday night, the company announced a "serious vulnerability" that could let someone else take complete control of machines running Windows remotely – without the user doing anything. And now, the lines of "source code" laboured over by its programmers has popped up on the Net, leading experts to worry that hackers will use that to find new ways to break into the software that powers the majority of computers around the world.

"It's not an annus horribilis – what's the Latin for week?" said Neil Barrett, founder and consultant at the computer security company Information Risk Management.

"It has to be said that Microsoft still aren't in a position where they enamour themselves to the computing population. We use their products almost in spite of ourselves; these holes keep popping up just when you think it's all right."

Even more embarrassing is that this run of security breaches has come just over two years since Mr Gates, the founder and chairman of Microsoft, announced in January 2002 that it should focus all its energies on building "trustworthy computing", which would be "as available, reliable and secure as electricity, water services and telephony".

He did acknowledge, in the email sent throughout the company, that "computing falls well short of this." But how much further forward is Microsoft – and us – today?

The release of the source code is a special concern. Such code is used to create the software that Microsoft sells. When it reaches you, in a set of CDs, it has become "binary code" – readable only by a machine. Source code gives hints about how the operating system works, and where its faults might lie.

The amount released was tiny compared to the whole operating system – which in source form takes up 40 gigabytes (40,000 megabytes). But even the 650 Mb released yesterday is plenty for a programmer to pore over.

"It can potentially tell you a huge amount about how the system works underneath," said Mr Barrett, who has more than two decades' experience of the hacker mindset.

That, in turn, might lead to underground attacks on the biggest companies using Windows 2000 or Windows NT, from which the code comes. Or it might lead to an even more damaging onslaught than MyDoom or the Blaster worm, which last summer infected millions of PCs directly from the Web.

David Emm, product marketing manager at McAfee, which produces antivirus and "firewall" products to protect PCs, said the leak was more embarrassing than dangerous: "the bad guys don't need source code to latch on to vulnerabilities."

A source within Microsoft agreed: "It's not going to make a whole lot of difference in the hacking world, because what they tend to do is to look at the fixes we send out, and then try to work backwards to see what hole we're fixing."

In that case, they've had plenty to work with. Since Windows XP was launched late in 2001, Microsoft has issued dozens of software "patches" for holes in the code which could potentially give outsiders control of your PC. The releases now come in a monthly cycle – unless the problem is very serious, in which case the patch is released at once.

Most recently the software giant issued a patch for internet Explorer, the Web browser used by about 80 per cent of surfers, to close a hole that allowed "phishing" – letting scam artists create weblinks that appeared to link to real banks, but were instead fakes designed to capture peoples' bank details.

That update did mean that some real bank sites stopped working through the browser. But Microsoft decided that stopping phishing was more important.

The huge flaw announced on Tuesday was more subtle, and had taken the company six months to fix.

"Some of its errors are down to sloppiness in the source code, but others are much more subtle," said Mr Barrett. "I think this flaw was one of the latter."

Does that mean Mr Gates's announcement of January 2002 was just hot air?

"That won't become clear for another 12 to 18 months, maybe more, until we see the next version of Windows," said Mr Emm.

Mr Barrett said: "In fairness, the security initiative has had a good effect. And if we're going to be honest, this isn't going to make the slightest difference to how many people buy Microsoft. It used to be that you didn't get fired for buying IBM. Now, the same applies for Microsoft. The cost of changing and retraining people is so huge. So no matter how bad this was, it won't actually even begin to tickle their dominance."

- INDEPENDENT