What started out for Microsoft as a bad day with the reported theft and Internet posting of source code for some of its Windows operating systems turned worse as the technology giant once again saw the security of its software tested with the emergence of a dangerous Internet Explorer exploit.
Security experts said the attacks via Microsoft’s Web browser — although not connected to the source code spillage — are particularly dangerous to Internet users because it would take only casual visiting of a Web site to become infected.
The alarming rate of emerging vulnerabilities, exploits and wriggling worms this year is compounded by the source code leak, which is likely to lead to even more security issues, according to experts who predicted the situation might spell the start of a switch from Microsoft products to other alternatives.
“This is definitely impacting the bottom line for Microsoft,” iDefense director of malicious code Ken Dunham told TechNewsWorld. “They are losing steam in the sales area and losing ground in servers because of security issues. It may not be the courts that dissolve the monopoly of Microsoft, but it may be the attackers.”
Malicious Leg Up
Security experts agreed that the Windows NT and Windows 2000 source-code leak — which is being investigated by the software giant and law enforcement officials — has broad implications for the number and severity of future attacks against Windows machines.
“Six hundred forty megabytes’ worth of lines of code should be enough to find some vulnerabilities in there,” Gartner research vice president Richard Stiennon told TechNewsWorld. “There will be new exploits, there will be patches, and there will be worms.”
Dunham called the capability to come up with new vulnerabilities and exploits based on the exposed source code “incredible.”
“The attackers are saying this morning that it does give them a leg up,” Dunham said of the source-code leak. “They can look at source code they’ve never seen before and do things they have never done before.”
He added that the source-code leak also might give an advantage to Microsoft’s competitors, which now have access to their rival’s code. The source code is being widely distributed and downloaded via the Web, FTP sites and peer-to-peer (P2P) networks.
Attacks Not Prevented
The theft and distribution of Windows source code comes at a time when several Internet viruses, virus variants, exploits and attacks are pounding at the Windows operating system and particularly the Internet Explorer browser.
Dunham — who reported at least 5,000 infected computers as a result of a new, as-yet-unpatched or so-called zero-day exploit — said the serious vulnerability in Explorer 6 could facilitate silent infection if a user merely visits a hostile Web site. Dunham recommended using alternative browsers, such as Mozilla, Netscape or Opera.
“It’s flat scary to think that by just surfing the Internet your computer could be infected with a virus,” he said. “This [attacker] has specific plans to hijack computers and control them, maybe to steal data, maybe to use in attacks.”
Dunham, who said the danger from exploit code was tempered because it is not widespread, nevertheless warned that companies using Explorer 6 are likely vulnerable even with the most up-to-date and comprehensive security patching.
“Corporations that use IE — even if they are fully patched because they are sensitive to security — are wide open to attack,” he said.
Death of Monoculture
Stiennon, who referred to the increasing attractiveness of alternate Web browsers on the Windows platform, said that although distaste for Microsoft wanes with the fading of issues, the company is likely to lose market share over time because of security concerns.
“During actual patch activity, the disgust level gets pretty high,” Stiennon said. “Companies start looking at other platforms, and you hear words like ‘diversity.’ But the half-life of that sentiment seems to be about three weeks, then they’re moving onto the next ones.”
He added that at some point, however, it will be easier to measure the cost of dealing with patching and the pain of an all-Windows or “monoculture” approach, which will drive companies to switch. He also said the other shoe to drop will be the reaction of consumers, who have helped Microsoft gain its dominant position.
“When consumers abandon ship and buy Macintosh or anything else, it will be the beginning of a tidal shift in computing,” Stiennon said.