If you trust the Internet, the story goes like this: a leaker who goes by the handle billgates3 amassed the treasure trove of Microsoft source code over the months leading up to this weekend and felt that releasing it was in the public interest since, after all, this code has been circulating in the underground hacker world for years. The code was shared on 4chan, an image-based bulletin board, and the link was archived after being live for just four hours.
Various media outlets have received the same response from Microsoft to their inquiries: "We are investigating the matter." (Tom'sHardware.com)
Some Background
Since 2003, Microsoft has signed numerous agreements to share source code with national-level government agencies and international organizations through its Government Security Program, in an effort "to build trust through transparency". But why does this matter? In short, because the source code has been accessible to non-Microsoft personnel for quite some time, so it is possible, and even probable, that this code has been available to hackers for years.
What's the Big Deal?
At the moment, there isn't one; the problem is likely down the road. Exposing source code is akin to handing hackers and reverse engineers a cheat sheet. For example, knowing variable names and their types, as well as which functions operate on them, lets exploit developers craft effective payloads in less time. In short: less guesswork.
What's at Risk?
The potential issues arising from this will most probably target the operating systems whose code was released in the torrent:
- Windows 2000
- Windows CE 3
- Windows CE 4
- Windows CE 5
- Windows Embedded 7
- Windows Embedded CE
- Windows NT 3.5
- Windows NT 4
- MS-DOS 3.30
- MS-DOS 6.0
This also highlights another important consideration, though there isn't much to be done about it: if this code has been available to the hacker community, is newer source code also in circulation? Don't lose too much sleep, though. Chances are that if such code is floating around, those in possession of it aren't weaponizing it against you first, and if you keep a good patching cadence for your environment, you'll be patched before it becomes a problem.
So What Should I Do?
Well, this may not come as a surprise, but here we go anyway: get your environment off any of the aforementioned operating systems ASAP! These operating systems are all end-of-life and should not be running production workloads anywhere in your environment. End-of-life typically means that any new exploits affecting these systems will not be patched by Microsoft.
Additionally, revisit your patching process to ensure that your patch management cadence is complete (it includes all systems) and timely. If anything comes of this that affects currently supported operating systems, prompt patching will be critical.
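The two recommendations above (find every host still running one of the listed end-of-life systems, and check that every host is inside your patch window) are the kind of thing worth automating against an asset inventory. The following is an added example, not code from the article: it reads a small constructed inventory export (hostname, OS string as an inventory tool might report it, last patch date), matches the OS string against patterns for the operating systems named in the list above, and flags hosts whose last patch is older than a chosen cadence. The regular expressions, the CSV layout, the 30-day limit and the reference date are all assumptions made for the example.

```python
"""Flag end-of-life Windows hosts and overdue patches in an asset inventory (added example)."""
from dataclasses import dataclass
from datetime import date
import re

# Families from the article's list of leaked operating systems. The version
# patterns are assumptions about how inventory tools typically label them.
EOL_PATTERNS = [
    (re.compile(r"windows\s*2000\b", re.I), "Windows 2000"),
    (re.compile(r"windows\s*nt\s*(3\.5|4)(\.\d+)?\b", re.I), "Windows NT 3.5/4"),
    (re.compile(r"windows\s*embedded\s*(standard\s*)?7\b", re.I), "Windows Embedded 7"),
    (re.compile(r"windows\s*(embedded\s*)?ce\b", re.I), "Windows CE"),
    (re.compile(r"ms-?dos\s*(3\.30|6\.0)\b", re.I), "MS-DOS 3.30/6.0"),
]

# Constructed inventory export: hostname, OS as reported, last patch date (ISO).
SAMPLE_INVENTORY = """
# hostname, operating system, last patched
PLC-GW-01, Windows CE 5.0, 2015-02-10
FILESRV-02, Windows 2000 Server SP4, 2010-07-13
KIOSK-07, Windows Embedded Standard 7, 2020-03-02
WEB-11, Windows Server 2019 Datacenter, 2020-09-15
LAB-DOS, MS-DOS 6.0, 1996-01-01
WS-042, Windows 10 Enterprise, 2020-08-20
"""

# Constructed reference date for the age calculation (assumption for the example).
REFERENCE_DATE = date(2020, 9, 28)


@dataclass
class Host:
    name: str
    os: str
    last_patched: date


@dataclass
class Finding:
    host: str
    issue: str    # "eol" or "patch_overdue"
    detail: str


def eol_family(os_string: str):
    """Return the end-of-life family an OS string belongs to, or None if unmatched."""
    for pattern, family in EOL_PATTERNS:
        if pattern.search(os_string):
            return family
    return None


def parse_inventory(text: str):
    """Parse the three-column comma-separated export, skipping blanks and comments."""
    hosts = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, os_string, patched = (field.strip() for field in line.split(","))
        hosts.append(Host(name, os_string, date.fromisoformat(patched)))
    return hosts


def assess(hosts, today: date, max_patch_age_days: int = 30):
    """Produce one finding per EOL host and one per host outside the patch window."""
    findings = []
    for host in hosts:
        family = eol_family(host.os)
        if family:
            findings.append(Finding(host.name, "eol",
                                    f"{host.os} is end-of-life ({family}); decommission or isolate"))
        age_days = (today - host.last_patched).days
        if age_days > max_patch_age_days:
            findings.append(Finding(host.name, "patch_overdue",
                                    f"last patched {age_days} days ago (limit {max_patch_age_days})"))
    return findings


def summarize(findings):
    """Count findings by issue type for a quick report."""
    counts = {"eol": 0, "patch_overdue": 0}
    for finding in findings:
        counts[finding.issue] += 1
    return counts


if __name__ == "__main__":
    results = assess(parse_inventory(SAMPLE_INVENTORY), REFERENCE_DATE)
    for finding in results:
        print(f"{finding.host:12} {finding.issue:14} {finding.detail}")
    print(summarize(results))
```

Run against the constructed data, the script reports the four end-of-life hosts and five hosts outside the 30-day window (every EOL host is also overdue, as you would expect, plus one supported workstation that simply missed a cycle). The two checks are deliberately separate: an EOL finding calls for decommissioning or isolation, while an overdue finding on a supported system is the patch-cadence gap the article warns about.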