The consequences of the Windows XP leak

Much of the Windows XP code has been leaked to the public. Does the leak affect the current Windows operating systems?

Opinions are divided. While some fear new waves of attacks on current Windows versions as a result, others even hope for more security. However, the code was never completely secret.

After a reference to a torrent package with Windows XP and Windows Server source code appeared in the 4Chan online forum, Windows users and (self-proclaimed) security experts began to discuss what consequences this publication would have. We took a closer look at the code and the discussion and venture an assessment.

There is not much reason to doubt its authenticity: the code most likely comes from Microsoft. In any case, the folder structure, the comment and copyright headers and the contents of randomly examined C code files are plausible. But the code in the torrent package is really old: we found code for Windows XP with Service Pack 1, so from around 2002. The code for Windows Server 2003 also dates from the same time. It is not the first such leak; however, this code is more extensive than previously known fragments.

The question of whether the leak will have bad consequences for users who are still using Windows XP or Windows Server 2003 does not really arise. Anyone who dragged this software into 2020 should be aware of the immense danger.

But what about current Windows versions? Windows XP and Windows 10 code bases certainly overlap. Microsoft has not reinvented the wheel a million times and many lines of code may have made it from the 1990s (as indicated by copyright notices in the code) to Windows 10.

The code is hardly usable for attacking central protocols. For example, looking at the code for SMB, a popular gateway into Windows, is completely uninteresting. The successor SMB 2 came with Windows Vista; today SMB 3 is the standard. Microsoft keeps discouraging the use of SMB 1 and refuses to fix SMB 1. According to Microsoft, it is inherently insecure.

Many open source supporters note that the security of an operating system should not depend on the code remaining secret. However, Windows cannot be compared with open-source software such as the Linux kernel. With Linux, security researchers and attackers have been able to take small pieces of the new code and analyze them for almost 30 years.

An abrupt release of the Windows code, on the other hand, could, it is feared, result in a race in which Microsoft could only ever react and would have to bring new patches onto the market every month. Above all, the code could serve as an inspiration for secret services and commercial providers of attacks: anyone who is specifically looking for gaps might find in the code the decisive clue that was previously missing with pure reverse engineering.

One argument against such a race is that the target groups mentioned did not have to wait until the Windows leak in October 2020. In order to see and analyze the code in the last few decades, you didn’t even have to apply for a job as a developer at Microsoft. There were quite legal options before the leak: Microsoft offers access to its code as part of the “Shared Source Initiative”. Corporate customers (from 10,000 Windows licenses) can apply for the program, for example. There are similar programs for large OEM PC manufacturers, MVPs and manufacturers of embedded systems, as well as for government officials who need to assess the software with regard to security and data protection, for example. Since 2003 they can apply for the “Government Security Program” (GSP).

The secret services may have gone this way as well. The code is offered for reading in the browser; you can also link the view to the Microsoft development environment Visual Studio and then follow how the Windows code interacts with your own applications. There are strict conditions attached to all these offers. Among other things, participants are committed to secrecy.

The existence of these offers can reassure all those who are afraid that the secret services will use the leaked Windows XP code right now to develop exploits for current Windows versions and that these will be used en masse in the near future. If knowledge of the code were helpful in designing attacks, these agencies would have had ample opportunities to look at it over the past few years.

The major security disaster for Windows 10 is unlikely to happen. The group of authorized code readers has simply been too large for that in the last 18 years.
