The hacker attacks that Microsoft Corp. confirmed Friday may be much worse than the company publicly acknowledges, and they possibly expose security holes that should have long been plugged, observers say.
While admitting its corporate networks fell prey to a hacker attack, Microsoft denies reports that intruders accessed source code for its major operating system products Microsoft released a statement Friday saying hackers did not actually steal Windows code.
“This situation appears to be much narrower than originally reported,” Microsoft says in its statement. “Our investigation shows no evidence that the intruder gained access to the source code for our major products, such as Windows Me, Windows 2000, or Office.”
Microsoft does say the hacker or hackers could “view source code under development for a future product,” but that the perpetrator did not modify or corrupt that code.
Microsoft’s statement is nothing more than an attempt to diminish its embarrassment, says Jeffrey Tarter, editor and publisher of Softletter.
“The day I believe Microsoft PR statements is the day I’ll believe Clinton on his sex life,” Tarter says. “Once a hacker opens a file, I don’t think there’s any way Microsoft could know whether the code was downloaded or what had been done to it.”
While Windows source code would clearly be a valuable steal, it is unclear what kind of damage, other than illegal distribution, would result from this particular hack.
Initial reports say the hacked information was sent to a site in Russia. Programmers there could conceivably use the code to distribute illegal copies of Windows, but “most likely the hackers will just do mischief with it like posting the source code on bulletin boards,” Tartar says.
While Microsoft says it is confident “the integrity of its intellectual property remains secure,” the fact that anyone could hack into the networks of the world’s largest software company says something about Microsoft’s attitude toward security, Tartar adds.
“Any network has vulnerabilities, but it should not have been possible for a hacker–no matter how good–to get at source code, Microsoft’s most valuable asset,” Tarter says.
“The interesting question is whether the hackers did mess around with any files,” he adds. “It’d be a wonderful excuse for bugs Microsoft could use for the next two or three years.”
And if Windows source code appears on Web bulletin boards and chat rooms, so much the better, according to Tarter. “Putting Windows out in the open might have some benefit to Microsoft, as programmers might look at it and suggest ways it could be better,” he says.
Security experts say if Microsoft suspects a hacker could have manipulated source code, the company would have to painstakingly check code against changes logged by authorized programmers–a process that could take months.
The source code for Microsoft programs like the Windows operating system is under more or less constant modification by Microsoft’s team, as it looks for errors and work on upgrades, says Russ Cooper, the moderator for an online forum for computer security, NTBugTraq.
Changes in source code would have a ripple effect, he notes. “It’s not like the copy of Windows you buy on a CD-ROM in the store,” he says. “What if I make a change in Windows Me that will be shipped to consumers with a ‘back door,’ so I can break into their systems? The possibilities are endless.”
The hackers appeared to have accessed Microsoft computers by the QAZ Trojan, typically delivered via e-mail, according to an unnamed source cited by the Wall Street Journal.
But Cooper doubts the QAZ program alone could enable access.
“The claim that the QAZ Trojan caused this is highly doubtful,” he says. The QAZ program can identify a PC’s IP address, so a hacker might establish a connection, he notes. “But in order to do that, I would have to go through Microsoft’s firewall. Out-of-date antivirus software and a broken firewall is highly unlikely.”