Microsoft recently experienced a serious loss of nope. Nope was leaked on the Internet, and we’re all going to get hacked as a result. The following chart depicts the hyperbole in grey. It’s hand drawn so that the red portion (actual source code) can be seen with the naked eye. Otherwise, it probably wouldn’t be visible.
Being (only slightly) more serious, a rumor that Windows source code was leaked was published and quickly started making the rounds on social media and in other publications. This isn’t the first time this has happened.
Adding to potential hysteria, the reported size of the leak was 32 terabytes. You can fit a lot of potential source code into 32TB, considering the average Windows 10 install still uses less than 10GB. This is where things start getting fuzzy, and this begins to sound more and more like a non-story.
Allegedly, only a small portion of the leak was source code, and even then — it is source that is broadly shared with partners. A file/directory map of the files leaked was anonymously published. After some spot checking, I can verify that I’m not finding any of the more unique file names anywhere else on the Internet or in my own archive of leaks and various (LEGAL) repositories I’ve collected over the years.
Clearly, this isn’t the source code for Windows 10 or any significant portion of Windows 10. For argument’s sake, let’s say this leak was more significant. Why are we getting so worked up over it? The primary reason is the fear that access to the source code will lead to the discovery of new vulnerabilities. Following the logic, new vulns lead to the creation of new zero day exploits, like the ETERNALBLUE exploit created by the NSA and used by the WannaCry ransomware last month.
As previously mentioned, this isn’t the first time some of Microsoft’s proprietary source code got misplaced. The last time was in early 2004, when bits of NT4 and Windows 2000 were accidentally leaked by a partner. Notably, this source code leak did lead to at least one new exploit, lending a small amount of validation to the fear behind making source code publicly visible.
So why does code keep getting leaked? Microsoft shares source code with a number of close partners and large enterprise customers through its Shared Source Initiative. With the amount of products that leverage Windows and hook into the operating system, the need for a shared source code program is unavoidable. Naturally, the more people with access to the source code, the greater the chance of it being misused, abused or misplaced.
Leaked Code: Unlikely source for the next ETERNALBLUE
This is the question — why should we care that Windows source code was leaked? Honestly, I think the biggest threat is for Microsoft to worry about: piracy and IP theft. Customers of Windows have little reason for concern. After all, consider that Linux has always been open source. Solaris was made open source in the mid-2000s. Part of Mac OSX, Darwin, is open source. Large chunks of Google’s Android, Chrome and ChromeOS are open source.
It simply isn’t a big deal.
Occasionally you can open up some source code, browse through and say “A-ha! Found a vulnerability!” The Solaris telnet ‘-fuser’ vulnerability was as simple and critical as they come, and yet remained undiscovered for years. Finding vulnerabilities isn’t always as simple as visually scanning source code or doing a keyword search for insecure methods and common mistakes. An expert could be looking right at an issue and not realize it. Ultimately, the code needs to be fuzzed and tested to find many vulnerabilities. Reviewing source code can definitely help, but it isn’t the silver bullet to finding vulnerabilities that the media seems to make it out to be.
The defender shouldn’t care
Regardless, the defender has nothing to worry about from a source code leak that they don’t already have to worry about without the leak. A vulnerability discovered from looking at source code is no more a threat than a vulnerability discovered by fuzzing.
Before effective defense: chop wood, carry water.
After effective defense: chop wood, carry water.
The journalist’s dilemma
Grab the scoop, or wait for accurate information?
It’s a tough decision, and unfortunately, most are incentivized to release as soon as possible, leading to horribly inaccurate stories like this one from Business Insider:
Hackers leaked 32 terabytes of secret Windows 10 code sounds astoundingly bad. Further on, “The leak… includes both the Windows 10 source code and other code…”. Turns out, only 1.2GB of this ‘leak’ was source code. That’s comes out to 0.004% of a leak that mostly wasn’t a leak in the first place.
In the weeks following the incident with leaked Windows code in 2004, The Register concluded that there was nothing to get excited about after all. I wouldn’t be surprised to see a very similar article from El Reg in a week or two.
This is a Security Bloggers Network syndicated blog post authored by Adrian Sanabria. Read the original post at: Savage Security Blog - Medium