Mainsoft Eyed as Windows Source Code Leak

UPDATE:
Over half a million developers currently have at least some access to
Microsoft source code. As Microsoft searches for sources of the illicit release of parts of its Windows 2000 and NT4 operating system code, its gaze may fall heavily upon those developers.

In that regard, Web site BetaNews.com reported Friday that the leaked Windows 2000 code came from Mainsoft, a San Jose, Calif.-based strategic software partner of Microsoft. The report said the leaked code includes 30,915 files and was apparently removed from a Linux computer used by Mainsoft for development purposes.

“References to MainWin can also be found throughout the leaked source files, which do not compile into a usable form of Windows,” the BetaNews report said.

Russ Cooper, security consultant and editor of the NT Bugtraq list, said it would be very surprising if the code leak resulted in any significant new risk. “Given how hard people have pounded away at the binaries in the past, pouring over 55,000 source files to find something new in old versions will likely/hopefully be a very unfulfilling task,” Cooper said in a note to the Bugtraq list.

According to Cooper, the chunks of code specifically related to Windows NT 4.0 SP3, all relating to NT 4.0 Server except IIS (Internet Information Server), Microsoft’s Web server. It includes some code for Internet Explorer version 4. Another 338MB download that was in circulation on Internet sites was a small subset of Windows 2000 SP1 (service pack 1). He said the Windows 2000 code contains three references to Mainsoft.

Microsoft spokesman Tom Pilla had no comment on the BetaNews report about Mainsoft. But he stressed that the code leak did not come from within Microsoft itself. “It’s fairly clear that this was not shown to be any breach of the Microsoft corporate network or Microsoft internal security,” Pilla told internetnews.com.

The development comes on the heels of Microsoft’s confirmation Thursday that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet.

Regarding efforts to determine the source of the leak, Pilla told internetnews.com: “We’re obviously involved in an ongoing
investigation that involves the appropriate law enforcement authorities.”
However, the leak did not come from within Microsoft itself, he added.

The company said Thursday there was no known impact on customers and that it is monitoring the situation.

Pilla noted that only some of OS code base was at issue. “It was portions of
Windows 2000 and Windows NT,” he said, though he couldn’t characterize the
size of those portions. He emphasized that the newer operating systems–Windows XP and Windows Server 2003-were not impacted.

In a statement to internetnews.com, Mike Gullard, chairman of the board of Mainsoft, said the company “has been a Microsoft partner since 1994, when we first entered a source code licensing agreement with Microsoft. Mainsoft takes Microsoft’s and all our customers’ security matters seriously, and we recognize the gravity of the situation. We will cooperate fully with Microsoft and all authorities in their investigation. We are unable to issue any further statement or answer questions until we have more information.”

Mainsoft has “unique and extensive licensing agreements,” with Microsoft. As a result, “Mainsoft has unprecedented access to Microsoft Windows source code enabling the industry’s highest level of Windows compliancy on Unix.”

Microsoft’s OS code is made available under the company’s Shared Source Initiative. Under the program, Microsoft has long provided A-list customers with access to Windows source code, as a means of supporting those customers’ efforts to build Windows applications and hardware.

Microsoft has several legs of its Shared Source Initiative which could be potential sources for the breach. These include separate enterprise, OEM and systems-integrator programs that spread source code around the software community.

Under the enterprise program, Microsoft allows eligible enterprise customers access to Microsoft Windows source code for internal development and support purposes, including debugging. According to a Microsoft statement on its Web site, this “enables customers to develop and support their internally deployed applications and solutions that run on the Windows platform.”

Under its OEM source-licensing program, Microsoft allows eligible OEM customers access to Windows source code as a reference to help them in the development and end-user support of hardware (computers and peripherals) which run or connect to Windows.

Microsoft’s shared source program currently servers more than 650,000 developers, according to the developer site windowsfordevices.com. This is the aggregate total for all developers, who variously have been given a peek at source code from Windows 2000, Windows XP, Windows Server 2003, and Microsoft’s embedded CE operating systems.

Many of these developers are members of Microsoft’s Most Valuable
Professional, or MVP, program. The program provides important developers with insider access to Microsoft technology, in a bid to help Redmond promulgate the Windows platform.

In addition to OS code, Microsoft has also made public other parts of its software platforms. In 2002, Microsoft released source for its ECMA Common Language Infrastructure (CLI) and C# standards through its Shared Source Initiative (SSI).

And as part of a plan to woo student developers, Microsoft last year released Visual Studio .NET 2003 Academic Edition to U.S. schools in conjunction with professional versions of the development environment. Additionally, the source code for a number of environment’s components will be made available under Microsoft’s Shared Source Initiative through an Academic Tools Source License.