“It makes the sources potentially more available to crackers, and that has security issues – but I don’t think that is anything really new,” Linux founder Linus Torvalds told ChannelWeb. “At most, it just makes it easier for a bored teenager to find the thing. It may make some people realize that the protection of proprietary shrouded source code really isn’t a protection at all. It’s just a guarantee that the code doesn’t get any good outside code review.”
The code leak comes as Microsoft is under fire from leading security companies for tardiness in fixing existing Windows security vulnerabilities. The company took more than six months to release a patch for a buffer overflow affecting applications using the ASN.1 protocol to exchange information with Windows – including security-related apps using SSL certificates and Kerberos encryption.
If the source code leak exposes new security weaknesses, it could again test the relations between Microsoft and the security research community. In recent years Microsoft has gained improved cooperation in keeping security holes under wraps until a patch is available. If security professionals believe Microsoft is unwilling or unable to respond promptly to reported vulnerabilities, they’re more likely to publish information about exploits, a scenario played out in December when a spoofing bug in Internet Explorer was published. It took Microsoft six weeks to publish a fix, leaving IE users more susceptible to bank card phishing scams in the interim.
Conceivably, with some source now publicly available, security researchers and other interested third parties may start creating and distributing their own patches, which will in turn raise some hard questions for users as to whether they are more at risk installing a third-party patch or waiting, unpatched, for the official solution.