Microsoft on security and code leak

Microsoft has talked up its new security initiatives and products, including its bounty initiative, yet executives in Sydney today admitted the recent code leak showed the company's own system was “brittle”.

During a panel session at the Microsoft Security Summit, iTnews asked Microsoft executives about efforts to beef up its own internal security policies, in light of the recent leak of protected Windows source code to several peer to peer sites.

Executives said the leak was not the result of any breach of Microsoft's corporate network or internal security, nor was it related to Microsoft's Shared Source program which enabled its customers, partners and governments to legally access Microsoft source code.

“An individual within a partner company perpetrated this, we understand,” said Greg Stone, head of Microsoft's enterprise technology group. Stone did not name the partner company, but said the company was unaware of this individual's activities and was now “working closely” with Microsoft.

Critics have claimed that Microsoft, by opening its source code to an increasingly large portion of the public in recent years through its Shared Source program, had opened itself up to this sort of risk. Over the past three years, around 2,000 organisations, such as corporate businesses, educational institutions, hardware and software development partners, and even individuals, had gained limited-rights access to the source code for various Windows versions.

“Any security expert will agree, there's always a trade off between how secure you make a system and how accessible you make it. Obviously [in this case] there was a breakdown in security, and we will be looking for a less brittle system,” Stone said.

“The leak is an illegal act. The act of downloading and looking at it is also illegal,” Microsoft's director of security, George Stathakopoulos said.

To stem the leak, Microsoft has sent letters explaining to individuals who had already downloaded the source code that such actions were in violation of the law. Microsoft had approached ISPs, search engines and peer-to-peer clients to post alerts to inform any user who conducted specific searches on these networks for the code that downloading it was illegal. The vendor also reaffirmed its ongoing commitment to its bounty initiative.

“Everytime someone puts our customers at risk, we will respond appropriately with a bounty,” Stathakopoulos said.

At the Summit in Sydney today, Microsoft also announced security improvements to its pending products including Windows XP Service Pack 2, Microsoft Internet Security and Acceleration Server 2004 and Windows Server 2003 Service Pack 1. In addition, Microsoft said it is making investments in the areas of cryptography, digital watermarking, hardware integration and authentication.