This is one Friday 13th that Microsoft won’t forget. It was caught out yesterday afternoon when 600MB of its closely-guarded Windows source code suddenly appeared online and was rapidly disseminated across the globe.
It is telling that the first questions asked and first answers given regarding the leak centered on security. Will hackers find a way into the 95 percent of PCs currently running Windows? Does this provide answers about how Microsoft security works?
It was also hardly surprising that security would be top of the list though, coming as it does at the end of one of the worst weeks Microsoft has ever faced.
News that a major hole in a common Windows component, ASN.1, could give someone complete control of your computer made the mainstream news headlines. Microsoft insisted that everyone download a patch as soon as possible.
Just a few days earlier, the software giant had again stepped outside its self-imposed monthly security updates to insist everyone download a patch for its Explorer Web browser. Without it, the browser could be made to go to one website yet tell the user that they were at another. This trick had already been used in a variety of scams in which people were defrauded.
At the same time, another bug meant the Explorer could be fooled into thinking files were something they weren’t. Someone trying to download a harmless text or pdf files could end up with a crippling virus or worm, and Explorer was complicit in the crime.
Those that dug a little further in each case were further shocked by another fact - Microsoft has known about these critical holes for some time and had taken ages to get them fixed. The ASN.1 problem had been reported to the software giant an incredible seven months earlier. The Explorer hole was at least two months old. The Explorer file problem - which remains unfixed - was discovered several years ago!
And then there were the worms that took advantage of holes in Windows. Blaster caused worldwide headaches, for businesses and individuals alike, and continues to do so for anyone that hasn’t patched their system. Then MyDoom tore through PCs, creating havoc for a few days and bringing down websites in its wake. Variants of it are continuing to create problems.
In each case however, Microsoft has felt secure in the knowledge that there was little real danger because its operating system’s source code was locked firmly away. It could take its time and if questioned about apparent delays deliver the same line about having to make sure that the patch worked smoothly and did not disrupt Windows. It is an extremely complex program, Microsoft smoothly assures, and fixing holes is a complicated business.
Well, with a good percentage of Windows NT - the foundation of XP - out there in the open, we shall shortly know just how complex it is. It will come down one of two ways: either Microsoft is appallingly slow at creating patches or the Windows source code is a scrappy mish-mash. Neither will help the company in its desperate bid to persuade people that Windows - and Microsoft products - are safe and secure.
The fact that all these security problems, and the source code leak, come in such a short period of time is no coincidence. Microsoft’s monopolistic existence is under threat from another operating system, one whose source code is freely available and which exists at the opposite end of the spectrum - Linux.
Linux eats at the very heart of Microsoft’s cash-cow - OS licences. And so the company embarked on a spoiling operation. First of all though it needed to address the perceived faults in Windows; the most significant of which was security.
There are many explanations as to how Microsoft managed to seize control of the market for computer operating systems, but one of them was the company’s willingness to put strategy before quality. By pushing the right software out there at the right time, it could wrong foot its competitors. By spending less time than others testing, checking and rechecking its code, not only could it move faster but also produce new software cheaper. It was a winning combination but one that resulted in a disproportionate number of bugs.
At the time, the bugs were an irritation but not seen as anything major. However, as Microsoft became more powerful by bullying and squeezing everyone else in the computer industry; as technology meant data could be sent to anyone in the world at increasing speeds; as computers began to link into an open international network - the Internet; and as Windows became the de facto computer system, the bugs (famously held out as features by Microsoft whenever it was tackled on the issue) became security holes.
Now vital information, vital services were stored and run by computers. A bug had huge implications and Microsoft with its less-than-perfectionist culture just couldn’t stop producing them. And so Bill Gates - as much for his own staff’s benefit than the wider market - embarked on a “trustworthy computing” campaign which told everyone that you could be secure in the knowledge that Microsoft knew about security.
This all worked fabulously well. Holes kept appearing but people as a whole bought the line and believed that Microsoft really was doing a good job. Its mistake though - and one that has now backfired spectacularly - was to go on the attack.
It couldn’t help it - Microsoft is a carnivore. It shoots first and asks questions later. And so it was only natural that with Linux continuing to make big play about how its security (among other things) was better than Windows’, that Microsoft would start laying into the very things held up as reasons to ditch Windows.
The trouble is, Linux’s security is superior to Windows’. Not only that but thanks to the open-source movement, there are now thousands of programmers out there that understand the basics of operating systems. Microsoft’s hunting bugle was also the signal for open source advocates to charge Windows.
And so, for the past few weeks, we have had the faintly ridiculous situation where Microsoft execs appear confidently informing everyone that Windows and Explorer, and other MS kit, are as safe as houses, while at the same time the company has had to release emergency patches for holes that undermine the entire software.
Microsoft has used its clout to make security a consumer issue. Now it has come back to bite it firmly on the arse. It is unthinkable that the TV news would have covered computer security issues just a year ago. But now, thanks to trustworthy computing and the like, average Joe is being informed about such matters as source code and vulnerabilities and spoofing and worms.
What is most ironic is that the appearance of Windows source code on the Net is of little real significance. Those capable of understanding what it all means probably know most of it already thanks to the sharing programme imposed on Microsoft following its anti-trust trial in the US.
The idea of the source code being somehow super-secret is a perception that Microsoft has created and used for its own ends. Now, however, its leak will have millions of customers that understand very little about computers, nor want to, fretting that their computer is about to be taken over by evil hackers intent on deleting their family photos from their hard disk. They will know that Windows is to blame and they will hear that there is an alternative called Linux.
Has Microsoft become the architect of its own downfall?
Find your next job with techworld jobs