Exploit Based On Leaked Windows Code Released 952

mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"

  • Is it good or bad (Score:1, Interesting)

    by PhilippeT ( 697931 ) <philippet@gma[ ]com ['il.' in gap]> on Monday February 16, 2004 @01:45PM (#8295387)
    that the source was released? In a way it's good: bugs will be identified. In another it's bad: bugs will be exploited way faster.
  • Wouldn't it be interesting to see the patch come out later today, from an anonymous source!
  • And counting (Score:5, Interesting)

    by millahtime ( 710421 ) on Monday February 16, 2004 @01:45PM (#8295397) Homepage Journal
    So, what is this... like the 10,000th IE security hole reported in the last couple of years. Why write another IE virus? Is there really any challenge left?
  • by MicroBerto ( 91055 ) on Monday February 16, 2004 @01:46PM (#8295413)
    IF this is true, the release of the source is the nail in the coffin for Microsoft.

    An exploit this quick? There's going to be some serious happenings going on at Microsoft. Also look for another Longhorn delay sometime due to everything that is found out.

    I'm not sure what to think. I'm not happy that when I get back to work this summer, I'm going to spend way too much time fighting these problems/viruses and patching things up. I'm not happy businesses are losing money. I am, however, happy that Microsoft is forced to clean up their act even more, or they are going to lose market share.

    Open source isn't 'communistic' -- it's capitalistic. Why? It increases competition.

    We have an interesting 6 months ahead of us, folks.

  • by Jacco de Leeuw ( 4646 ) on Monday February 16, 2004 @01:50PM (#8295493) Homepage
    Kuroshin [kuro5hin.org] has an article about the source code:

    "In short, there is nothing really surprising in this leak. Microsoft does not steal open-source code. Their older code is flaky, their modern code excellent. Their programmers are skilled and enthusiastic. Problems are generally due to a trade-off of current quality against vast hardware, software and backward compatibility."

    But this IE exploit shows that the author was wrong on at least one account:

    "The security risks from this code appear to be low. Microsoft do appear to be checking for buffer overruns in the obvious places. The amount of networking code here is small enough for Microsoft to easily check for any vulnerabilities that might be revealed: it's the big applications that pose more of a risk. This code is also nearly four years old: any obvious problems should be patched by now".

  • by Anonymous Coward on Monday February 16, 2004 @01:51PM (#8295503)
    exactly, it almost seems they intentionally released it so that the crackers can take a crack at finding new exploits so MS can fix them... they seem to understand the benefits of open source, but want to take advantage of it while still keeping things closed.

    or, one of the offshore programmers was stuck trying to fix a bug and posted a question to a board somewhere and put the code up so people could help fix it.

    nyeh.
  • by Anonymous Coward on Monday February 16, 2004 @01:51PM (#8295515)
    If you are running Freenet's unstable branch [freenetproject.org], you can download it from here [127.0.0.1]. It's about 200MB and will take a few hours to download (Freenet is averaging about 30k/sec these days). I grabbed it and it looks like the real thing.
  • by justMichael ( 606509 ) on Monday February 16, 2004 @01:52PM (#8295521) Homepage
    According to my logs 20 - 30%* of the people browsing with IE are still using 5.x.

    I know, UAs get faked all the time...

    * Depends on which site you look at.
  • Tad Sad. (Score:5, Interesting)

    by His name cannot be s ( 16831 ) on Monday February 16, 2004 @01:52PM (#8295525) Journal
    I'm a bit confused.

    I mean, I've been doing C for almost 20 years. One of the first lessons I learned --And not for 'security' so much as crash free programs-- was not to do such things.

    I mean, holy crap, it's too damn simple to see the bug. What kind of idiots do they have working at MS?

    "The Very Best Kind" :p
  • by mattdm ( 1931 ) on Monday February 16, 2004 @01:53PM (#8295540) Homepage
    That's exactly the point -- it's impossible to keep source code secret, as this proves.
  • by hawkestein ( 41151 ) on Monday February 16, 2004 @01:54PM (#8295547)
    How would you know whether or not to trust it? It's not like the patch could be released as source, is it? Not all of us have the code.
  • by orthogonal ( 588627 ) on Monday February 16, 2004 @01:55PM (#8295576) Journal
    Oops... we just gave MS a chance to say keeping the source secret keeps flaws like this secret as well. :)

    And you guys moderated this post of mine [slashdot.org] funny.

    Bwah-hahah-ha!

    Yeah, Ok, I was trying to be funny, but I guess I underestimated the truly innovative quality of Microsoft's incompetence.

  • by Anonymous Coward on Monday February 16, 2004 @01:56PM (#8295580)
    I haven't looked at the code published in the exploit description. It is MS code and if I had looked all future work by me would be compromised. I will demonstrate in court that I closed my eyes just before looking at the code. I can't tell you what's in there, but there must be some M$ IP.

    You haven't looked, have you?

    Funny thing. I can easily envision people stamping out T-shirts with pieces of the MS Windows source in them. Would I be tainted if I incidentally stumbled across one in the street? Would that person be potentially held liable by all programmers or future programmers he/she meets?
  • Re:Text of advisory (Score:4, Interesting)

    by Bigbowser ( 746397 ) on Monday February 16, 2004 @01:57PM (#8295590) Homepage
    dumbasses..... but doesn't posting that source code there make slashdot liable to microsoft's evil wrath?
  • by Laconian ( 578463 ) on Monday February 16, 2004 @01:57PM (#8295594)
    ..that the "many eyes" tenet of open source really DOES work!
  • by gfecyk ( 117430 ) on Monday February 16, 2004 @01:59PM (#8295622) Homepage Journal
    Also known as: Was this fixed long before the fact? Does IE 5.5 contain this same vulnerability?

    Sticking with Win2K for a moment, IE5.5 is part of SP4. Office 2K SR-1 or later needs IE5.5. Who is still running IE5 (not .5 or any of .5's service packs) that would be vulnerable to this, and are the folks who run 5.5 (sp1/sp2?) for some reason still vulnerable?
  • by 1000101 ( 584896 ) on Monday February 16, 2004 @01:59PM (#8295626)
    "Can the same thing happen to linux? Or do exploit authors prefer windows?"


    IMHO exploit authors prefer windows simply because they want to maximize their impact. Why spend all those hours writing a virus when it will only cause problems for a few percent of the computers out there. I would think they get much more satisfaction when they see "500 million" machines infected on CNN.

  • by Dalcius ( 587481 ) on Monday February 16, 2004 @02:00PM (#8295629)
    I think you'll find that the more 'serious' crackers who aren't interested in harvesting boxes for DDoS purposes will be going after servers. And looking at how many servers run *NIX, Linux is going to be a very popular target, especially since many services are shared.

    With high quality crackers going after Linux boxes, I think either A) somehow nobody outside of the cracker community hears about exploits and companies are keeping quiet when they get hit, or B) OSS really does have an edge.

    I'm more inclined to believe the latter.

    Cheers
  • by Thud457 ( 234763 ) on Monday February 16, 2004 @02:01PM (#8295653) Homepage Journal
    It'd be more interesting if Microsoft accepted the submission of the patch!
  • by DJ Rubbie ( 621940 ) on Monday February 16, 2004 @02:02PM (#8295656) Homepage Journal
    The counterargument(s) to that point is...

    - Since the Linux kernel got started it was open, and it had a lot LESS flaws than Windows during the same time period.
    - With code open to everybody, the credibility of the writers depends on the quality they were assessed at, and so they must write good code.
    - Windows, being closed in nature, can hide their flaws to an extent, until they were opened like so. Still, when it was closed it didn't stop hackers from finding holes.
  • by All_Star25 ( 736597 ) <all.star25NO@SPAMgmail.com> on Monday February 16, 2004 @02:02PM (#8295664) Homepage
    There seems to be an average of at least 1 attack a month on an enemy of open source so far (SCO/MyDoom, M$/source leak). So needless to say, who's next?
  • Source Code (Score:2, Interesting)

    by g0bshiTe ( 596213 ) on Monday February 16, 2004 @02:03PM (#8295672)
    Wow now we get a peak at the much coveted MS source code, that BSODS all day, has a new virus attacking it every week, and generally frustrates users.

    I wonder who will be the first to incorporate this leaked source. Judging by the exploit found, it's no wonder they want to keep the code secret.


    "Bill Gates can't guarantee Windows to work. How can you guarantee me that?" John Crichton
  • Re:What the fuck? (Score:5, Interesting)

    by david.given ( 6740 ) <dg@cowlark.com> on Monday February 16, 2004 @02:03PM (#8295675) Homepage Journal
    In the old days, when I was a young system admin, it was called "Monkey Testing".

    This is moderated as funny... but it's true. You can even get software to automate the process. It just sends random keypresses and mouseclicks to the application under test, very very fast. You leave it running overnight. If your application is still stable the next day, it passed.

    It's scary how many bugs a simple test like this can throw up...

  • Re:Smells (Score:2, Interesting)

    by sk8king ( 573108 ) on Monday February 16, 2004 @02:03PM (#8295684)
    The image file ISN'T running a command. I'm not claiming that I understand the code or what specifically triggers the problem [negative offsets or something], but there is something special about the bitmap image that causes the rendering program to break in such a way that data in the image can be copied into memory and then executed.

    Images are just data and everyone agrees with that, but you can display source code [C, perl whatever] as a bitmap file if you really want to, in numerous ways. Won't look like much, but you can't deny that the code is now a picture. Why can't a picture be formatted in such a way as to be interpreted as code.

    The problem here is the renderer [have I mentioned that already], not the picture.
  • How would you know whether or not to trust it? It's not like the patch could be released as source, is it? Not all of us have the code.
    In the real world, this probably would not be the official patch. But MS would have to decide between using the rogue patch, or writing a patch independently of the publicly-available source. The latter choice means a known vulnerability with a known solution would be in the wild while the vendor looks in the other direction (theoretically) while writing its own patch.

    And then, if this sort of thing happens again in the future, we would want to find out if MS used the rogue patch and claimed to write their own independently. By then, the company will be the equivalent of today's SCO - not really releasing anything of value, but suing people for using some phantom bit of source code that they bought the rights to a few years before.
  • by Anonymous Coward on Monday February 16, 2004 @02:09PM (#8295756)
    As a kernel developer I'm familiar with the number of people who audit stuff put into the Linux kernel. To get a patch approved, you usually need to convince 4 or 5 people that your patch is a good idea. You could get away with 1 (Linus), but the top people are unlikely to consider your patch if it hasn't been approved by their chain of command first. All of those people examine it for functionality, stability and security. The higher level ones usually won't look at it very closely, but I imagine core kernel code gets a lot more attention than device drivers.

    You also post it to the LKML. That has a lot of eyeballs, but most of them aren't familiar with kernel internals and don't do more than glance at patches. If you're lucky (although perhaps lucky isn't the word) you'll get twenty skilled eyeballs looking at and criticizing your code. Most times the number is only two or three, and it can be even fewer.

    If you take an average of ten knowledgeable people examining your code, then I think you can agree that it is plausible that Microsoft has just as thorough a review as critical OSS projects like Linux. Four or five people looking at code before a commit would put it within a factor of two of Linux. The skill of the people doing the audit would be much more important at this stage.

    Once you get a release of Windows code, no one examining it in the general community is knowledgeable about Windows specifics, but it may get a lot of attention from a lot of skilled people, just because of the novelty. I would think that parts of it will be subject to much more scrutiny than Windows or Linux source code usually ever is.
  • Why? (Score:1, Interesting)

    by pair-a-noyd ( 594371 ) on Monday February 16, 2004 @02:10PM (#8295772)
    Why is it that Windows can be exploited so handily by exposing the source code and Linux is so hard to exploit despite its source code being 100% open to everyone on earth??

  • by santos_douglas ( 633335 ) on Monday February 16, 2004 @02:10PM (#8295775) Journal
    Think about it, the conspiracy theorists are right - the leak was on purpose. Call it Phantom Open Sourcing: pretend to leak your buggy source code, lots of programmers look it over and find all sorts of problems for free! All their developers continue working on new products and a few are assigned to make the new updates compliments of the leak. This will be hailed as the most brilliant management cost cutting strategy in history.
  • by Xeth ( 614132 ) on Monday February 16, 2004 @02:10PM (#8295779) Journal
    As long as RedHat and SuSe? Sure, they might not have a stranglehold on the market like they do now, but they'd likely turn a profit.
  • Re:Text of advisory (Score:5, Interesting)

    by AstroDrabb ( 534369 ) on Monday February 16, 2004 @02:12PM (#8295799)
    You are allowed to use copyrighted information to some extent for certain purposes such as educational, parody, etc. You can use a small clip from a song, you can display a paragraph from a book, etc. I doubt anyone would consider showing 10 lines or so of source code out of millions a copyright violation. The grandparent post is obviously for education purposes only : )
  • by Anonymous Coward on Monday February 16, 2004 @02:13PM (#8295808)
    FTE's who will likely be the ones writing the code to replace the bad code found will not get OT. Only the contractors get it, and then it has to be pre-approved (and guess what, if you're a contractor responsible for writing bad code, if they let you keep your job, you sure aint getting OT for fixing your mistake).

    Also, those who code reviewed the offending code and let it through are likely to lose their jobs.

    All in all, heads are going to be chopped on the main campus. Cutler will have to reshuffle his team, and there's a few FTE's sweating right now. :)
  • Re:What the fuck? (Score:3, Interesting)

    by tomstdenis ( 446163 ) <tomstdenis AT gmail DOT com> on Monday February 16, 2004 @02:13PM (#8295816) Homepage
    Which is why you load unsigned values. By "int" I meant "an integer".

    For example, from my LibTomCrypt a macro to load a variable length mp_int [mycrypt_pk.h INPUT_BIGNUM] logic works as follows

    1. inlen == sizeof input
    2. y = 0, current offset

    for all bignums
    1. if y + 4 > inlen return error
    2. load 32-bit unsigned into x, advance by 4
    3. if x+y > inlen return error
    4. load x byte mpint
    5. check if mpint loads correctly.

    [I'm in the middle of doing massive updates to my PK code though...;-)]

    But that's the gist of it. Really simple and since I use macros I only have to work out/code the logic once.

    Tom
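    The length-checked loader Tom describes above, written out as an added example (this is not LibTomCrypt's code or its INPUT_BIGNUM macro; the wire layout of a 4-byte big-endian length followed by that many bytes, the function names, and the "loads correctly" rule are my assumptions for illustration). It also shows, side by side, the point sk8king's post makes about the renderer rather than the picture being the problem: the naive form of step 3, `x + y > inlen`, can wrap in 32-bit arithmetic so that an absurd length passes the check, while the subtraction form cannot.

```c
/*
 * Added example, not LibTomCrypt code: a bounds-checked loader for a sequence
 * of length-prefixed big integers, following the five checks from the post.
 * Assumed layout: 4-byte big-endian length, then that many bytes, repeated.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const unsigned char *bytes; /* points into the caller's input buffer */
    size_t len;
} mpint_view;

/* Step 2: read a 32-bit unsigned length. Caller has verified 4 bytes remain. */
static uint32_t load_u32_be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Step 3 as it is often written, with 32-bit arithmetic: "x + y > inlen".
 * Returns 1 when the length is accepted. A large x wraps the sum, so the
 * check passes when it should fail: the integer-overflow pattern at issue. */
int naive_length_ok(uint32_t x, uint32_t y, uint32_t inlen) {
    return (uint32_t)(x + y) <= inlen;
}

/* Same test without a possible wrap: y <= inlen is kept as an invariant, so
 * inlen - y cannot underflow and x is compared against it directly. */
int safe_length_ok(uint32_t x, uint32_t y, uint32_t inlen) {
    return y <= inlen && x <= inlen - y;
}

/* Step 5 stand-in (assumption): an mpint "loads correctly" when it is
 * non-empty and carries no redundant leading zero byte. */
static int mpint_loads_ok(const mpint_view *v) {
    return v->len > 0 && !(v->len > 1 && v->bytes[0] == 0);
}

/* Load `count` mpints from in[0..inlen). Returns the number loaded, or -1 on
 * truncated or malformed input. Nothing is copied: each view points into
 * `in`, so `in` must outlive `out`. */
int load_mpints(const unsigned char *in, size_t inlen,
                mpint_view *out, size_t count) {
    size_t y = 0;                                  /* current offset; y <= inlen always */
    for (size_t i = 0; i < count; i++) {
        if (inlen - y < 4) return -1;              /* step 1: room for the length */
        uint32_t x = load_u32_be(in + y);          /* step 2: load length, advance */
        y += 4;
        if (x > inlen - y) return -1;              /* step 3: wrap-free form of x + y > inlen */
        out[i].bytes = in + y;                     /* step 4: the mpint's bytes */
        out[i].len = x;
        y += x;                                    /* cannot exceed inlen after step 3 */
        if (!mpint_loads_ok(&out[i])) return -1;   /* step 5: does it load correctly */
    }
    return (int)count;
}

/* Constructed sample inputs. */
static const unsigned char GOOD[]      = { 0,0,0,2, 0x01,0x02,  0,0,0,1, 0x07 }; /* two mpints */
static const unsigned char TRUNCATED[] = { 0,0,0,5, 0x01,0x02 };                 /* claims 5 bytes, has 2 */
static const unsigned char HUGE_LEN[]  = { 0xFF,0xFF,0xFF,0xFE, 0x01,0x02 };     /* wraps a naive sum */

int demo_good(void)      { mpint_view v[2]; return load_mpints(GOOD, sizeof GOOD, v, 2); }
int demo_truncated(void) { mpint_view v[1]; return load_mpints(TRUNCATED, sizeof TRUNCATED, v, 1); }
int demo_huge(void)      { mpint_view v[1]; return load_mpints(HUGE_LEN, sizeof HUGE_LEN, v, 1); }

int main(void) {
    printf("good: %d, truncated: %d, huge length: %d\n",
           demo_good(), demo_truncated(), demo_huge());
    /* x = 0xFFFFFFFE, y = 4, inlen = 6: the naive sum wraps to 2 and is accepted. */
    printf("naive check: %d, safe check: %d\n",
           naive_length_ok(0xFFFFFFFEu, 4, 6), safe_length_ok(0xFFFFFFFEu, 4, 6));
    return 0;
}
```

    The two comparison functions take the same three numbers; only the arithmetic differs. Keeping `y <= inlen` as an invariant is what lets the subtraction form stay correct, which is why the loader advances `y` only after a length has been accepted.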
  • Re:Text of advisory (Score:3, Interesting)

    by SmackCrackandPot ( 641205 ) on Monday February 16, 2004 @02:23PM (#8295912)
    How many people haven't tried writing their own image file read/writers, got a few conditionals wrong and written out a dodgy image file that crashes their own applications, the PC, let alone the desktop.

    Given Windows XP's ability to display thumbnail views of JPG's, TIF's and MPG's (even though it can display the first frame of MPG-2, but not actually play the movie), there could be some serious fun to be had there...
  • they use GOTO? (Score:2, Interesting)

    by Anonymous Coward on Monday February 16, 2004 @02:25PM (#8295940)
    if (!Read(abDummy, cbSkip))
    goto Cleanup;

    My god... I thought this was one thing they taught us not to do in school. But here it is in Windows! My god, don't they screen for these things at the interview?
  • by schmaltz ( 70977 ) on Monday February 16, 2004 @02:26PM (#8295950)
    Is that what you meant to say? :) It's plain from this first exploit that basic coding security precautions are not being followed (or retroactively applied) at Microsoft.

    I'm bracing for the coming flood of exploits. The OSS community may prove themselves honorable and pitch in to help, but it's the script kiddies, and those whose moral compass is broke, that I'm worried about.
  • by Serveert ( 102805 ) on Monday February 16, 2004 @02:27PM (#8295956)
    Or, you can say that it's impossible to keep the source closed up in today's world of outsourcing, irate employees and whatnot. So the best way to adapt is to keep it open so there are no surprises. ;)
  • Re:Text of advisory (Score:4, Interesting)

    by adrianbaugh ( 696007 ) on Monday February 16, 2004 @02:27PM (#8295961) Homepage Journal
    Ah, OK. Is there any well-defined point at which it ceases to be a trade secret (on account of everyone and his dog having a copy[0])?
    Also, is it slashdot, the comment poster, or both, who is screwed?

    [0] Note: I don't have a copy.
  • by Anonymous Coward on Monday February 16, 2004 @02:30PM (#8295992)
    Now, IE6, which is not at risk, has far surpassed the at-risk version in usage.

    References, please. I know of some companies that will NOT move to IE 6.0 because of increased vulnerabilities that do not exist in 5.0 or 5.5. I myself have had bad experiences with IE 6.0. Where did you get your facts?
  • by malfunct ( 120790 ) on Monday February 16, 2004 @02:32PM (#8296005) Homepage

    These "easy to find" bugs were probably fixed in the huge code audit that MS did as part of their security initiative that happened AFTER the date of the leaked code.

    Not to say your point isn't valid, just that the real question is how do you get more intelligent eyes reading the code looking for this stuff. OSS isn't necessarily better, it's just that highly popular projects have lots of eyes. I know plenty of projects that get far fewer eyes and have TONS of bugs. Now that MS is being forced to be secure they are having lots of eyes so we will see in longhorn if this improved anything.

    I will say this, it's easier to trust something that you can look through yourself, it may not be safer but you like it better because if you wanted you could see what was wrong. It's like driving a car vs riding with someone. You are often more at ease when you are behind the wheel because you can see/make/correct the mistakes whereas with another person driving you just have to trust. It has nothing to do with which driver is better.

    I will say that linux and apache are just great projects with hordes of great developers. It's a testament to the possibilities of the open source model, but it's not proof that the model is better. There are plenty of OSS projects that just suck, and those don't show me that the model is broken.

    Finally I will say there isn't the same incentive to make perfect code in a corporation that there is in the OSS community. The corporation is only going to do enough to get the money rolling in because the money is the reward. The OSS programmer is going to write to the very best of his ability because the code itself is the reward. Still doesn't make one model necessarily better than the other. The way we will make microsoft improve its products is quit upgrading until they can prove they have a superior product. It seems from the press releases that the pressure of Linux may actually be forcing MS to improve.

  • by glk572 ( 599902 ) on Monday February 16, 2004 @02:32PM (#8296010) Homepage Journal
    check out http://www.dcs.ed.ac.uk/home/mxr/gfx/2d-hi.html lots of good info on 2d formats, tiff is a good read, bmp is a pretty shitty format anyway. As for why it's upside down, why not?
  • by Serveert ( 102805 ) on Monday February 16, 2004 @02:33PM (#8296022)
    Or, you can say that keeping the source locked down is impossible these days given irate employees and outsourcing.
  • by El ( 94934 ) on Monday February 16, 2004 @02:34PM (#8296038)
    More importantly, what would be Microsoft's reaction if you sent them a note saying "By the way, do you guys know there is a buffer overflow problem in IE5?"


    My guess is they would say "We don't support IE5 anymore. Upgrade to IE6SP1". Followed by legal action against you for disclosing M$ trade secrets.

  • by Anonymous Coward on Monday February 16, 2004 @02:39PM (#8296095)
    Consider this. MS leaks the code through a vendor of a previous version intentionally. There are two benefits:

    1. proper QA is done right, as only open source can allow (they get the benefit of QA that only the dynamics of open source allows, all without acknowledging open source has a superior model in this aspect)

    2. they can push XP as a superior OS, and get more users to upgrade to XP and drop 2000/NT

    Does anybody else see this?
  • by inode_buddha ( 576844 ) on Monday February 16, 2004 @02:41PM (#8296121) Journal
    It's got to be interesting to run over the whole thing with something like valgrind [kde.org]. Not that I'm going to try, nor do I want a copy of their code anywhere near me.
  • by Karth ( 14680 ) on Monday February 16, 2004 @02:52PM (#8296243)
    Well, the question here is not whether it's been fixed in IE 6, it's whether it's been fixed in IE 5.5. Anyone with Windows 98SE down cannot upgrade to IE6. It won't run on 98SE or below, where IE 5.5 can.

  • Re:What the fuck? (Score:4, Interesting)

    by alannon ( 54117 ) on Monday February 16, 2004 @02:56PM (#8296276)
    There are also no exposed pointers in Java, thus no way to clobber the stack by writing to a negative array offset, as in this exploit. Reading or writing to a negative array offset in Java will result in a RuntimeException of some sort. Buffer overflows are also impossible in Java, since writing off the end of an array will result in a similar exception.
  • Re:huh (Score:1, Interesting)

    by Anonymous Coward on Monday February 16, 2004 @02:57PM (#8296286)
    The point is that this guy was downright irresponsible and should be treated as such.


    Both parties are irresponsible. Microsoft is notorious for doing nothing about security holes which are pointed out to them. Their inaction leads to people bypassing Microsoft altogether and just posting exploits in an attempt to force the matter. DOJ is supposed to go after Microsoft when they sit on their ass instead of fixing security holes, but we've all seen how well that has worked out.


    The "good citizen" thing to do would be to contact Microsoft, inform them of the security hole, the sample exploit and a patch. But, since this is taken from illegally obtained source code I doubt the author wants to risk it. In the end, this is just the result of Microsoft treating security problems as PR problems.

    My bet is that if they do anything at all about this, Microsoft will simply bitch. As is typical with Microsoft, a security hole is just another PR issue -- in this case an opportunity to spread Open Source FUD. It will still take Microsoft forever to patch this, despite having exploit code, identification of the hole and an obvious means to correct the problem.

  • by Jacco de Leeuw ( 4646 ) on Monday February 16, 2004 @02:58PM (#8296293) Homepage
    Well, the author wrote: "The security risks from this code appear to be low. Microsoft do appear to be checking for buffer overruns in the obvious places". I found that a bit ironic because the next day an exploit was found.

    Although an exploit was found, the security risk is low. That's probably true, because most people have upgraded from IE 5.x to 6.x or some other browser.

    Still, I just checked the stats on a webpage about a moderately advanced security topic that I recently made. It turns out that almost 5% of the visitors use IE 5.x. Yikes...

  • Palm does too (Score:3, Interesting)

    by PetoskeyGuy ( 648788 ) on Monday February 16, 2004 @03:04PM (#8296339)
    Part of obtaining Palm Certification for your software involves surviving the Gremlins. You can't use the Palm logo on your program without it. It's even built into their emulator right on the menu. And yes you find some weird shit.
  • by imnoteddy ( 568836 ) on Monday February 16, 2004 @03:04PM (#8296343)
    What evidence do you have that this bug was not found until the code was leaked?

    I worked at MS once (hated it, quit) and the bug tracking system had a category of "won't fix" bugs - bugs they knew about but had no intention of fixing.

  • by grozzie2 ( 698656 ) on Monday February 16, 2004 @03:06PM (#8296360)
    By the way, does anyone know why the bitmap format is written upside down?

    This is really easy. Back in the good old days, when developers measured memory in kilobytes rather than megabytes, and cpu speeds were expressed in single digit mhz rather than single digit ghz, performance was a BIG issue. The layout of the data inside a bitmap was set up to mimic the memory layout of a video card, so that you could literally just copy the data with no transforms.

    Over time, video memory layouts changed, computers got faster, and now have more on cpu cache than they used to have memory. The rage in software development has come full circle. Instead of trying to optimize things to see how efficient they can be written, it seems to be a goal to see how much overhead one can put into a given application before it actually starts to do something useful. Some things tho seem to be trapped in their legacy heritage, and the format of a bitmap is one of them.

  • by KReilly ( 660988 ) on Monday February 16, 2004 @03:09PM (#8296393)
    But I think the point is that it was leaked. That nobody can keep an eye on their code if it is used this widely. If the code had been under public scrutiny since day one, more flaws would be found, but the overall code would be stronger, not weaker. This is why everyone can complain about tons of holes in linux, but miss the fact that just as many (if not more) exist in windows, and it's just a matter of time before they get found out. With Linux, you have to take the attitude, the sooner, the better.
  • by tugrul ( 750 ) on Monday February 16, 2004 @03:13PM (#8296425)
    Monkey Lives [folklore.org]
  • by Cramer ( 69040 ) on Monday February 16, 2004 @03:15PM (#8296458) Homepage
    /me whistles innocently...

    [cramer:ttyp1]dominion:~/[1:38pm]:uname -a
    Linux dominion 2.3.42-SMP #11 SMP Sun Feb 6 20:06:02 EST 2000 i686
    [cramer:ttyp1]dominion:~/[1:38pm]:cat /etc/redhat-release
    release 4.1 (Vanderbilt)

    [ttyp0]foobar:~/[2:46pm]:uname -a
    Linux foobar 2.3.18-SMP #10 SMP Mon Sep 20 17:27:00 EDT 1999 i686 unknown
    [ttyp0]foobar:~/[2:46pm]:cat /etc/redhat-release
    release 5.1 (Manhattan)

    [jfbeam:pts/0]chickenboo:~/[2:11pm]:uname -a
    Linux chickenboo 2.4.2-SMP #1 SMP Tue Feb 27 17:04:47 EST 2001 i686 unknown
    [jfbeam:pts/0]chickenboo:~/[2:11pm]:cat /etc/redhat-release
    Red Hat Linux release 6.2 (Zoot)


    (And no, they are not publicly accessible machines.)
  • by Anonymous Coward on Monday February 16, 2004 @03:22PM (#8296540)
    My logs show that 75% of the traffic to my website are from IE 5. The remaining 25% are IE 6.0 and Mozilla Gecko based browsers.
  • What's your point? (Score:3, Interesting)

    by schmaltz ( 70977 ) on Monday February 16, 2004 @03:52PM (#8296882)
    You don't agree and the idea's old... so what? The idea ain't goin' away... just because it's impossible to prove doesn't mean it's not worth mentioning. Also impossible to determine was who had the greater motivation-

    Microsoft, with a couple hundred million users they really wouldn't mind being compelled to buy their next O/S

    Or some surly hacker who doesn't care if he loses his job?

    Fear is a powerful motivator against the latter... and Microsoft's greed, which has compelled them to illegal market-manipulating tactics in the past, seems the greater force. We haven't seen much response [microsoft.com] from Microsoft about the source leak, yet it may prove to be the 9/11 for the computer business, if virus writers get busy with it.

  • Back doors... (Score:1, Interesting)

    by Anonymous Coward on Monday February 16, 2004 @03:53PM (#8296887)
    It has been mentioned that the leaked source code might reveal some long-suspected back doors... I wonder if these and other unknown vulnerabilities were secretly known to MS and others, and are in fact the back doors?
  • by SoTuA ( 683507 ) on Monday February 16, 2004 @04:02PM (#8296992)

    Upgrading isn't always an option. For example, at work we have a system that relies heavily on specific versions of Apache and Perl. But, the Apache and Perl teams still patch bugs in my "old" versions of the software.

    I don't have this option with MS.

  • by FutureShoks ( 571976 ) on Monday February 16, 2004 @04:08PM (#8297078)
    Does Outlook use this portion of the IE engine to render HTML emails?

    Therefore, if I was to run IE5 and Outlook and was to render a piece of spam with a malicious image, could I be open to attack?
  • by edxwelch ( 600979 ) on Monday February 16, 2004 @04:12PM (#8297127)
    "These "easy to find" bugs were probably fixed in the huge code audit that MS did as part of thier security initiative that happened AFTER the date of the leaked code."
    This is just speculation, besides, if they found a security hole in IE5 it would be their responsibility to publish the fact rather than leave IE5 users out there vulnerable.
  • Re:they use GOTO? (Score:4, Interesting)

    by Lehk228 ( 705449 ) on Monday February 16, 2004 @04:13PM (#8297144) Journal
    honestly i think any programming course should start out using goto for all loops and iterations because it shows much more closely what the CPU actually sees in compiled code. An executable does not have "while" loops, "do while" loops, or "for" loops; it runs a series of instructions, and sometimes one of these instructions will cause it to go to another part of the code if a particular condition is met. goto is the only "loop" a processor understands; all other loops are built from that concept.
  • Re:What the fuck? (Score:2, Interesting)

    by ajna ( 151852 ) on Monday February 16, 2004 @04:38PM (#8297402) Homepage Journal
    In fact I helped code part of this functionality when I interned at Palm, on the Pose project. There was already a Gremlins functionality (along with GremlinHordes, which were Gremlins with different seed conditions) that would send bits of Shakespeare to text entry boxes, click randomly (weighted for actual button locations) and generally wreak havoc for a predetermined number of events. What I helped add was a logging, playback-from-log and minimization routine that would find the minimal subset of the events that would crash the Palm app being tested at the time. Fun stuff, that was. Since Pose/Poser is open source, you can now see my handiwork in file EmMinimize.cpp (or was it EmMinimization.cpp?) in the source distribution. http://www.palmos.com/dev/tools/emulator/#source
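The log-and-minimize idea described in this comment, as an added example that is not code from POSE, Palm or the commenter: a greedy reducer that replays a recorded event log with one event dropped at a time and keeps the drop whenever the crash survives. The event values, the bug model in `demo_crash` and the sample log are all constructed for the demo; a real harness would replay the log into the emulator instead.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example (not POSE code): constructed event identifiers. Values not in
 * this enum (4, 5, 6 below) stand for other harmless UI events. */
enum { EV_TAP = 1, EV_KEY = 2, EV_DELETE = 3, EV_SAVE = 7, EV_RESET = 9 };

typedef int (*crash_fn)(const int *events, size_t n);

/* Constructed bug model standing in for "replay the log into the app":
 * the app crashes when EV_SAVE arrives after an EV_DELETE with no EV_RESET
 * in between. */
int demo_crash(const int *ev, size_t n)
{
    int armed = 0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i] == EV_DELETE)              armed = 1;
        else if (ev[i] == EV_RESET)          armed = 0;
        else if (ev[i] == EV_SAVE && armed)  return 1;
    }
    return 0;
}

/* Reduce a crashing log in place. For each slot, drop the event and replay;
 * keep the drop if the crash survives, otherwise restore the event and move
 * on. The result is 1-minimal: no single remaining event can be removed and
 * still crash. Every replay is counted in *replays. Caller guarantees the
 * full log crashes before calling. */
size_t minimize_events(int *ev, size_t n, crash_fn crashes, size_t *replays)
{
    size_t i = 0;
    while (i < n) {
        int saved = ev[i];
        memmove(&ev[i], &ev[i + 1], (n - 1 - i) * sizeof ev[0]);  /* drop slot i */
        (*replays)++;
        if (crashes(ev, n - 1)) {
            n--;                         /* shorter log still crashes; re-test slot i */
        } else {
            memmove(&ev[i + 1], &ev[i], (n - 1 - i) * sizeof ev[0]);
            ev[i] = saved;               /* event was needed; put it back */
            i++;
        }
    }
    return n;
}

/* Constructed 12-event log. Returns the reduced length, copies the reduced
 * log into out (room for 12 ints) and reports the number of replays used. */
size_t reduce_demo_log(int *out, size_t *replays)
{
    int log[] = { EV_TAP, 5, EV_DELETE, EV_KEY, EV_KEY, EV_SAVE,
                  4, EV_RESET, EV_DELETE, EV_TAP, EV_SAVE, 6 };
    size_t n = sizeof log / sizeof log[0];
    *replays = 0;
    n = minimize_events(log, n, demo_crash, replays);
    memcpy(out, log, n * sizeof log[0]);
    return n;
}

int main(void)
{
    int out[12];
    size_t replays;
    size_t n = reduce_demo_log(out, &replays);
    printf("reduced to %zu events after %zu replays:", n, replays);
    for (size_t i = 0; i < n; i++) printf(" %d", out[i]);
    printf("\n");
    return 0;
}
```

The constructed log reduces from twelve events to the two that actually matter (EV_DELETE followed by EV_SAVE), and the eight events that sat between or around them, including the EV_RESET that only mattered while the first EV_DELETE was still present, are all discarded. Because the pass re-tests the same slot after a successful drop, one left-to-right sweep is enough to reach a 1-minimal log; a delta-debugging style reducer would reach the same result with fewer replays on long logs.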
  • Code Audits (Score:4, Interesting)

    by the eric conspiracy ( 20178 ) on Monday February 16, 2004 @04:41PM (#8297435)
    So the old theory that keeping source code secret will help prevent security attacks has now proven to be invalid, for the reason that you can't be sure that the code will in fact reliably remain secret. When the code inevitably gets out you will have a shitstorm of problems.

    Now open source has in reality been proven the best way.

    And security by obscurity fails again.

  • Representative (Score:3, Interesting)

    by rixstep ( 611236 ) on Monday February 16, 2004 @05:44PM (#8298037) Homepage
    This shouldn't be a discussion about whether open source is inherently more stable (which it surely is). What the leak gives everyone is a chance to see into the coding practices of Redmond. That is what is interesting.

    No one thought they were stellar; some already knew how bad things are; some figured, naturally, that if you could poke holes in their stuff like we've seen, something must be very, very wrong.

    But now people are going to see with their own eyes - and that, I insist, is what is interesting here. So keep your eyes peeled (sorry, PJ).
  • by CaptainTux ( 658655 ) <papillion@gmail.com> on Monday February 16, 2004 @07:01PM (#8298936) Homepage Journal
    What can be done to ensure that this code is kept out of opensource projects?

    The nature of open source software makes actually verifying the existence or non-existence of code very easy. Microsoft wouldn't even need to contact anyone to tell them they thought they were including Microsoft code in their product. They could just download it and check. As could everyone else.

    The main problem, and this is why I think MS has not actually gone to court against major oss projects yet, is that doing so would force them to show the offending lines of code in order for it to be compared to the oss source. If this incident has shown anything it is that revealing source is not something Microsoft wants to ever do -- even for products that are near or at/past EOL.

    That said, I think that project managers REALLY are going to need to be vigilant in monitoring contributions to their projects, especially when programmers claim to be introducing Microsoft compatibility with the code. Chances will be good that some unethical programmers will try to slip some Microsoft-owned code into a project. I can actually see some pro-MS people joining oss projects just to try to do this and then notify MS so they can take legal action. But, if a project manager is doing their job, this should be an easy problem to fix.

  • by John Miles ( 108215 ) * on Monday February 16, 2004 @08:59PM (#8299967) Homepage Journal
    This is really easy. Back in the good old days, when developers measured memory in kilobytes rather than megabytes, and CPU speeds were expressed in single-digit MHz rather than single-digit GHz, performance was a BIG issue. The layout of the data inside a bitmap was set up to mimic the memory layout of a video card, so that you could literally just copy the data with no transforms.

    Which is actually not as good an idea as it sounds. When you refresh the screen (or a large window) upside down, CRT refreshes, which always go from top to bottom, become much more obtrusive. The system looks and feels slower due to more screen-tearing, even though it's technically 1% or so faster.

    This is why display systems that put (0,0) at the lower-left corner are a pet peeve of mine. Upside-down rendering = a slightly more elegant mathematical model that yields significantly worse-looking results in real life.
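The bottom-up row layout discussed in this comment is also where a bitmap loader has to do its arithmetic carefully, since the story this thread is about concerns an integer overflow triggered by a crafted bitmap. The following is an added example, not code from the leak, the exploit or any Microsoft product: it validates a BITMAPFILEHEADER and BITMAPINFOHEADER without trusting any field, computes the DWORD-aligned stride and pixel-buffer size in 64-bit arithmetic so a hostile width cannot wrap them, and maps a display row to its file offset for both bottom-up and top-down (negative height) files. `BMP_MAX_DIMENSION` is an assumed policy cap, not a rule of the format, and the sample headers are constructed in memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BMP_FILE_HEADER_SIZE 14u
#define BMP_INFO_HEADER_SIZE 40u
#define BMP_MAX_DIMENSION    16384   /* assumed policy cap, not part of the format */

typedef struct {
    int32_t  width;
    int32_t  abs_height;   /* number of rows */
    int      top_down;     /* 1 when the file stores the top row first */
    uint16_t bpp;
    uint32_t stride;       /* bytes per stored row, padded to a multiple of 4 */
    uint32_t pixel_bytes;  /* stride * abs_height */
    uint32_t pixel_offset; /* where pixel data starts in the file */
} bmp_info_t;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Returns 0 on success or a negative code naming the failed check. Every
 * size derived from the header is bounded before it can reach an index or an
 * allocation; the stride product is done in 64 bits so it cannot wrap. */
int bmp_parse_header(const uint8_t *buf, size_t len, bmp_info_t *out)
{
    if (len < BMP_FILE_HEADER_SIZE + BMP_INFO_HEADER_SIZE) return -1; /* truncated header */
    if (buf[0] != 'B' || buf[1] != 'M') return -2;                    /* bad magic */

    uint32_t pixel_offset = rd32le(buf + 10);
    uint32_t hdr_size     = rd32le(buf + 14);
    int32_t  width        = (int32_t)rd32le(buf + 18);
    int32_t  height       = (int32_t)rd32le(buf + 22);
    uint16_t planes       = rd16le(buf + 26);
    uint16_t bpp          = rd16le(buf + 28);
    uint32_t compression  = rd32le(buf + 30);

    if (hdr_size < BMP_INFO_HEADER_SIZE) return -3;
    if (planes != 1 || compression != 0) return -4;     /* uncompressed BI_RGB only */
    if (bpp != 24 && bpp != 32) return -5;              /* palette formats left out of the demo */
    if (width <= 0 || width > BMP_MAX_DIMENSION) return -6;
    if (height == 0 || height == INT32_MIN) return -7;  /* -INT32_MIN itself would overflow */
    int top_down = height < 0;
    int32_t abs_height = top_down ? -height : height;
    if (abs_height > BMP_MAX_DIMENSION) return -7;

    uint64_t row_bits    = (uint64_t)width * bpp;
    uint64_t stride      = ((row_bits + 31) / 32) * 4;  /* rows are DWORD aligned */
    uint64_t pixel_bytes = stride * (uint64_t)abs_height;
    if (pixel_bytes > UINT32_MAX) return -8;

    /* Pixel data must begin after both headers and fit inside the file. */
    if ((uint64_t)pixel_offset < BMP_FILE_HEADER_SIZE + (uint64_t)hdr_size) return -9;
    if (pixel_offset > len || pixel_bytes > len - pixel_offset) return -10; /* claims more than present */

    out->width = width;            out->abs_height = abs_height;
    out->top_down = top_down;      out->bpp = bpp;
    out->stride = (uint32_t)stride; out->pixel_bytes = (uint32_t)pixel_bytes;
    out->pixel_offset = pixel_offset;
    return 0;
}

/* File offset of display row y (0 = top of the image), or -1 when y is out
 * of range. A bottom-up file stores the bottom row first, so the index is
 * flipped; a top-down file (negative height) is stored in display order. */
int64_t bmp_row_offset(const bmp_info_t *info, int32_t y)
{
    if (y < 0 || y >= info->abs_height) return -1;
    int32_t stored_row = info->top_down ? y : info->abs_height - 1 - y;
    return (int64_t)info->pixel_offset + (int64_t)stored_row * info->stride;
}

/* Constructed sample: write both headers for an uncompressed 24-bpp image into
 * buf (at least 54 bytes); pixel data is assumed to start right after them. */
size_t build_bmp_header(uint8_t *buf, int32_t width, int32_t height, uint32_t file_size)
{
    memset(buf, 0, BMP_FILE_HEADER_SIZE + BMP_INFO_HEADER_SIZE);
    buf[0] = 'B'; buf[1] = 'M';
    wr32le(buf + 2, file_size);
    wr32le(buf + 10, BMP_FILE_HEADER_SIZE + BMP_INFO_HEADER_SIZE);
    wr32le(buf + 14, BMP_INFO_HEADER_SIZE);
    wr32le(buf + 18, (uint32_t)width);
    wr32le(buf + 22, (uint32_t)height);
    wr16le(buf + 26, 1);
    wr16le(buf + 28, 24);
    return BMP_FILE_HEADER_SIZE + BMP_INFO_HEADER_SIZE;
}

int main(void)
{
    uint8_t file[70] = {0};  /* 54 header bytes + 2 rows of 8 bytes (2 pixels, padded) */
    bmp_info_t info;
    build_bmp_header(file, 2, 2, sizeof file);
    if (bmp_parse_header(file, sizeof file, &info) == 0)
        printf("2x2 bottom-up: stride=%u, display row 0 at offset %lld\n",
               info.stride, (long long)bmp_row_offset(&info, 0));
    build_bmp_header(file, 0x40000000, 4, sizeof file);
    printf("huge width rejected: %d\n", bmp_parse_header(file, sizeof file, &info));
    build_bmp_header(file, 4096, 4096, sizeof file);
    printf("pixel data past EOF rejected: %d\n", bmp_parse_header(file, sizeof file, &info));
    return 0;
}
```

For the 2x2 sample the stride is 8 (6 bytes of pixels padded to the next multiple of 4), and display row 0 lives at offset 62 while row 1 lives at 54, which is the flipped layout the comment describes. The two rejected headers show the two checks that matter most for a loader: a width that would wrap a 32-bit stride product is refused by the dimension cap before any multiplication, and a header whose claimed pixel buffer is larger than the bytes actually present is refused before anything is copied.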
  • There is... (Score:3, Interesting)

    by Cyno01 ( 573917 ) <Cyno01@hotmail.com> on Monday February 16, 2004 @09:29PM (#8300186) Homepage
    The right combo of blinkenlights, color, speed, pattern etc can trigger a seizure in people even without epilepsy.
  • by Anonymous Coward on Monday February 16, 2004 @09:47PM (#8300344)
    The company I used to work for still ran Windows 95 machines... IE 5 was prominent on all of their Win95 and Win98 machines.
    It would be unethical to disclose who that major manufacturing company is. Hehe.
  • MS crypto subsystem? (Score:3, Interesting)

    by bigberk ( 547360 ) <bigberk@users.pc9.org> on Tuesday February 17, 2004 @01:11AM (#8301943)
    I wonder if any of the leaked source code includes the MS crypto system. If so, this could be very bad news for Microsoft seeing how people have already discovered a slew of critical vulnerabilities [eeye.com] but are biting their tongues to wait for MS to fix the flaws. Now you have a bunch of crackers running their debuggers on actual source code... they are going to craft and use exploits before they're public knowledge or officially fixed.
