MS Duck and Cover

Just when you thought the Windows security picture couldn’t get any worse, Microsoft confirmed Friday that source code from its well-worn Windows NT 4.0 and Windows 2000 operating systems had been leaked on the Internet.

On Feb. 10, the company announced two new security holes that affect all of the company’s desktop and server operating systems, one of which is potentially as dangerous as the flaw exploited by last year’s MSBlast worm.

But the leak of source code raises the threat considerably for companies running Windows desktops and servers. While Microsoft is downplaying the immediate risk to its customers, there’s plenty of reason to be alarmed.

While the source code that is now running loose in the wild is from Microsoft’s older operating systems—Microsoft has stopped supporting NT 4.0 desktop systems, and Windows 2000 is nearing the end of its support life—there are still large numbers of systems running them. More importantly, portions of the code may still be part of Microsoft’s most recent versions of Windows.

This creates something of a Cuban Missile Crisis for Windows users. Anyone interested in finding new security holes in Microsoft’s operating system might now be able to find vulnerabilities right in the source code. As a result, they could exploit those holes before Microsoft can issue a patch, and attacks could come without warning.

The actual risk from the leaked source code may turn out to be negligible. People who do nothing to protect their companies may emerge unscathed. But until Microsoft confirms which code has been leaked, and gives a clear picture of the risk that the code places on its customers, there’s no telling what will get thrown at Windows systems, from where, or when. Times like these call for paranoia.

Here are a number of steps you can take right now to reduce short-term risk to your systems:

  • Patch everything pronto
    Make sure that you’ve got all the systems on your network up to the most recent set of Microsoft hot-fixes. That’s easier said than done; you’ll need to ensure that the patches don’t break any of your current applications. For anything that is broken by a patch, you’ll have to make the call: is this application important enough to the company to risk leaving systems open to attack?
  • Tighten up your firewalls, both at the edges of your network and within it
    Take a hard look at the types of network traffic you’re letting pass through firewalls; if it isn’t essential to a critical application, then shut it down.
  • If you don’t have patch management software, get it
    If Microsoft is forced to pick up the pace of deploying fixes to security holes, then the task of manually managing the installation of fixes will become a major resource drain—and the longer it takes to roll out each new patch, the greater your window of vulnerability.
  • Watch your network traffic like a hawk
    Baseline the types of traffic on your network now, and watch for spikes that can’t be explained by normal application usage. One of the latest known bugs in Windows, for example, is in the Windows Internet Name Service (WINS); a sudden peak in WINS requests might indicate an attack.
  • Consider your options
    If you’re running an all-Microsoft infrastructure, this may be the time to consider adding some diversity to your infrastructure. Investigate whether you can move some applications to other operating systems as a backup or outright replacement. Weigh the cost of investing in training staff, migration of applications and additional systems management against the potential cost of an outage or loss of data; but remember the probability of that loss is now a lot higher.

For some executives, these measures may seem obvious. But the damage done in the past year by threats that were already well known to the information technology community illustrates that people don’t always do what they obviously should.
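The baselining step described under "Watch your network traffic," as an added example that is not from the original column: a Python script that counts flows to WINS-related ports per minute from constructed flow-log lines, derives an alert level from a known-good baseline day, and flags minutes that exceed it. The log line format, the set of WINS-related ports and the threshold rule are assumptions.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Ports treated as WINS-related traffic (assumption): 42 = WINS service and
# replication, 137 = NetBIOS name service used by WINS clients for lookups.
WINS_PORTS = {42, 137}

# Assumed flow-log line format: "<ISO timestamp> <proto> <src> <dst> <dst_port>"
LINE_RE = re.compile(r"^(\S+T\d\d:\d\d):\d\d\s+(TCP|UDP)\s+\S+\s+\S+\s+(\d+)$")


def wins_requests_per_minute(lines):
    """Count flows to WINS ports, bucketed by minute (YYYY-MM-DDTHH:MM)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and int(m.group(3)) in WINS_PORTS:
            counts[m.group(1)] += 1
    return counts


def spike_threshold(baseline_counts, k=3.0):
    """Alert level: baseline mean plus k standard deviations, but never below
    twice the mean, so a flat (zero-variance) baseline still gets a sane level."""
    values = list(baseline_counts.values()) or [0]
    return max(mean(values) + k * pstdev(values), 2 * mean(values))


def find_wins_spikes(baseline_lines, current_lines, k=3.0):
    """Return [(minute, count)] for minutes whose WINS request count exceeds the baseline."""
    threshold = spike_threshold(wins_requests_per_minute(baseline_lines), k)
    current = wins_requests_per_minute(current_lines)
    return sorted((minute, n) for minute, n in current.items() if n > threshold)


def _constructed_lines(day, per_minute, burst_minute=None, burst=0):
    """Build constructed sample flow lines: steady WINS lookups plus an optional burst."""
    lines = []
    for minute in range(60):
        n = per_minute + (burst if minute == burst_minute else 0)
        for i in range(n):
            lines.append(f"{day}T09:{minute:02d}:{i % 60:02d} UDP 10.0.1.{10 + i % 40} 10.0.0.5 137")
        lines.append(f"{day}T09:{minute:02d}:30 TCP 10.0.1.99 10.0.0.5 80")  # non-WINS noise
    return lines


BASELINE = _constructed_lines("2004-02-12", per_minute=4)                       # quiet day
TODAY = _constructed_lines("2004-02-13", per_minute=4, burst_minute=17, burst=200)  # one burst

if __name__ == "__main__":
    for minute, n in find_wins_spikes(BASELINE, TODAY):
        print(f"WINS spike: {n} requests at {minute}")
```

In practice the baseline should span several normal days and the port set should match how WINS is actually deployed on your network.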