Should you be concerned about the Windows XP leak?

Windows XP code is almost 20 years old, but it could still live on in newer operating systems.


Reports hit the Web last week that the Windows XP source code has been leaked and posted to 4chan, one of the seediest boards not on the dark web.

A link to a 42.9GB file was posted but quickly scrolled off. 4chan does not archive its posts so once the message scrolled off it was gone, but the link is getting around in other ways. The code is being hosted by Mega, a file-sharing service with its own dubious past.

Reports from other sites say the code is legitimate. Microsoft has said only, “We are investigating the matter.”

What is still unclear is whether the code is the whole codebase or just a portion. Those who have examined the code have said it covers Windows XP Service Pack 1, Windows 2000, and Windows Server 2003. The code has been circulating privately for years, according to the leaker. One theory is that the source of the code is an academic institution.

So, is this cause for alarm? To a degree, yes. Six years after Microsoft ended all support for the XP codebase, XP has just 1% of the user base, according to NetMarketshare. Windows Server 2003, which was based on the XP codebase, also went out of support in 2014. So direct impact of a new exploit should be minimal.

But Microsoft reuses code with each new version of its operating system. If you go through the Patch Tuesday fixes, you’ll see that they cover Windows 10 and Windows Server 2019/2016/2012. Windows 7 reached end of life this past January and is no longer being patched, but the server operating systems have much longer lifespans.

You saw this most recently in “ZeroLogon,” the serious Active Directory vulnerability that was so severe the Department of Homeland Security issued a directive to all government agencies to apply the patch immediately and strongly implored private industry to do the same. That vulnerability covered Windows Server 2012 through 2019. But we don’t know if Server 2008 and 2003 are affected because Microsoft stopped supporting them.

And right on time, because there's an exploit in use out there. (That’s what happens when you tell the bad guys where to look.) Kevin Beaumont, senior threat intelligence analyst with Microsoft’s Threat Intelligence Global Engagement & Response team, issued a warning that he has found an exploit in the wild.

So it is theoretically possible that the bad guys can comb through the XP code and find an exploit that impacts Server 2016 and 2019.

For now, the toothpaste is out of the tube and there’s nothing that can be done except keep your eyes on the Microsoft Security Response Center and Patch Tuesday alerts.

An Opportunity for Microsoft?

Part of me wonders if there is a positive outcome for Microsoft. For years, game developer id Software had a tradition of releasing the source code of game engines that were a few revisions old. At the time, id was led by John Carmack, one of the most gifted game developers in the world.

When a game was out of date, and he had developed a whole new gaming engine, he would remove licensed third-party code and toss the source out for all to play with under a GPL license, and see what they came up with. All kinds of mods would be made, but more important, it gave coders a chance to show off their chops.

At the time I was heavily into the first-person shooter genre that id had single-handedly created, and I followed the community closely. It seemed like hardly a week went by when I didn’t see a report that a modder had impressed a game company with their work and been hired.

Quite a few gamers got jobs at game companies thanks to Carmack, and I wonder if the same will happen here. Will people come up with Windows modifications and will Microsoft bring them on board?

(Irony of ironies, Microsoft is in the middle of a $7.5 billion acquisition of gaming giant Bethesda Softworks, which bought out id Software in 2009. Carmack went to work for Oculus VR and is now doing Artificial General Intelligence (AGI) research, which is defined as AI that can pick up intellectual tasks like a human being does rather than standard AI that does only what it’s told. And if anyone can create Project 2501, it’s Carmack.)


Copyright © 2020 IDG Communications, Inc.
