Well that didn’t take long. Some of the source code to Windows NT 4.0 and Windows 2000 was leaked on or about Thursday and over the weekend someone coded up an exploit for some of the leaked code. I bet the security through obscurity camp are jumping for joy. “See,” my strawman says, “if the source had remained closed this exploit would have never been a problem!”
Not so fast. Whether the source code is released or not, people can find security flaws in software. There’s also no requirement that evil-doers publish information about exploits, which means that the blackhats may have had this exploit for years. The flaw has been there from the start, it’s only now that it’s been found by someone who would publish it instead of (or in addition to) exploiting it for personal gain.
That’s right, someone could have been out there using this exploit all along, although it’s unlikely due to the nature of this specific flaw. But now that it’s been published, IE 5 users can protect themselves, which means that the source code leak has led to more security instead of less security. As esr says, "Many eyes make all bugs shallow."

Leave a Reply