The initial response of many security pundits was that this disclosure would have little effect on the overall security of Windows, but the reason they gave was less than reassuring: many said there were already so many well-known holes in the code that having the source code wasn't necessary to compromise Microsoft systems.
Details
Understandably, Microsoft has been downplaying the threat posed by this disclosure of several megabytes of source code, but Microsoft also quickly followed the disclosure with a recommendation to immediately upgrade all Microsoft browser versions to Internet Explorer 6 SP1.
The majority of the disclosed code was initially reported to be for the Windows NT 4.0 and Windows 2000 operating systems. However, more recent reports point to the source code for Internet Explorer 4 and 5 as being the code that was released, and that would be consistent with Microsoft's recommendation for people to upgrade to IE 6 SP1.
The disclosure has been reported in some newsgroups as having originated from a Microsoft partner that had legitimate access to the code. Microsoft's press release on the disclosure said that the company would be pursuing legal remedies and that the code was not released due to any apparent breach of the company's own network or any internal security vulnerabilities.
Applicability
This could potentially affect all Internet Explorer versions prior to IE 6, even if they have all appropriate security patches applied.
Risk level - unknown but probably very serious
There have been so many serious vulnerabilities discovered in IE by trial and error that it seems quite likely that many more will be found by potential attackers after they carefully analyse the actual source code.
Mitigating factors
There are no known mitigating factors because the exact nature of this disclosure of source code (and how hackers will exploit it) is not yet known.
Fix
The only fix is to upgrade to IE 6 SP1, and even that may not be a comprehensive fix, since so much of the source code in IE 6 is probably legacy code inherited from earlier versions of IE.
Final word
If there is any good news in this for Microsoft, it lies in the fact that this disclosure was probably not due to any security problems at Microsoft. Plus, this should probably drive upgrades to the latest version of IE, which can mitigate some other well-known security problems and threats.





Talkback
After the source code came out, everyone panicked. But why? If the software is well-built, there is really no reason for concern. Linux source code is all over the 'net, and no one seems to mind. The fact is, Windows is so easy (and free) to patch, users should just do it and quit complaining. The only ones who might have problems are those who have pirated software--too bad, you get what you pay for!
Isn't it a little odd that this alleged leaking of source code is happening just after Microsoft halted its plans to find and eliminate every single serious security flaw on Windows? If I remember well, they did it without further explanation.
It seems to me that Microsoft wants to blame hackers for the crappy security of its OS.
Shame on you, Bill.