Russ Cooper posted the following message concerning the leak on the NBugTraq list today:
1. NT source is NT 4.0 SP3, contains 27000+ files (658MB). It is all NT4.0 Server except IIS, includes IE 4. No references to Mainsoft (seehttp://www.eweek.com/article2/0,4149,1526830,00.asp .) 2. W2K is SP1, a very small subset, IE 5, SNMP, PKI, networking and someSDK stuff. 28000+ files (338MB - although many of these are empty mailmessages and other crap.) Does contain 3 references to MainSoft. Much ofwhat is there is available elsewhere. MS confirmed the leak at; http://www.microsoft.com/presspass/press/2004/Feb04/02-12windowssource.asp I'd be very surprised if this leak results in any significant new risk.Given how hard people have pounded away at the binaries in the past,pouring over 55,000 source file to find something new in old versionswill likely/hopefully be a very unfulfilling task. Cheers,Russ - NTBugtraq Editor
1. NT source is NT 4.0 SP3, contains 27000+ files (658MB). It is all NT4.0 Server except IIS, includes IE 4. No references to Mainsoft (seehttp://www.eweek.com/article2/0,4149,1526830,00.asp .)
2. W2K is SP1, a very small subset, IE 5, SNMP, PKI, networking and someSDK stuff. 28000+ files (338MB - although many of these are empty mailmessages and other crap.) Does contain 3 references to MainSoft. Much ofwhat is there is available elsewhere.
MS confirmed the leak at;
http://www.microsoft.com/presspass/press/2004/Feb04/02-12windowssource.asp
I'd be very surprised if this leak results in any significant new risk.Given how hard people have pounded away at the binaries in the past,pouring over 55,000 source file to find something new in old versionswill likely/hopefully be a very unfulfilling task.
Cheers,Russ - NTBugtraq Editor
This seems to me as one of the better outcomes of this whole situation, which started yesterday with a newsitem on neowin.net and quickly stormed the internet.
Update:
Couple of corrections. 1. There were 27,142 NT 4.0 SP3 files totaling 338MB. 2. There were 28,782 W2K SP1 files totaling 658MB. 3. It does appear that all of both versions are present, minus IIS. 4. 10,425 of the 27k NT files are actually source totaling 193MB uncompressed. 5. 8,367 of the 28k W2K files are actually source totaling 217MB uncompressed. Sorry for any confusion. I still contend that the risk is relatively low consider the age of the packages. Both are copies from before the MS security push, and both have had 3 service pack releases since. Obviously only time will tell. Cheers, Russ - NTBugtraq Editor
Couple of corrections.
1. There were 27,142 NT 4.0 SP3 files totaling 338MB.
2. There were 28,782 W2K SP1 files totaling 658MB.
3. It does appear that all of both versions are present, minus IIS.
4. 10,425 of the 27k NT files are actually source totaling 193MB uncompressed.
5. 8,367 of the 28k W2K files are actually source totaling 217MB uncompressed.
Sorry for any confusion. I still contend that the risk is relatively low consider the age of the packages. Both are copies from before the MS security push, and both have had 3 service pack releases since.
Obviously only time will tell.
Cheers,
Russ - NTBugtraq Editor
Still doesn't look very bad to me, except for the relationship between Mainsoft and Microsoft.