Online security experts say the hacker attack on Microsoft last week could have been worse than the company admitted, exposing security flaws that should have been addressed long ago.
Though Microsoft admits its corporate networks were attacked, it denies initial reports that hackers accessed source code for its major operating-system products.
Microsoft says: "This situation appears to be much narrower than originally reported. Our investigation shows no evidence that the intruder gained access to the source code for our major products, such as Windows Me, Windows 2000, or Office."
On view Microsoft does say the hacker or hackers could "view source code under development for a future product", but that the perpetrator did not modify or corrupt that code.
Microsoft's claim is nothing more than an attempt to diminish its embarrassment, says Jeffrey Tarter, editor and publisher of Softletter. He adds: "Once a hacker opens a file, I don't think there's any way Microsoft could know whether the code was downloaded or what had been done to it."
While Windows source code would clearly be valuable loot, it is unclear what kind of damage, other than illegal distribution, would result from this particular hack.
Naughty Initial reports say the hacked information was sent to a site in Russia. Programmers there could conceivably use the code to distribute illegal copies of Windows, but, Tartar says: "The hackers will just do mischief with it like posting the source code on bulletin boards."
While Microsoft says it is confident "the integrity of its intellectual property remains secure", the fact that anyone could hack into the networks of the world's largest software company says something about its attitude toward security, Tartar adds.
Tarter said: "Any network has vulnerabilities, but it should not have been possible for a hacker - no matter how good - to get at source code, Microsoft's most valuable asset.
"The interesting question is whether the hackers did mess around with any files. It'd be a wonderful excuse for bugs Microsoft could use for the next two or three years."
Free tests And if Windows source code appears on Web bulletin boards and chat rooms, so much the better, according to Tarter. "Putting Windows out in the open might have some benefit to Microsoft, as programmers might look at it and suggest ways it could be better," he says.
Security experts say if Microsoft suspects a hacker could have manipulated source code, the company would have to painstakingly check code against changes logged by authorized programmers - a process that could take months.
The source code for Microsoft programs, such as the Windows operating system, is under more or less constant modification by Microsoft's team, as it looks for errors and works on upgrades, says Russ Cooper, the moderator for an online forum for computer security, NTBugTraq.
Back door ripple Changes in source code would have a ripple effect, he notes: "It's not like the copy of Windows you buy on a CD-ROM in the store. What if I make a change in Windows Me that will be shipped to consumers with a 'back door', so I can break into their systems? The possibilities are endless."
The hackers appeared to have accessed Microsoft computers by the QAZ Trojan, typically delivered via e-mail, according to an unnamed source cited by the Wall Street Journal.
But Cooper doubts the QAZ program alone could enable access.
Cooper sayss: "The claim that the QAZ Trojan caused this is highly doubtful. The QAZ program can identify a computers's IP address, so a hacker might establish a connection, but in order to do that, I would have to go through Microsoft's firewall. Out-of-date antivirus software and a broken firewall is highly unlikely."