Microsoft is Investigating Windows XP Source Code Leak

Posted on September 26, 2020 by Paul Thurrott in Windows with 20 Comments

The source code for Windows XP with Service Pack 1 (SP1) and Windows Server 2003 has allegedly leaked online, alongside snippets of code for other outdated Microsoft platforms like MS-DOS and Windows CE.

“We are investigating the matter,” a Microsoft statement notes of the incident.

This isn’t the first time Windows source code has leaked online: Full or partial source code dumps for Windows NT 3.5, Windows 2000, and Windows 10 have leaked at different times in the past, as has the source code for the OS for the original Xbox console and the Xbox Series X graphics system.

Microsoft hasn’t supported Windows XP in over 6 years, and the system is now so out-of-date that it’s unlikely, but not impossible, that hackers could use the code to find vulnerabilities in modern and supported versions of Windows.

And here’s a fun tidbit: The Verge has uncovered an early and unreleased theme for Windows XP, called Candy, that (badly) emulated the Mac OS X “Aqua” look and feel.

Tagged with

Join the discussion!

BECOME A THURROTT MEMBER:

Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Register
Comments (20)

20 responses to “Microsoft is Investigating Windows XP Source Code Leak”

  1. Avatar

    William Armstrong

    This is the same leak that has been passed around for the last 15+ years.

  2. Avatar

    dougkinzinger

    I remember when I beta tested Windows Whistler - what became XP - it had different themes too, the one I recall was similar to the Windows 2000 theme with gradients, but had some stylized blue bits near the top right of the application windows, if memory serves. Long time ago.

  3. Avatar

    topbuzzer

    Who use Windows xp anyway. It's pretty old now. But do you think windows xp code is that much important as it's pretty old and I don't think by getting windows xp codes anyone anything with the latest version of Windows.

  4. Avatar

    bkkcanuck

    In reply to vegito03:

    Likely you do.... when you withdraw money or use an ATM.

  5. Avatar

    bkkcanuck

    In reply to oscar1:

    That is no 'small part' it is the heart of the operating system the kernel (and utilities). What you don't have in the public domain is the skin that sits on top -- the UI. You have to ask what it is that a company may consider a risk at having the source code for their operating system public. Is someone going to copy the source code and make a new operating system with stolen code? No, You would be sued into the ground faster than a company creating a mac clone with binary code. What could incentivize a leak of source code - well one major item might be looking for security holes for malicious attacks... but there is no incentive here since pretty much all the code that is security related is in the kernel. Source code is important IP to the owning company, as well as their customer base... This leak of Windows XP and 2003 OS code is at most a curiosity - but of little real importance.

  6. Avatar

    proftheory

    I know even the Big Companies get hacked (and not just because they are running Windows) and have data exfiltrated but why is it still accessible?

    I would have expected that stuff to be tape backuped and put offline somewhere.


  7. Avatar

    jimchamplin

    I'm sorry, I have my doubts about this "Candy" theme. It has too many earmarks of amateurish third-party themes from the early XP days. Even the first versions of Watercolor were better off than this. The fact that things like the sidebar icons in the common dialog are unthemed, and the listboxes in the Display Properties window point to this not being authentic. Add to it the icons are in their final, finished post-Beta 2 state (look at that Recycle Bin!) and there's no watermark on the desktop.


    I'm not saying the Verge is lying, but this looks... iffy, especially when we're not shown a Winver box to know what build we're seeing. It's definitely not from 2000. On the other hand, nowhere in the article do they claim that these shots are of the leaked code, just that it's the theme, so I may be way off-base here. :)

  8. Avatar

    oscar1

    They have had a number of source code leaks by now as Paul points out, whats up with that? Cant they control the security around the source code?

    • Avatar

      topbuzzer

      In reply to oscar1:

      Yaa but who uses windows xp right now, that's what Microsoft though and loosen the security maybe

    • Avatar

      markjulmar

      In reply to oscar1:


      As mentioned by others, a lot of developers over the history of the company have access to it and it's easy to copy. In addition, MVPs can get access to it, and I think it's been made available to some educational institutions as well as a learning asset. There's no hacking or company security issue here -- it's just a factor of how many people have access to it.

    • Avatar

      hrlngrv

      In reply to oscar1:

      You'd think that as soon as XP reached EOS, its source code would have been made unavailable to all but the few programmers still maintaining it for ATMs, other dedicated hardware, and the few enterprises willing to pay for further upgrades.

      If the leak came from one of those programmers, it shouldn't take long to investigate.

      However, my money is one carelessness by someone charged with archiving it somewhere safe. Actually, it'd be amusing if it had been recovered from an unemptied recycle bin.

    • Avatar

      bkkcanuck

      In reply to oscar1:

      Much easier said than done... source code is rather small overall, can be copied to a flash drive - and carried out. The number of developers that would have access to it is rather large over the history of the project (developers have to have access to really the entire history of a project so that when there is a defect identified they can identify when it was introduced and all that it affects). The security of source code is usually a factor of the morality and integrity of your developers and one bad apple can lead to leaks like this (the fact it does not leak more often -- is a miracle). More-so in the age of working from home and COVID.

      • Avatar

        oscar1

        In reply to bkkcanuck:

        Apple has had no source code leak from macOS X/macOS, how do you explain that? They have had a minor iOS leak but not from their desktop system.

        Security has very little to do with  "morality and integrity " and very much more with the security measures being taken.

        • Avatar

          jim_vernon

          In reply to oscar1:

          Why would you ignore the iOS leak?

        • Avatar

          bkkcanuck

          In reply to oscar1:

          The underlying OS of macOS (Darwin) is open source... Apple leaked it themselves.


          In fact, any company I have worked for -- it would not have been that difficult to walk out with a copy of the source code... if I had wanted to (entire banking systems). Moral or not, the source code would have no value for me... My knowledge in the industry is worth more than the source code... which tends to be compromised by many factors... I have no doubt I would be better off starting out designing a new system from scratch than using existing source code. Even compiled, it would not be that difficult to figure out that the code behind the system was stolen... All factors put together - the source code is really not worth that much other than to the company whose system it is.

  9. Avatar

    esmcelroy

    As far as hacking concerns go, I'd be mostly worried about the Windows CE leaks - how many embedded systems haven't been updated in over a decade, especially mission-critical systems?

Leave a Reply