The source code of the Windows XP operating system is now circulating online as a huge 43GB mega-dump.
Although the software is nearly two decades old, it’s still used by people, businesses and organisations around the world. This source code leak leaves it open to being scoured for bugs and weaknesses hackers can exploit.
The leaked torrent files, published on the bulletin board website 4chan, include the source code for Windows XP Service Pack 1, Windows Server 2003, MS DOS 3.30, MS DOS 6.0, Windows 2000, Windows CE 3, Windows CE 4, Windows CE 5, Windows Embedded 7, Windows Embedded CE, Windows NT 3.5 and Windows NT 4.
— DEY! (@RoninDey) September 24, 2020
Tech news site The Verge claims to have verified the material. And Microsoft said it was “investigating the matter”, according to reports.
The leak came with files containing bizarre misinformation related to Microsoft founder Bill Gates and various conspiracy theories. This is consistent with past leaks from 4chan, a site often associated with extremist content and internet trolls.
Using the name “billgates3”, the leaker reportedly said:
I created this torrent for the community, as I believe information should be free and available to everyone and hoarding information for oneself and keeping it secret is an evil act in my opinion.
If the leak is genuine, this won’t be the first time a Microsoft operating system source code was released online. At least 1GB of Windows 10 source code was leaked a few years ago, too.
Vulnerabilities in the source code
The source code is the “source” of a program. It’s essentially the list of instructions a computer programmer writes when they develop a program, which can then be understood by other programmers.
A leaked source code can make it easier for cyber criminals to find and exploit weaknesses and serious security flaws (such as bugs) in a program. It also makes it easier for them to craft malware (software designed to cause harm).
One example would be “rogue” security software trying to make you think your computer is infected by a virus and prompting you to download, or buy, a product to “remove” it. Instead, the download or purchase introduces a virus to your computer.
According to a report from computer security company F-Secure, on average it takes about 20 minutes for a Windows XP machine to be hacked once it’s connected to the internet.
Is Windows XP still supported?
Windows XP hasn’t had “official” support from Microsoft since 2014. This means there are currently no security updates or technical support options available for users of the operating system.
However, until as recently as last year, Microsoft continued to release security fixes and virus preventive measures for it.
The most notable was an emergency patch released in 2017, to prevent another incident like the massive WannaCry ransomware attack from happening again. This malware affected 75,000 computers in 99 countries – impacting hospitals, Telefonica, FedEx and other major businesses.
Windows XP is still used by people, airlines, banks, organisations and in industrial environments the world over.
In 2016, the network which runs the Royal Melbourne Hospital, Melbourne Health, was infected with a virus targeting computers using Windows XP. The attack forced staff to temporarily manually process blood, tissue and urine samples.
Online, users have posted photos of Windows XP being used at places such as Singapore’s Changi Airport, Heathrow Airport and Zeventem Brussels Airport.
@HeathrowAirport @TheRegister extremely surprised Heathrow airport passenger pods are running Windows XP! Released in 2001 with no security updates any more… Suggest upgrading! pic.twitter.com/j1JhilFv9k
— James Mesney (@j_mesney) January 28, 2020
Jet bridge control panel at Zaventem Brussels airport: hello Windows XP Professional 🙂 pic.twitter.com/CFhZu9FeHE
— Didier Stevens (@DidierStevens) December 4, 2019
Although the exact figure isn’t known, one estimate suggests the operating system was running on 1.26% of all laptops and desktops, as of last month.
Is there still incentive for hackers to target Windows XP?
The availability of the Windows XP source code opens access for cyber criminals to search for “zero-day threats” in the code that could be exploited.
These are discovered flaws in software, hardware or firmware that are unknown to the parties responsible for patching or “fixing” them – in this case, Microsoft.
Zero-day threats are often found in older ATM machines, for example, as these can’t be patch-managed remotely. This is because they have an embedded version of Windows XP with limited connectivity.
To upgrade in such cases, a bank’s IT professionals would have to visit the machines one by one, branch by branch, to apply security patches for the embedded systems. One report suggests hackers can break through the defences and security features of these older style ATMs within 10-15 minutes.
There’s no easy way to confirm which ATMs are still running this 19-year-old software, but past reports indicate this could be the case. The Conversation has reached out to certain parties to obtain this information and is awaiting a response.
https://twitter.com/Specimum/status/1296670913287671815?
Possible defences
Windows XP was left to its own defences back in 2014 when Microsoft stopped mainstream support for the operating system.
But as one of Microsoft’s most widely-used operating systems, it’s still being run and could be around for many years to come.
According to Microsoft Support, since Windows XP is no longer supported, computers running it “will not be secure and will still be at risk for infection”.
Any antivirus software has limited effectiveness on computers that don’t have the latest security updates. The number of holes in software also increases as machines are left unpatched.
Luckily, most organisations have strategies (requiring money and human resources) to manage large-scale upgrades and isolate their most critical systems.
If your computers are still running on the extremely outdated Windows XP operating system, you too should migrate to a more modern one. No one can force you, but it’s certainly a good idea.
- is Lecturer, Ethical Hacking and Defense, Edith Cowan University
- is Associate Dean (Computing and Security), Edith Cowan University
- This article first appeared on The Conversation