Windows XP source code leaks online


Microsoft’s source code for Windows XP and Windows Server 2003 has leaked online. Torrent files for both operating systems’ source code have been published on various file sharing sites this week. It’s the first time source code for Windows XP has leaked publicly, although the leaked files claim this code has been shared privately for years.

The Verge has verified the material is legitimate, and a Microsoft spokesperson tells us that the company is “investigating the matter.”

It’s unlikely that this latest source code leak will pose any significant threat to companies still stuck running Windows XP machines. Microsoft ended support for Windows XP back in 2014, although the company responded to the massive WannaCry malware attack with a highly unusual Windows XP patch in 2017.

While this is the first time Windows XP source code has appeared publicly, Microsoft does run a special Government Security Program (GSP) that allows governments and organizations controlled access to source code and other technical content.

This latest XP leak isn’t the first time Microsoft’s operating system source code has appeared online. At least 1GB of Windows 10-related source code leaked a few years ago, and Microsoft has even faced a series of Xbox-related source code leaks this year. Original Xbox and Windows NT 3.5 source code appeared online back in May, just weeks after Xbox Series X graphics source code was stolen and leaked online.

It’s not immediately clear how much of the Windows XP source code is included in this leak, but one Windows internals expert has already found Microsoft’s NetMeeting user certificate root signing keys.

Parts of the source code leak also reference Microsoft’s Windows CE operating systems, MS-DOS, and other leaked Microsoft material. Bizarrely, the files also include references to Bill Gates conspiracy theories, in a clear attempt to spread misinformation.

Update, September 25th 11:50AM ET: Updated with comment from Microsoft.

Comments

All I can think of is Foone’s request for someone to leak the 3D Movie Maker source.

The Verge should probably explain to their readers why having access to the source code is so important.

I think we all know…

Oh that grassy knoll…

Can we maybe get an explanation on why this matters for people that don’t write code or know much about the implications of a "source code leak?" Thanks.

The source code allows malware creators to target vulnerabilities that are more difficult to detect when you don’t have source code.
XP is quite old, but it might very well be that later OSes inherited some parts of the code so the same tricks might still work in Win7, Win8 or Win10.

"Might very well be?"

You mean "definitely is." Windows is a collection of 30+ years of cruft, that somehow operates as an OS.

It’s like the digital version of the junk drawer you have in a kitchen: useful items, surrounded by tons of stuff that you don’t dare throw away because you have A) no idea what it’s for anymore, and B) it might be useful one day.

The source code for later versions of Windows is so unwieldy that Microsoft had to make a special source control system just to manage and maintain it.

rec’d just for the kitchen analogy

The source code for later versions of Windows is so unwieldy that Microsoft had to make a special source control system just to manage and maintain it.

You mean Git?

Boom.

Microsoft migrated to Git recently but they were previously using Perforce with some custom internal extensions (even with Git they had to create their own extensions since most git repos aren’t full scale operating systems like Windows).

Yes, except heavily customised for their needs

You mean VFS for Git? Because that’s not "heavily customized," it’s open source, and it’s totally possible to use Git without it.

It’s also available to everyone on GitHub and Azure DevOps.

hence the long backwards compatibility?

Don’t rephrase me. I said "Windows XP-style exploits might work on later OSes". And "might" part is important, as due to introduced improvements (ASLR etc) some exploits, that worked before, won’t work anymore.

And the analogy is slightly incorrect. I’m pretty sure Microsoft would be happy to throw away a lot of stuff – way more than they throw away now. And, to be fair, they’ve tried it with Windows RT and Windows on ARM for Surface X. But they are kinda big company with big customers who will be very upset if the new version of Windows will suddenly become backward-incompatible. So it’s not "you don’t throw away stuff because it might be useful one day FOR YOU", it’s more of "you don’t throw away stuff because it might be useful one day FOR OTHER PEOPLE IN YOUR HOME". People get very upset if they see "Windows" and can’t run their favourite programs from 90s/00s on it.

XP is quite old, but it might very well be that later OSes inherited some parts of the code so the same tricks might still work in Win7, Win8 or Win10.

This is probably the most important aspect to all this.

There’s about 50 million lines of code in Windows. When new versions come out, significant parts are re-used. That means that bad actors could have proxy access to significant portions of the source code for current versions of Windows desktop and server, and attempt to develop attacks based on it.

There are security implications for sure. If Microsoft would ever release source code for these old operating systems for people to use freely then they could upgrade it and add features. I think of the old Doom and Quake source code releases. There were so many additions to those that are nice features the original games didn’t have. For instance, the original Doom didn’t even have mouse look. You could use a mouse but only to look side-to-side and not up-and-down. Not to mention being ported to a ton of systems that didn’t originally run it.
This leak can’t legally be used by projects like WINE (to let you run Windows programs under Linux) or ReactOS (open source Windows clone) but if Microsoft would only open source it themselves then it could. They’ve opened a few things. There’s also source available for stuff like older versions of DOS but you’re not allowed to share changes, if I remember correctly.

@jhall39

While having the source may allow you to view what is in the OS, compiling it to build the OS is an entirely different matter. I will guess that even if the entire source tree of XP was released, no one outside of MSFT would be able to compile it.

You’d be surprised, people successfully compiled WinNT4 from the leaked sources (check out opennt even tho it’s dead)

They actually went back on the license, I think now you can do anything you want with it (and they posted it on GitHub)

Not good for ATMs

Look at the bright side: ReactOS staff will be able to have a better understanding of how some things worked for their own project.

Nope. If ReactOS wants to remain legal, they have to do a clean room implementation. If they look at the XP code, their project is no longer something built from scratch and is copying XP, which violates Microsoft’s copyright. They will not look at this at all.

That’s not how code audit works. They can review code, even reverse engineer components, in order to understand how they work; this is how projects like React and Wine have made many of their breakthroughs.

What they CANNOT do is use literal code lifted from source or RE and implement it. And of course their implementation also cannot be too similar to MS, but they were never forbidden to read code and devise their own solutions. That’s something even MS agreed in their last audit they made.

While it’s true that it isn’t required as long as their implementation is different, ReactOS uses a clean room design so they won’t be violating copyright even if the implementation ends up more or less identical.
