We have not covered much about the Microsoft source code leak that has been inundating the computer security news-sites recently, mostly because its not very relevant to open-source security. However, an exploit has been found due to the leak already. This brings up one of the major bonuses of open-source code: it does not at all depend on obscurity. Defense-by-obscurity leads to sloppy coding habits and opens the door to massive security vulnerabilities should the code be leaked, especially if its no longer supported, but still widely used, like Windows 9x. Bear in mind that, according to the Microsoft EULA, no one else is technically allowed to patch the code, and Microsoft likely won't. They might even claim that the ruling against them on the Java VM issue with Sun means that they cannot, since that was the reason given for dropping support for legacy products in the first place. . . .
A security company on Monday alerted clients of a new vulnerability to Internet Explorer 5, one attributed to the recent leak of Microsoft Corp. Windows source code. Microsoft confirmed the problem late in the day.

A security company on Monday alerted clients of a new vulnerability to Internet Explorer 5, one attributed to the recent leak of Microsoft Corp. Windows source code. The quick attack appears to contradict some optimistic expectations that the recent leak of Windows 2000 and NT code would not pose a significant opportunity for hackers.

In a statement released late on Monday, the company said it was investigating the reported exploit, but added that "This exploit is a known issue that Microsoft had discovered internally and addressed with the latest release of Internet Explorer--Internet Explorer 6.0 Service Pack 1."

According to a message posted by SecurityGlobal.net LLC's Security Tracker Web site, a vulnerability was reported in Microsoft Internet Explorer Version 5 that lets a "remote user execute arbitrary code on the target system."

A hacked bitmap file can trigger an integer overflow and execute arbitrary code, the security bulletin said.

The author of the warning said that this flaw was uncovered by reviewing the recently leaked Windows source code.

The link for this article located at eweek.com is no longer available.