The Windows XP and Windows Server 2003 source code leaks online

As ever, be careful what you download…

Graham Cluley
Graham Cluley
@

 @grahamcluley.com
 @[email protected]

The Windows XP and Windows Server 2003 source code leaks online

Various media outlets are reporting that the source code for the legacy operating systems Windows XP and Windows Server 2003 have leaked online.

According to reports, the source code for both operating systems is being shared via torrents on file-sharing sites.

And, according to The Verge, it really *is* what it claims to be: Microsoft’s source code for good ol’ Windows XP and Windows Server 2003.

Now the good news is that most organisations aren’t using these operating systems anymore. Microsoft sounded the death knell on Windows XP back in 2014, and stopped releasing security patches.

(To be pedantic, Microsoft stopped releasing Windows XP security patches *until* 2017 when they raced out a fix for the “ETERNALBLUE” exploit that was most infamously used by the WannaCry ransomware. But that was very much an exceptional situation.)

But that’s not to say that Windows XP is entirely dead. For instance, last year the UK Government confirmed that 2,300 NHS computers were still running Windows XP, and no doubt there are other organisations out there working with older computers, running operating systems that are never being patched.

Winxp

The public release of operating source code potentially opens opportunities for hackers to uncover security holes in the software that they might try to exploit. In some cases these same vulnerabilities *might* still exist in more modern versions of the operating system too.

Sign up to our free newsletter.
Security news, advice, and tips.

As ever, my recommendation is to run a modern version of your operating system – whether it is a flavour of Windows or not – and keep it updated with security patches.

There’s an associated danger, however, with the news that Microsoft’s source code has leaked out. Lots of people are probably curious and tempted – using their high speed broadband connections – to download it in all its 42.9 GB glory.

The risk is that high demand could perk the interest of cybercriminals, who might plant poisoned versions of the torrent on file-sharing sites in the hope that users might download it and could accidentally infect themselves with malware.

It would be pretty galling to be hit by cryptomining code or have your files scrambled by ransomware just because you were curious about Microsoft’s source code.

There’s one other word of caution. It is reported that some of the torrents don’t just contain source code, but also material (files and movies) related to nonsensical Bill Gates conspiracy theories:

Bill gates conspiracy archive

An odd thing, you might think, for someone to distribute alongside Microsoft’s source code.

Don’t believe everything you read on the internet, and always be cautious about what you choose to download and run on your PC.

h/t Images of torrent contents from @RoninDey on Twitter.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

9 comments on “The Windows XP and Windows Server 2003 source code leaks online”

  1. cybernetix

    They have been leaked for over a decade. The Pirate Bay. If you ever owned a disk of it, or the ISO from Microsoft, you simply just have to extract it.

    1. Voltano · in reply to cybernetix

      Lol iso is not source code. Nice try though.

    2. hahahah · in reply to cybernetix

      hahah when you dont know what you talking about, shut up your stupid month

  2. i'm a person

    I think someone will make an OS based off of this

  3. Oliver Corser

    For the uneducated, what's the difference between source-code and the disk I get from MS?

    1. Marcelo Fortes · in reply to Oliver Corser

      It means, the way programmers and software engineers from Microsoft did to create the Windows System or how software its created, its a bunch of instructions in programming language such C and C++ that looks like that:

      /* C program for Merge Sort */
      #include <stdio.h>
      #include <stdlib.h>

      // Merges two subarrays of arr[].
      // First subarray is arr[l..m]
      // Second subarray is arr[m+1..r]
      void merge(int arr[], int l, int m, int r)
      {
      int i, j, k;
      int n1 = m – l + 1;
      int n2 = r – m;

      /* create temp arrays */
      int L[n1], R[n2];

      /* Copy data to temp arrays L[] and R[] */
      for (i = 0; i < n1; i++)
      L[i] = arr[l + i];
      for (j = 0; j < n2; j++)
      R[j] = arr[m + 1 + j];

      /* Merge the temp arrays back into arr[l..r]*/
      i = 0; // Initial index of first subarray
      j = 0; // Initial index of second subarray
      k = l; // Initial index of merged subarray
      while (i < n1 && j < n2) {
      if (L[i] <= R[j]) {
      arr[k] = L[i];
      i++;
      }
      else {
      arr[k] = R[j];
      j++;
      }
      k++;
      }

      /* Copy the remaining elements of L[], if there
      are any */
      while (i < n1) {
      arr[k] = L[i];
      i++;
      k++;
      }

      /* Copy the remaining elements of R[], if there
      are any */
      while (j < n2) {
      arr[k] = R[j];
      j++;
      k++;
      }
      }

      /* l is for left index and r is right index of the
      sub-array of arr to be sorted */
      void mergeSort(int arr[], int l, int r)
      {
      if (l < r) {
      // Same as (l+r)/2, but avoids overflow for
      // large l and h
      int m = l + (r – l) / 2;

      // Sort first and second halves
      mergeSort(arr, l, m);
      mergeSort(arr, m + 1, r);

      merge(arr, l, m, r);
      }
      }

      /* UTILITY FUNCTIONS */
      /* Function to print an array */
      void printArray(int A[], int size)
      {
      int i;
      for (i = 0; i < size; i++)
      printf("%d ", A[i]);
      printf("\n");
      }

      /* Driver program to test above functions */
      int main()
      {
      int arr[] = { 12, 11, 13, 5, 6, 7 };
      int arr_size = sizeof(arr) / sizeof(arr[0]);

      printf("Given array is \n");
      printArray(arr, arr_size);

      mergeSort(arr, 0, arr_size – 1);

      printf("\nSorted array is \n");
      printArray(arr, arr_size);
      return 0;
      }

  4. Terry Leather

    @Oliver
    Someone feel free to correct me if im wrong but if you think of whats on the Windows disk as a car, then the source code is like the instructions to build the car from scratch.

    Sure if you have the car you can try and take it apart and reverse engineer bits and pieces of it if you have the right knowledge and tools.

    But its going to be a complex process that consumes a lot of time and resources and likely will never be 100% accurate.

    However, if you have the instructions, it takes most of the effort out of it.

    You can see exactly how every piece works and modify it all pretty easily.

    It also generally makes it way easier to see flaws as you see directly how things operate instead having to play with different inputs and outputs and reading memory etc (Hence the concern when stuff like this is leaked. It just makes the bad guys job that much easier).

    1. Bob · in reply to Terry Leather
  5. semi colon

    Well, as someone who is grown up with WINDOWS XP, and pursued a career in software engineering, it would be always interesting to know what kind of peace of code (in general) exist behind all of that fancy stuff in XP, lol

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.