Microsoft late Thursday confirmed that some of the secret code underlying its Windows NT and Windows 2000 operating systems has been leaked on the Internet. The company played down any potential security concerns the leak might cause.
Incomplete portions of Windows NT and Windows 2000 source code were "illegally made available on the Internet," Microsoft spokesman Tom Pilla said. Microsoft has no information on the source of the leak and has called in the FBI, he said.
There is no indication that the leak was the result of any breach of the Microsoft corporate network or the company's internal security, Pilla said. Also, "at this point in time there is no known impact to customers," he said.
Source code is pre-compiled code in the form of readable lines of text, usually with comments. It can be compiled into code that can run but can't be read. The Windows code on users' PCs is all compiled code.
A breach of the Windows source code - a mix of assembler, C and C++ code - could expose users to an increase in cyber-attacks because it would make it easier for hackers to find holes in the operating systems that they can exploit. It would also mean that Microsoft's closely guarded intellectual property is now out in the open, said Joe Wilcox, a Washington, D.C.-based senior analyst at Jupiter Research.
Those who say they have downloaded the source code claim to have a 200M-byte compressed file that expands into roughly 600M bytes of code. Microsoft officials told industry analysts that this is roughly correct and that it represents about 15% of Windows source code.
Jupiter Research's Wilcox said a much greater percentage of the Windows code may have leaked. "It was my understanding that Windows 2000 was about 35 million lines of code." People who have seen the leaked code say it contains about 13.5 million lines.
The code leak could lead to a host of new attacks on systems running Windows 2000 and Windows NT, warned Thor Larholm, a senior security researcher at PivX Solutions LLC, in Newport Beach, Calif.
"Depending on what particular code was leaked I would say this has a lot of potential for new security vulnerabilities. The next weeks to come will confirm whether we see a rise in exploits," he said.
But Rob Enderle, principal analyst at Enderle Group in San Jose, said that with the amount of Windows code already available through various Microsoft programs, the security implications are limited. "A release of source code on the Web is more embarrassing in these days of open source than it is damaging," he said.