RealTime IT News

Is Microsoft Liable for Software Breaches?

A proposed class action lawsuit asking that Microsoft be held liable for software security vulnerabilities has reportedly been filed in a Los Angeles court, prompting a new round of discussion about the legal liabilities faced by large software vendors.

According to a Reuters report, the complaint charges Microsoft with unfair competition and infringement of California's consumer laws. It further alleges that Microsoft issues its security alerts too early, giving virus writers and intruders enough time to create exploits before consumers can apply patches.

The lawsuit also accuses the software giant of issuing security bulletins that are too technical and complex for end users.

Microsoft plans to fight the attempt to justify a class action suit, arguing that the problems caused by destructive viruses and attacks are the result of "criminal acts" and not because of vulnerabilities in software products.

With software security flaws hogging the headlines in recent months, the legal challenge to Microsoft has spawned a new debate about whether technology firms should be held liable for weaknesses in the software they market.

John Pescatore, VP and network security research director at Gartner Group, does not believe the lawsuits will stick because of the strict end-user licenses associated with software, but he argued that the legal battles will force Microsoft to clean up its act.

In an interview with internetnews.com, Pescatore said the lawsuits will force software vendors, particularly Microsoft, to make and market better, more secure and less vulnerable products.

"I certainly think it's a good thing to try to push increasing liabilities onto software vendors. But, I can see any of these lawsuits sticking with the way things are today. The end-user licensing agreements still put the onus on the consumers to ensure patches are applied," Pescatore said. "I don't think any of this first wave of lawsuits will be successful but, hopefully, it will help apply the pressure on the vendors."

In the end, Pescatore argued, software vendors must weigh the costs of making stronger, secure products against fighting numerous lawsuits.

Despite his optimism, Pescatore believes the move to pin liability on Microsoft will lead to government regulators stepping in and requiring useless disclaimers.

"We knew cigarettes were dangerous. Well, the regulators made the cigarette manufacturers put warnings on the cigarette packets. We now have ladders with 27 different warning stickers instead of addressing the issue of whether the ladder is secure," he explained.

Typical end-user agreements on Microsoft's flagship Windows products require the user to ensure the software is patched. "Every one of the major attacks we've seen recently was successful because of unpatched systems. Microsoft had a patch out before the attack so, in a straight legal sense, I can't see how they can be held liable," Pescatore argued.

However, he warned that the increasing specter of 'zero day' attacks that exploit flaws without patches could put Microsoft (and other vulnerable vendors) at risk of lawsuits.

The California class action suit comes on the heels of two major exploits targeted at Windows users. Last month, the 'Blaster' virus wreaked havoc on millions of PCs after taking advantage of a vulnerability in Microsoft's Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface.

Even though a 'critical' patch for that flaw had been widely available since July, the worm quickly replicated because end users had never applied the patch. Immediately after, a copycat, W32.Welchia.Worm, also attacked the DCOM RPC hole. It was created as a 'friendly' worm with good intentions (to patch systems against 'Blaster'), and it also exploited a separate vulnerability for which a patch was available.