Is Microsoft Liable for Software Breaches?

A proposed class action lawsuit asking that Microsoft
be held liable for software security vulnerabilities has reportedly been filed in a Los
Angeles court, prompting a new round of discussion about the legal
liabilities faced by large software vendors.

According to a Reuters report, the complaint charges Microsoft
with unfair competition and infringement of California’s consumer laws. It
further alleged that Microsoft issues its security alerts too early, giving
virus writers and intruders enough time to create exploits before consumers
can apply patches.

The lawsuit also accused the software giant of issuing security bulletins
that are too technical and complex for end users.

Microsoft plans to fight the attempt to justify a class action suit,
arguing that the problems caused by destructive viruses and attacks are the
result of “criminal acts” and not because of vulnerabilities in software
products.

With software security flaws hogging the headlines
in recent months, the legal challenge to Microsoft has spawned a new debate
about whether technology firms should be held liable for weaknesses in the
software they market.

John Pescatore, VP and network security research director at Gartner
Group, does not believe the lawsuits will stick because of the strict
end-user licenses associated with software but he argued that the legal
battles will force Microsoft to clean up its act.

In an interview with internetnews.com, Pescatore said the lawsuits
will force software vendors, particularly Microsoft, to make and market
better, more secure and less vulnerable products.

“I certainly think it’s a good thing to try to push increasing
liabilities onto software vendors. But, I can see any of these lawsuits
sticking with the way things are today. The end-user licensing agreements
still put the onus on the consumers to ensure patches are applied,”
Pescatore said. “I don’t think any of this first way of lawsuits will be
successful but, hopefully, it will help apply the pressure on the vendors.”

In the end, Pescatore argued, software vendors must weigh the costs of
making stronger, secure products against fighting numerous lawsuits.

Despite his optimism, Pescatore believes the move to pin liability on
Microsoft will lead to government regulators stepping in and requiring
useless disclaimers.

“We knew cigarettes were dangerous. Well, the regulators made the
cigarette manufacturers put warnings on the cigarettes packets. We now have
ladders with 27 different warning stickers instead of addressing the issue
of whether the ladder is secure,” he explained.

Typical end-user agreements on Microsoft’s flagship Windows products
require the user to ensure the software is patched. “Every one of the major
attacks we’ve seen recently was successful because of unpatched systems.
Microsoft had a patch out before the attack so, in a straight legal
sense, I can’t see how they can be held liable,” Pescatore argued.

However, he warned that the increasing specter of ‘zero day’ attacks that
exploit flaws without patches could put Microsoft (and other vulnerable
vendors) at risk of lawsuits.

The California class action suit comes on the heels of two major
exploits targeted at Windows users. Last month, the ‘Blaster’ worm wreaked havoc
on millions of PCs after taking advantage of a vulnerability in Microsoft’s
Windows Distributed Component Object Model (DCOM) Remote Procedure Call
(RPC) interface.

Even though a ‘critical’ patch for that flaw had been widely available since
July, the worm replicated quickly because end users had never applied the
patch. Immediately afterward, a copycat, W32.Welchia.Worm, also attacked
the DCOM RPC hole. It was created as a ‘friendly’ worm with good intentions
(to patch systems against ‘Blaster’), and it also exploited a separate
vulnerability for which a patch was available.
