Slashdot Mirror
Microsoft Sued for Defective Software
Door-opening Fascist writes "eWeek is reporting that a South Korean citizen action group, People's Solidarity for Participatory Democracy, is suing Microsoft for putting the SQL Slammer vulnerability into Windows. They are doing so on behalf of the South Korean people and businesses affected by SQL Slammer."
Clearly they haven't read their software agreements. It specifically states that MS is not responsible for damage caused as a result of their products. A better chance to procecute MS would have been during the Code Red incident. One might have argued that not being proactive enough about patching consitituted "negligence" on their part. I guess it can't hurt to try!
First, this is not good if he wins, because someone could sue a GPL author for the same kind of deal.
How so? Last I checked, people who released software under the GPL didn't spend millions on advertising that claims said software is secure and reliable.
Plus, GPLed software has the source publicly available, so the argument could be made that reviewing the code before deploying it would comprise 'due diligence' on the part of anyone who wished to use that software, and that if someone didn't do that, it's negligence on their part.
With Microsoft, you can't take a look at their code, you just have to take them at their word (HAH!) when they say how good it is.
Google: AARD:
A Serious Message and the Code That Produced It.
Microsoft included a bug in the Win 3.1 Beta that caused Dr. DOS users to crash.
Unsurprisingly the makers of Dr. DOS lost their jobs, like many other victims of malicious code.
Hard sell for the exploit that caused slammer. Maybe other exploits/bugs.
.DLL. Even though no one ever used the .DLLs in question ( I think it was .hda, .hdq files ) they could have been. You could argue that someone could have written a program that used to long a URL and crashed IIS. The slammer was using a port in a way it was never intended to be used.
SQL has a pretty good record for security. The exploit had also been patched before the worm.
The exploit was not put in on "purpose". I guess it could have been, but that is a pretty hard to believe.
The virus spread fast, but only because there is not a million SQL servers out there exposed. So it spread across the web fast, big deal.
Furthermore good administration ( especially for a db server), ie. a good firewall could have blocked it. There is the desktop engine that could have been hit, but most apps that use it are still in the server category.
The exploit itself is not a defect. Sure it could be used by an attacker, but in itself it didn't make the software defective. This could spawn a big argument. Is an exploit that would never actually impede a program unless someone uses it really a bug?
Code red was a buffer overrun in an ISAPI
I agree that companies should be held accountable, but intent and the way a company handles the defect also.
MS essentially called a recall by issueing the patch. It said, send in the part and we'll fix it, but in a more modern approach. How can you sue a company that found the exploit and offered a free fix?
In case you didn't notice, free software (being free and supplied at no charge) carries no warranty, expressed or implied.
This is all fine because they made no representation to you about what it could do. They never made any claims that it was fit for purpose.
Sure - Mandrake, RedHat et al might be in trouble, but open source software and especially the writers are legally in the clear.
Personally I believe that if someone impliments OpenSSL badly _in a way that I cannot check_ and requires me to trust my data to them then they _should_ be liable for damages. (So this would cover, say, implimentations of SSL where the host was cracked or traffic sniffed at a later point where it was in plain text, or the key was compromised.) However, this is not the fault of the OpenSSL developers, and so they should not be liable.
In contrast to this Slammer was caused (in part) by Microsoft making it very hard to install a critical security fix, and not properly notifying people of the peoblem (in their usual 'security fix language' it was described as a minor issue), when part of their responsibility in selling you SQL server was making it secure. Thus they should be at least partly responsible for the damages.
Beep beep.
Just like those admins that didn't patch their boxes didn't exercise "due diligence"? Even though a patch was availible for months before? Negligent like them?
Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
I'll get modded down as redundant, but it needs to be said as many times as possible (and I don't see much of it in this thread [reading @ +1]):
A legal remedy here would set a really bad precedent - as a software developer who is not unrealistic about my skill level, I am terrified of software liability becoming either law or accepted assumption.
If MS loses this, I see absolutely no way I could defend myself if, god forbid, a program I wrote or even maintained caused catastrophic dataloss, or in worse cases, physical injury.
Note: Ironically, just *yesterday* I was bitch-slapped, albeit in an odd way, by Slammer: in certain situations, applying one of the hotfixes to SQL server that closes the Slammer vuln. without having SQL Server SP2 installed *completely* horks up SQL Server. The ISP (Rackspace) of a dedicated rack unit I "manage" on contract (client has almost no $$$) installed said hotfix in the process of physical maintenance, so I got a panicked call from my client in NYC that the "server is down". A couple of hours worth of research later, I was fine, but it sucked my afternoon away.
I hate the stacks of dependant/conflicting patches and service packs, not to mention the damn bugs, but I'd prefer to take the risks on this end than be open to litigation of software I write contains bugs.
--astro
Strangely, none of the posts so far have mentioned the author(s) of Slammer as being one of those responsible for this mess. They're certainly harder to find (ok, they'll probably never be found), but shouldn't the culpability be shared with those who exploited the problem? It's not as though the server didn't perform its primary function correctly (storage and retrieval of database records), it's that it had a security vulnerability.
To borrow the Ford Pinto analogy from previous posts, it seems somewhat like somebody cutting your brake lines and then you suing Ford for making the lines so easily accessible. I think the person who cut the lines is truely responsible.