Slashdot Mirror


Lawsuit Against Microsoft Over Insecure Software

Cinematique writes "Reuters reports that a California-based lawsuit alleges the Redmond software giant produces software with little concern for security and that their products are highly susceptible to, "massive, cascading failures." Should Microsoft's software be treated any differently than, say, automobiles?"

11 of 537 comments

  1. Following their lead by (54)T-Dub · · Score: 5, Interesting

    Valve might want to take a look at this lawsuit considering their potentially devastating loss reported earlier today. According to Gabe Newell, from whom the source code of their latest was stolen, a hacker gained access to his machine "via a buffer overflow in Outlook's preview pane." Read his entire message here.

    --

    "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
    1. Re:Following their lead by gfody · · Score: 4, Interesting

      there is a turn around time.. that is, how long it takes for an exploit to become known well enough that ms is made aware of it plus the time it takes for ms to develop and release a patch.

      to borrow your analogy, it sucks to be one of the few people whose car exploded before the manufacturer realized there was a problem and issued a recall.

      I know of a current exploit in explorer (mshta) that can be used to download and execute any application on your computer simply by loading a website. I know it works because a friend of mine used it on me to show off (and I'm up to date with current patches for winxp).

      The scary truth is that until enough harm is done with this exploit it will go undiscovered and unpatched and in the mean time you and I and everybody else are vulnerable to it (unless you don't use windows).

      --

      bite my glorious golden ass.
  2. and for OSS software? by chrysalis · · Score: 5, Interesting

    The problem is : if Microsoft is judged responsible, what would happen to others in the same situation ? Especially to free software ?

    1. Re:and for OSS software? by Tim+C · · Score: 3, Interesting

      I'm not aware of a single piece of software that I own that does come with a warranty. Furthermore, I do not remember ever even so much as hearing of any that did.

      Off the top of my head, I can think of three clauses that are common to all EULAs for proprietary software:

      * no reverse engineering
      * no copying
      * no warranty

      If MS can be held liable for defects, then so can all software producers. Speaking as one, I don't like the sound of that.

  3. WHY THIS IS NOT GOOD... by borgheron · · Score: 4, Interesting

    Any ruling making Microsoft liable could be used by the legal system as a precedent to make ALL software companies and/or individuals who produce software *personally* liable for damages arising from use. This may look like a "we've got 'em now" scenario, but it might come back to bite us.

    Later, GJC

    --
    Gregory Casamento
    Chief Maintainer for GNUstep
  4. Lawsuits aren't the way by ThogScully · · Score: 4, Interesting

    I'm up for some MS-bashing as much as the next slashdotter, but this isn't the way to beat Microsoft or get them to release secure code.

    Capitalism holds the answer - provide a better alternative that takes away their market share forcing them to improve or be left behind. With them being a monopoly, this problem is far greater in difficulty, but progress is always being made. Free software is getting viably close to many of the roles that many people use Windows for.

    I'd rather wait for that to happen than have another frivolous lawsuit like this. I'll feel better about the success of better software all around if MS gets to be better because of competition from free software getting better.
    -N

    --
    I've nothing to say here...
  5. Interesting Case by pavon · · Score: 4, Interesting

    At first I thought that this could be a very interesting case for many points. But its central argument appears to be poorly constructed. They are suing Microsoft because their monopoly makes their insecurity a bigger problem. I'm all in agreement with the "monoculture is bad" argument for many reasons, but you can't sue someone for being a monopoly, or for the bad effects of being a monopoly. Companies can only be held accountable for leveraging a monopoly, and this case has already been heard and decided on. The fact that we know more bad stuff that can happen because of their monopoly does not provide any more evidence that they are indeed leveraging their monopoly, so why do they think bringing them to court again over the same issues will result in a different ruling? Do they really think they have more resources and motivation to pursue this than the US and state governments combined?

    The other two claims are the interesting ones. Can software writers be held accountable for damages caused by flaws in their software? Even if they put an "anti-warranty" in their license? (I hope not) Are click-through license agreements valid in this case? These are all questions that would have to be asked.

  6. Consider this.... by thewiz · · Score: 5, Interesting

    Back in the 1980s, a Japanese worker was killed by a robot on an assembly line due to a software failure. And robot control systems are very thoroughly tested before a new model of robot is released. Microsoft is trying to muscle their way into the embedded marketplace; do you want software that has plenty of known defects/security issues running your robot?

    --
    If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
  7. IF you read the article... by javaxman · · Score: 5, Interesting

    you'll notice the case seems to hinge on Microsoft's monopoly status.

    If they did not have a monopoly on desktop computer systems, this type of lawsuit wouldn't be a problem for them. Since, due to all sorts of vendor lock-in promoted by Microsoft itself, it is difficult for users to pick a different desktop, the lack of security in their software ( i.e. buffer overflows everywhere ) ... I don't know. Since I'm not a lawyer, this is where the case falls apart for me.

    But maybe a monopolist which continues to abuse its position _should_ be held to a higher standard than others? Is it not arguable that MS has the resources required to audit all of its code and fix such issues? Maybe not technically true, but arguable in court...

  8. Re:I don't know what people want them to do. by GlassHeart · · Score: 4, Interesting
    every time I see an exploit, it's after Microsoft has already issued a patch.

    That's not a coincidence. A good way to find out where software is vulnerable is by examining the patch issued to fix it. It's only a matter of finishing that analysis and making the exploit before most people have patched, which can be months later.

    If Microsoft can be held legally liable, then it's extremely likely that in the future patches would be automatic and not optional. It's also likely to be more expensive, to cover the cost of "malpractice" insurance.

  9. Microsoft is a Special Case, and should Eat It by ewhac · · Score: 4, Interesting

    Though I am adamantly opposed to shrinkwrap "licenses," the one thing they do that I happen to agree with is the disclaimer of liability.

    Writing solid software is hard. Writing solid software to run on cheap, unreliable hardware is even harder. Though we ridicule software vendors, crashing software is a fact of life. One day, new technologies or engineering practices may appear to make writing reliable software easier, or to allow the user to "reverse" the machine back to the last known good state so they can at least save their work. But for now, software is flaky and, undesirable though it may be, users need to plan appropriately.

    That said, however, I believe there should be an exemption to the liability shield. Off the top of my head, the following factors should be considered to determine if liability should apply:

    • The scale of the failure (millions of compromised machines versus one guy's pr0n collection);
    • The vendor's demonstrated history of design/product flaws at first release;
    • The vendor's demonstrated history of correcting design/product flaws after release.

    The scale of each factor would be weighed to determine whether the software vendor should suffer liability. This standard should be set fairly high. If a company is consistently pro-active in correcting bugs, releasing patches, and informing users; or the failures are comparatively minor; or their products exhibit failures on a comparatively rare basis -- in other words, if they are clearly a good, conscientious citizen of the computing community -- then the vendor should escape liability. OTOH, if a company can be shown to persistently use flawed methodologies and designs, and they regularly ignore bug reports until the excrement hits the rotary impeller, and the bug can cause widespread havoc, then the vendor should be exposed to liability.

    Needless to say, Microsoft's 25-year history of releasing junk and not giving a $#!+ about it should be a reasonable foundation for a liability suit.

    Schwab