Slashdot Mirror


Lawsuit Against Microsoft Over Insecure Software

Cinematique writes "Reuters reports that a California-based lawsuit alleges the Redmond software giant produces software with little concern for security and that their products are highly susceptible to "massive, cascading failures." Should Microsoft's software be treated any differently than, say, automobiles?"

27 of 537 comments

  1. Following their lead by (54)T-Dub · · Score: 5, Interesting

    Valve might want to take a look at this lawsuit considering their potentially devastating loss reported earlier today. According to Gabe Newell, from whom the source code of their latest was stolen, a hacker gained access to his machine "via a buffer overflow in Outlook's preview pane." Read his entire message here.

    --

    "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
    1. Re:Following their lead by gfody · · Score: 4, Interesting

      There is a turnaround time.. that is, how long it takes for an exploit to become known well enough that MS is made aware of it plus the time it takes for MS to develop and release a patch.

      To borrow your analogy, it sucks to be one of the few people whose car exploded before the manufacturer realized there was a problem and issued a recall.

      I know of a current exploit in explorer (mshta) that can be used to download and execute any application on your computer simply by loading a website. I know it works because a friend of mine used it on me to show off (and I'm up to date with current patches for winxp).

      The scary truth is that until enough harm is done with this exploit it will go undiscovered and unpatched and in the meantime you and I and everybody else are vulnerable to it (unless you don't use windows).

      --

      bite my glorious golden ass.
    2. Re:Following their lead by Talez · · Score: 4, Funny

      I know of a current exploit in explorer (mshta) that can be used to download and execute any application on your computer simply by loading a website. I know it works because a friend of mine used it on me to show off (and I'm up to date with current patches for winxp).

      Link please. Let's leave the anecdotal evidence arguments back in the 20th century where they belong.

    3. Re:Following their lead by elemental23 · · Score: 4, Informative

      He's probably referring to one of these, some of which can reportedly run arbitrary code.

      --
      I like my women like my coffee... pale and bitter.
  2. and for OSS software? by chrysalis · · Score: 5, Interesting

    The problem is: if Microsoft is judged responsible, what would happen to others in the same situation? Especially to free software?

    1. Re:and for OSS software? by NanoGator · · Score: 5, Insightful

      "The problem is: if Microsoft is judged responsible, what would happen to others in the same situation? Especially to free software?"

      I'm glad somebody else finally said this.

      There are a few simple things to consider:

      - Software is written by error-prone humans.
      - Software is maliciously used by people who concoct creative ideas.
      - Linux may be more secure by default, but it's still a human error away from having the same type of problem hit it.

      I'll tell you all something, I'd be scared shitless about releasing an app on the web if it turned out I could be responsible for somebody else being a bastard with it.

      --
      "Derp de derp."
    2. Re:and for OSS software? by WhiteWolf666 · · Score: 4, Insightful

      I suspect that when you PURCHASE software, there are reasons that the developer is more 'legally' accountable for their products than when you use open-source and/or free software.

      Generally, there seem to be more protections against poor products when a transaction is involved: it is much easier to release your product 'as-is' than it is to sell it.

      Microsoft may also be a unique case: I suspect that the sheer complexity and audacity that is the MS EULA might be easier to challenge in court than a simple, "You can have my software if you like, it might blow up your computer, but it's not my problem, and don't say I didn't warn you".

      Additionally, MS claiming that they are developing trustworthy products, advertising claims that you can rely on their software, and the overwhelming monopoly position they have on the desktop may place a greater, if not unique, burden upon them.

      You don't often see MS claiming that Windows' security faults are your problem, do you? Except in the fine print of a legal document which probably wouldn't stand up in court.

      The question is, what sort of general consumer protection laws would apply if the EULA is declared invalid?

      --
      WhiteWolf666 an exBush supporter. All you new-school, compassionate, save the children Republicans can rot in hell
    3. Re:and for OSS software? by NanoGator · · Score: 4, Insightful

      " why should software be treated differently than other products? And I have yet to see a lucid argument that it should."

      It's very simple: Software is in a unique environment where just about anything can happen. After all, computers are very generalized in what they do. The nature of this generalized environment is that somebody can be malicious in so many different ways that it's ridiculous to believe that anybody can ever make anything totally secure. Once somebody is *in*, then that's it. They can destroy the data on the computer, they can lock it up so nobody can use it, or they can infect another machine.

      As for physical products, an entirely different environment applies. There are controlled ways to use the product. It's reasonable that your car is on the road driving a certain speed. It's reasonable that if the tire explodes for whatever reason, it does so in such a way that it doesn't get tangled up in the car and lock it up, causing rollover. So what happens when it turns out that the tires are defective? They get recalled. Software can be patched, but not recalled.

      So let's talk about a computer on the net here. You've got a Windows computer using Outlook Express. It's on the net 24/7 thanks to broadband. (Spare me the usual uptime jokes about Windows, they were funny back in 99.) Somebody sends you an email, and it causes something to happen in Outlook Express. The exploit was the use of a feature in Outlook. Let's say that the hacker didn't use a buffer overflow or anything like that, they just used the default features and found a way to cause mischief with them.

      Okay, so somebody went with Microsoft's defaults and they ended up sending a virus to everybody in their contact list. Is Microsoft responsible?

      Well, that's the funny thing about computers, the answer is not black and white. First, when the feature was originally developed, was Microsoft negligent for allowing that sort of exploit? That's a toughie. In some ways, yes, in some ways, no. Should Microsoft have anticipated somebody'd be an ass with it? Hindsight is 20/20. Did one programmer put in the activex feature and another programmer put in the 'email everybody on your contact list' feature? Was there a disconnect that prevented the foresight that somebody would do that? If so, what about the user? Were they being responsible? Did they take the proper security precautions?

      Even back in 1995, there was talk about internet security. Watch out for malicious files. Careful what you open! Should the user have at least looked at the security settings? Some would say, yes. Computers are not simple devices. Nor are they assembly line machines, almost all of them are unique in some form or another. It's sort of like depending on TV to have your values in mind when it blasts programming to your children.

      What about patches? Microsoft can't 'recall' the product reasonably. (look at all the pirated copies of Windows out there) So what do they do? They release a patch. Should users stay on top of patching? Of course! MS puts all this effort into fixing stuff, at some point they just cannot be blamed for the damage caused by a virus or worm.

      Anyway, I've babbled too much here. You asked why software is different. The short and very simple answer is that responsibility is shared between both the software maker and the user to a larger degree than most products. Worse, the exploits that are often used don't really apply in a negligence case in the real world. Buffer underruns come to mind. Somebody has to be fairly slick to figure that one out. It's sort of like figuring out the exact sonic frequency it'd take to make a car's tires explode, and then figuring out a way to broadcast it in such a way that it affects cars all over the place. Is Firestone responsible for negligence for not protecting their tires against this type of attack? After all, materials resonate at certain frequencies. Are they negligent for leaving that vulnerability o

      --
      "Derp de derp."
    4. Re:and for OSS software? by Keeper · · Score: 4, Insightful

      "If your code isn't properly split into many small, specific tasks, then you're doing something wrong."

      If you make statements like this, you obviously don't have a clue about programming anything more than little helper utilities.

      All code is split into small, specific tasks. They're called functions.

      The interaction between the small specific tasks is where you have problems. You get even more problems when parts of the system have to maintain some sort of "state" about what's going on.

      Mix 1000 of these things together, and it's hard to keep working right. Now mix 10,000 of them. Now deal with 100,000 of them.

      Next, throw a few extra simple things like threads into the mix and tell me that you will know the implication of the interaction of all of those pieces at any given moment in time.

  3. Oh man... by identity0 · · Score: 5, Funny

    How long before SCO joins in and sues Microsoft? "Your honor, this code is so crappy, it *clearly* had to come from us!"

  4. I don't know what people want them to do. by Sheetrock · · Score: 5, Insightful
    Lawsuits aren't going to do anything but make lawyers richer.

    Besides, every time I see an exploit, it's after Microsoft has already issued a patch. This would seem to suggest that they aren't as responsible for the problems as many seem to think they are; as soon as they're aware of an issue, they fix it. Maybe they could design the stuff secure out of the box, but they'd be the first manufacturer to accomplish such a feat.

    Stop using it if it's a problem. There are alternatives now.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

    1. Re:I don't know what people want them to do. by GlassHeart · · Score: 4, Interesting
      "every time I see an exploit, it's after Microsoft has already issued a patch."

      That's not a coincidence. A good way to find out where software is vulnerable is by examining the patch issued to fix it. It's only a matter of finishing that analysis and making the exploit before most people have patched, which can be months later.

      If Microsoft can be held legally liable, then it's extremely likely that in the future patches would be automatic and not optional. It's also likely to be more expensive, to cover the cost of "malpractice" insurance.
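    The buffer overflow blamed for the Valve leak in T-Dub's post above, and GlassHeart's point that the patch itself tells you where to look, in one added example. This is constructed illustration code, not part of the thread and not Microsoft's or Valve's code, and it does not reproduce the real Outlook flaw: a minimal "preview pane" Subject-header parser in C with the classic unchecked copy beside its bounded version. The struct layout (a fixed buffer sitting directly below a word standing in for the saved return address), the sentinel value, the 32-byte limit and the sample message are all assumptions for the demo. The only difference between the two functions is one length check, which is exactly the kind of one-line change a before/after patch diff exposes, and why working exploits tend to appear shortly after the fix ships.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SUBJ_MAX 32                    /* fixed subject buffer (assumed size) */
#define SAVED_RET_SENTINEL 0xCAFEF00Du /* stands in for a real return address */

/* Stand-in for a stack frame: the fixed buffer sits directly below a word
 * playing the role of the saved return address. The layout is an assumption
 * for this demo, not Outlook's. */
struct pane_frame {
    char subject[SUBJ_MAX];
    unsigned int saved_ret;
};

/* Locate the value of the first "Subject: " header. Stores the value's
 * length (up to end of line) in *len; returns NULL if the header is absent. */
static const char *find_subject(const char *msg, size_t *len)
{
    const char *p = strstr(msg, "Subject: ");
    if (p == NULL)
        return NULL;
    p += strlen("Subject: ");
    const char *eol = strchr(p, '\n');
    *len = eol ? (size_t)(eol - p) : strlen(p);
    return p;
}

/* Vulnerable: copies the header value trusting its length, so anything past
 * SUBJ_MAX spills into saved_ret. Returns bytes written. (The copy is capped
 * at the whole frame only so this demo stays well-defined C; the real bug
 * has no cap and keeps writing up the stack.) */
size_t render_subject_unsafe(const char *msg, struct pane_frame *f)
{
    size_t len;
    const char *v;

    f->saved_ret = SAVED_RET_SENTINEL;
    v = find_subject(msg, &len);
    if (v == NULL) {
        f->subject[0] = '\0';
        return 0;
    }
    if (len > sizeof(*f))
        len = sizeof(*f);                       /* demo-only cap, see above */
    memcpy((unsigned char *)f, v, len);         /* BUG: no SUBJ_MAX check */
    return len;
}

/* Fixed: identical except for one bounds check. Over-long subjects are
 * rejected (-1) rather than silently truncated, so the caller can treat the
 * message as hostile. Returns bytes copied otherwise. */
int render_subject_safe(const char *msg, struct pane_frame *f)
{
    size_t len;
    const char *v;

    f->saved_ret = SAVED_RET_SENTINEL;
    v = find_subject(msg, &len);
    if (v == NULL) {
        f->subject[0] = '\0';
        return 0;
    }
    if (len >= SUBJ_MAX)                        /* the one-line fix */
        return -1;
    memcpy(f->subject, v, len);
    f->subject[len] = '\0';
    return (int)len;
}

/* Constructed hostile message: a Subject header made of n 'A' bytes. */
void make_hostile(char *buf, size_t bufsz, size_t n)
{
    const char *hdr = "From: sender@example.org\nSubject: ";
    size_t h = strlen(hdr);
    if (h + n + 2 > bufsz)
        n = bufsz - h - 2;
    memcpy(buf, hdr, h);
    memset(buf + h, 'A', n);
    buf[h + n] = '\n';
    buf[h + n + 1] = '\0';
}

int main(void)
{
    char msg[128];
    struct pane_frame f;
    int rc;

    /* 32 bytes fill the buffer, the next 4 land on the "return address". */
    make_hostile(msg, sizeof msg, SUBJ_MAX + sizeof f.saved_ret);
    render_subject_unsafe(msg, &f);
    printf("unsafe: saved_ret = 0x%08x (was 0x%08x)\n", f.saved_ret, SAVED_RET_SENTINEL);
    rc = render_subject_safe(msg, &f);
    printf("safe:   rc = %d, saved_ret = 0x%08x\n", rc, f.saved_ret);
    return 0;
}
```

    Run as-is it reports the sentinel replaced by 0x41414141 ('AAAA') in the unsafe path and an untouched sentinel with rc = -1 in the safe path. Rejecting rather than truncating is deliberate: a truncated subject renders fine and hides the fact that someone sent you an attack string.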

  5. Problems... by littlerubberfeet · · Score: 5, Informative

    It specifically says in M$'s TOS that the software is not to be used for any life-critical applications. In fact, QNX is the only company that will license software for life critical stuff. Microsoft also has a non-responsibility clause in their TOS. This is going to be a long, drawn out fight, like the one against tobacco companies.

    Statistically, one could probably claim that Microsoft products have killed people in an indirect manner.

  6. More Questions than Answers by notcreative · · Score: 4, Insightful

    What are the costs to the user when software vendors are held to the same reliability standards as auto makers?

    Should there be differentiation between operating system stability and application stability?

    What responsibility does the user have for securing their own property?

    How will different countries answer these questions, and what is the implication for US software vendors if there are 80 separate standards of culpability for an operating system?

    And since I should have at least one answer, the speed of light is slower in materials with a higher index of refraction.

  7. WHY THIS IS NOT GOOD... by borgheron · · Score: 4, Interesting

    Any ruling making Microsoft liable could be used by the legal system as a precedent to make ALL software companies and/or individuals who produce software *personally* liable for damages arising from use. This may look like a "we've got 'em now" scenario, but it might come back to bite us.

    Later, GJC

    --
    Gregory Casamento
    ## Chief Maintainer for GNUstep
  8. Except. by Anonymous Coward · · Score: 5, Insightful

    With the horrible network congestion and system compromise that has come with the recent rash of massive MS worms, you do not have to have agreed to a EULA in order to be harmed by Microsoft's poor design and blatant disregard for security.

    In other words: it has reached the point where even people who are not Microsoft product users are harmed by Microsoft's irresponsibility. The messes created by the holes in MS products make EVERYONE a possible target for collateral damage.

  9. Lawsuits aren't the way by ThogScully · · Score: 4, Interesting

    I'm up for some MS-bashing as much as the next slashdotter, but this isn't the way to beat Microsoft or get them to release secure code.

    Capitalism holds the answer - provide a better alternative that takes away their market share forcing them to improve or be left behind. With them being a monopoly, this problem is far greater in difficulty, but progress is always being made. Free software is getting viably close to many of the roles that many people use Windows for.

    I'd rather wait for that to happen than have another frivolous lawsuit like this. I'll feel better about the success of better software all around if MS gets to be better because of competition from free software getting better.
    -N

    --
    I've nothing to say here...
  10. Interesting Case by pavon · · Score: 4, Interesting

    At first I thought that this could be a very interesting case for many points. But its central argument appears to be poorly constructed. They are suing Microsoft because their monopoly makes their insecurity a bigger problem. I'm all in agreement with the "monoculture is bad" argument for many reasons, but you can't sue someone for being a monopoly, or for the bad effects of being a monopoly. Companies can only be held accountable for leveraging a monopoly, and this case has already been heard and decided on. The fact that we know more bad stuff that can happen because of their monopoly does not provide any more evidence that they are indeed leveraging their monopoly, so why do they think bringing them to court again over the same issues will result in a different ruling? Do they really think they have more resources and motivation to pursue this than the US and state governments combined?

    The other two claims are the interesting ones. Can software writers be held accountable for damages caused by flaws in their software? Even if they put an "anti-warranty" in their license? (I hope not) Are click-through license agreements valid in this case? These are all questions that would have to be asked.

  11. Re:Except that... by blamanj · · Score: 5, Insightful

    Severity isn't the only issue. If your automobile was faulty in a way that caused it to safely pull over to the side of the road but it wouldn't restart for half an hour, you'd still see recalls for lost time and money.

    The danger here isn't just that it feeds a lot of lawyers, and isn't making software manufacturers produce less buggy code -- that's something that's been needed for a long time.

    The danger is that someone like MS says "OK, we'll accept liability, but only if it's our software, running on our operating system, with no additional code on the system that we didn't install, and only on hardware we approve of," and we end up with even more of a monopoly.

  12. Fit for purpose? by samj · · Score: 4, Insightful

    Here in Australia we take things into account like the price of the goods and the purpose for which they were intended. You're not, for example, going to have much luck suing someone over those $2 scissors you were using to conduct major surgery, but you may succeed with the $200 surgical variety.

    Now if MS were happy charging a reasonable (given the price of hardware, say, $100 - 10% of a machine's value rather than $1500 and 150%!) price for their software, and weren't running around trying to force their way into everything with a processor then they'd probably be safer from such claims than they are now.

  13. Consider this.... by thewiz · · Score: 5, Interesting

    Back in the 1980s, a Japanese worker was killed by a robot on an assembly line due to a software failure. And robot control systems are very thoroughly tested before a new model of robot is released. Microsoft is trying to muscle their way into the embedded marketplace; do you want software that has plenty of known defects/security issues running your robot?

    --
    If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
  14. Re:Except that... by stonecypher · · Score: 4, Insightful

    "...no one gets killed when Dr. Watson pops up and you have to restart Word."

    Notably, lawsuits can be filed for things that just cost tremendous amounts of money. Case in point, the supposition that the Half-Life 2 beta may have been leaked through an Outlook preview pane exploit, as other /.ers have already pointed out. Also, consider all of the hubbub about viruses shutting down public services, possibly including a transportation service and a nuclear power plant system in recent history.

    Of course, this all begs the question "why the hell were the nuclear power plant, train system, and half-life build system connected to the internet in the first place?" Folks, here's a gigantic hint: software is insecure. If you want something to be secure, take it off of the fucking intarweb. The nuclear power plant just doesn't need Fark that badly. Let them read it on their PDAs.

    Like the people maintaining those systems don't know better.

    --
    StoneCypher is Full of BS
  15. IF you read the article... by javaxman · · Score: 5, Interesting

    you'll notice the case seems to hinge on Microsoft's monopoly status.

    If they did not have a monopoly on desktop computer systems, this type of lawsuit wouldn't be a problem for them. Since, due to all sorts of vendor lock-in promoted by Microsoft itself, it is difficult for users to pick a different desktop, the lack of security in their software (i.e. buffer overflows everywhere) ... I don't know. Since I'm not a lawyer, this is where the case falls apart for me.

    But maybe a monopolist which continues to abuse its position _should_ be held to a higher standard than others? Is it not arguable that MS has the resources required to audit all of its code and fix such issues? Maybe not technically true, but arguable in court...

  16. The auto analogy is quite close.. by A_Non_Moose · · Score: 4, Insightful

    well, for the joke that sprang to mind immediately:

    It goes;
    A Mechanical Engineer, Marketer and Programmer were driving in the mountains, when the car's brakes failed and they crashed into one of the breakdown barriers (big mounds of gravel to stop trucks).

    The Mechanical Engineer says, "I will look under the car and determine why the brakes failed, and how to fix it so it does not happen again".

    The Marketer says, "I've got to tell the car company, so that word can get out if this needs to be a recall notice".

    The Engineer and Marketer look at the Programmer who says, "I think we should push it back up the hill and see if we can get it to crash again".

    Think about it... this seems very close to Microsoft's Mentality: all windows users are crash test dummies.

    Case(s) in point: The remote code execution in Windows Media Player that allowed content to be executed (similar to the MIDI flaw in dx9.0a and below) was fixed in 6.x versions and re-opened in subsequent versions, not once, but at least 3 times!

    The RPC vulnerability wasn't fixed until the second time, hence the need for *another* patch because Microsoft had not FIXED the vulnerability, just enough to protect against the first exploit.
    (Little Dutch Boy story ring a bell, Mr. Pavlov?)

    And their strategy for integrating everything into the OS is actually driving XP users back to 98se.
    Yes, 98se where the IM client, browser, outlook express, media player, passport and another half dozen things aren't integrated into the OS (as proven by 98lite).

    Why?

    It *annoys* the piss out of people.

    Wonder why?

    --
    Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
  17. Microsoft is a Special Case, and should Eat It by ewhac · · Score: 4, Interesting

    Though I am adamantly opposed to shrinkwrap "licenses," the one thing they do that I happen to agree with is the disclaimer of liability.

    Writing solid software is hard. Writing solid software to run on cheap, unreliable hardware is even harder. Though we ridicule software vendors, crashing software is a fact of life. One day, new technologies or engineering practices may appear to make writing reliable software easier, or to allow the user to "reverse" the machine back to the last known good state so they can at least save their work. But for now, software is flaky and, undesirable though it may be, users need to plan appropriately.

    That said, however, I believe there should be an exemption to the liability shield. Off the top of my head, the following factors should be considered to determine if liability should apply:

    • The scale of the failure (millions of compromised machines versus one guy's pr0n collection);
    • The vendor's demonstrated history of design/product flaws at first release;
    • The vendor's demonstrated history of correcting design/product flaws after release.

    The scale of each factor would be weighed to determine whether the software vendor should suffer liability. This standard should be set fairly high. If a company is consistently pro-active in correcting bugs, releasing patches, and informing users; or the failures are comparatively minor; or their products exhibit failures on a comparatively rare basis -- in other words, if they are clearly a good, conscientious citizen of the computing community -- then the vendor should escape liability. OTOH, if a company can be shown to persistently use flawed methodologies and designs, and they regularly ignore bug reports until the excrement hits the rotary impeller, and the bug can cause widespread havoc, then the vendor should be exposed to liability.

    Needless to say, Microsoft's 25-year history of releasing junk and not giving a $#!+ about it should be a reasonable foundation for a liability suit.

    Schwab

  18. Re:No by fajoli · · Score: 4, Insightful

    It shouldn't be held to the same liabilities as an automobile. An automobile has the potential to hurt or kill people in it if it has defects. It is the responsibility of the auto company to make sure their cars will not hurt people due to their engineering flaws. In the case of Windows, no one is stopping you from using another operating system if theirs is not stable enough for your use. I think you should be able to get a refund if their software doesn't do what it says it can and then move to Linux, OS X or whatever else you would like to use. Suing MS for bad software is like saying you cannot use something else. I use something else so why can't California?

    Yet automobile manufacturers are also sued for nonhazardous situations. I think Toyota was sued for premature engine failure due to sludge build-up. I think suing Microsoft is more in line with this thinking.

    Using your logic, there is no expectation of fitness for use for software at all. You can have all the features in the world. Just don't expect to use them.

    'Use something else,' you say. How would you like your "Microsoft" car dealer to tell you that after you discover your car is a lemon? Oh, by the way, all the other manufacturers' cars don't work on Microsoft Roads. And there is no refund.

  19. Microsoft and life-critical systems by dstone · · Score: 4, Funny

    This man speaks the truth: "if I were on life-support, I'd rather have it run by a Gameboy than a Windows box"
    -- Cliff Wells, 2002.03.13, in comp.lang.python (original UseNet article)