South Korean Group Sues Microsoft Over Slammer

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,3959,1054790,00.asp

By Dennis Fisher
May 5, 2003 

In a sign of users' increasing frustration with the security
shortcomings of many software applications, a civic group in South
Korea has made good on their threat to file a lawsuit against
Microsoft Corp.'s Korean subsidiary, a Korean ISP and the country's
Information Ministry.

The suit is the direct result of the havoc caused by the SQL Slammer
worm in January. The worm infected thousands of machines all over the
world running Microsoft's SQL Server 2000 software, but it hit South
Korea particularly hard. Some ISPs in the country were knocked
off-line for extended periods of time thanks to huge amounts of
network traffic generated by the worm. Damage in the U.S. was mostly
limited to smaller network outages, but at least one bank's ATM
machines were affected, as was the 911 system in one locality.

Slammer exploited a known flaw in the database software for which
Microsoft, based in Redmond, Wash., had released a patch six months
prior to the outbreak of the worm. But that apparently wasn't
sufficient to satisfy the plaintiffs in the Korean lawsuit. The
People's Solidarity for Participatory Democracy, suing on behalf of
more than 1,500 Internet users, 70 Internet café owners and an online
shopping site, says that Microsoft is at fault for allowing the
vulnerability into the SQL Server software in the first place,
according to a story in the Korean-language Chosun Ilbo newspaper. The
group had been threatening to file the suit for several months.

The action is predicated on the country's Product Liability Act, which
enables consumers to sue for damage resulting from products. There is
some question, however, as to whether software qualifies as a product
under the terms of the law.

Such lawsuits - especially those that name software vendors as
defendants - are relatively rare, thanks to the terms of the user
license agreements that accompany virtually every commercial
application sold today. License agreements typically require that
users agree to use the software as-is and surrender any rights to hold
the manufacturer liable for defects or damage caused by the
application.

In some cases, large corporate customers have service level agreements
that give them the ability to hold their ISPs liable for network
outages that affect the companies' ability to do business. But
individual consumers don't enjoy such protections and are essentially
left to their own devices when it comes to problems such as Slammer.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.