Information Security News mailing list archives

Re: South Korean Group Sues Microsoft Over Slammer


From: InfoSec News <isn () c4i org>
Date: Wed, 7 May 2003 04:14:06 -0500 (CDT)

Forwarded from: Kurt Seifried <kurt () seifried org>

http://www.eweek.com/article2/0,3959,1054790,00.asp
http://english.chosun.com/w21data/html/news/200304/200304300025.html

I see several problems with this suit and suspect it will fail. It
seems overly broad, and while it covers one primary event (the Slammer
worm) it is actually comprised of a number of completely separate
incidents/issues. It also leaves out several notable groups of
potential defendants.

1) Users who actually had MS-SQL or MSDE installed (as it turns out this is
a lot of products) and were infected by Slammer
1a) I have not seen the South Korean "Product Liability Act" but I assume it
means you can only sue the person who sold you the product, or the original
manufacturer (i.e. the end seller or Microsoft). I do not see how an
ISP/government agency comes into this.
1b) For MSDE users who is responsible? The vendor of the end software that
uses MSDE or Microsoft? This is not clear as the vendor often includes MSDE
in ways that do not allow it to be updated unless the vendor issues an
update. This gives Microsoft a LOT of room to maneuver.
1c) Microsoft has consistently made it clear that products need to be
patched, in the case of MS02-061:
"Maximum Severity Rating: Critical"

1d) Improper use of affected products. It can easily be argued that people
affected by the Slammer worm were negligent in the use and maintenance of
the affected products. There are very few situations I can think of for
legitimately opening up MS-SQL products to the Internet at large.
1e) A patch was available for many months from Microsoft, thus it can be
argued that they exercised their duty to customers, it now falls upon
customers and third party software vendors to ensure that the patch is
installed and is compatible with software packages.
1f) Software license agreements and all that stuff we love to hate, I won't
even touch this can of worms other than to mention it.

2) Customers of affected ISPs
2a) The issue in question here is what the Service Level Agreements and
other contracts with the affected ISPs say. I suspect many ISPs include
terms like "act of god", "customer negligence" and "circumstances outside of
our control"; if this is the case then the case against them is greatly
weakened.
2b) Was the disruption caused by the customer in question (i.e. the uplink
was flooded) or other customers (i.e. the downlink is flooded)? If it's the
uplink then again the ISP has a lot of room to move.

3) Can losses be proven?
3a) In the case of an online store this is difficult; it seems simple at
first. Simply show graphs and statistics of online sales over the last
week/month/year(s) and note a large dip at the time Slammer occurred. Easy
huh? But is that dip due to the online store not being available due to
Slammer or because many client systems were affected, i.e. dialup
users/broadband users were sufficiently slowed down that they gave up on
using the Internet that day and went outside or something.
3b) In the case of an online user this is difficult; they can claim that the
Internet slowed to a halt, but how many will have useful evidence (such as
traceroutes) to end sites to prove that it was their end? Simply reverse the
online store defense and claim that the sites the user tried to access were
heavily lagged and at fault, not the user's ISP. Proving "damages" occurred
because you could not access the Internet is unlikely for most users.

This suit is especially messy in that it relies on laws not yet applied to
such circumstances (i.e. it may be precedent setting) and also rests on a
huge number of technical details (firewalls, patching, etc.). It will be
interesting to see what happens (assuming it doesn't get quashed right
away).

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
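Points 1d and 1e above turn on two technical facts a defender can actually check: whether an MS-SQL or MSDE instance is reachable from the Internet, and whether the host has the patch applied. The script below is an added example, not part of the original post, that runs such a check over a constructed inventory of firewall rules. The port numbers are the standard SQL Server ones (TCP 1433 for the database engine, UDP 1434 for the SQL Server Resolution Service, which is the port Slammer targeted); the hostnames, rule records and the patched-host list are invented for the example.

```python
"""Flag MS-SQL/MSDE services that firewall rules leave reachable from the Internet.

Added example (not from the original post). The rule inventory below is
constructed; hostnames and source ranges are placeholders.
"""
from ipaddress import ip_network
from typing import Dict, FrozenSet, Iterable, List

# Standard SQL Server ports: TCP 1433 database engine,
# UDP 1434 SQL Server Resolution Service (the port Slammer targeted).
SQL_SERVER_PORTS = {("tcp", 1433), ("udp", 1434)}

# Constructed sample inventory: one record per "allow" rule, giving the host,
# the service it permits and the source network the rule accepts.
SAMPLE_RULES: List[Dict[str, object]] = [
    {"host": "db01",  "proto": "udp", "port": 1434, "src": "0.0.0.0/0"},
    {"host": "db01",  "proto": "tcp", "port": 1433, "src": "10.0.0.0/8"},
    # MSDE bundled inside a third-party product, wide open (point 1b)
    {"host": "app02", "proto": "udp", "port": 1434, "src": "0.0.0.0/0"},
    {"host": "web03", "proto": "tcp", "port": 80,   "src": "0.0.0.0/0"},
    {"host": "app04", "proto": "tcp", "port": 1433, "src": "127.0.0.1/32"},
]


def is_internet_reachable(src: str) -> bool:
    """True when the permitted source range is not confined to private space.

    A /0 ("any") source is always treated as Internet-reachable; otherwise the
    range counts as exposed unless it lies wholly in private/loopback space.
    """
    net = ip_network(src, strict=False)
    if net.prefixlen == 0:
        return True
    return not net.is_private


def find_exposed_sql(rules: Iterable[Dict[str, object]],
                     patched_hosts: FrozenSet[str] = frozenset()) -> List[Dict[str, object]]:
    """Return one finding per SQL Server rule that admits Internet sources.

    `patched_hosts` is a constructed set of hosts known to have the SQL Server
    patch applied; it is recorded in each finding so unpatched exposures can be
    prioritised.
    """
    findings = []
    for rule in rules:
        if (rule["proto"], rule["port"]) not in SQL_SERVER_PORTS:
            continue                     # not an MS-SQL/MSDE service
        if not is_internet_reachable(str(rule["src"])):
            continue                     # only internal sources allowed
        findings.append({
            "host": rule["host"],
            "service": f'{rule["proto"]}/{rule["port"]}',
            "src": rule["src"],
            "patched": rule["host"] in patched_hosts,
        })
    return findings


if __name__ == "__main__":
    # Constructed: pretend only db01 has been patched.
    for f in find_exposed_sql(SAMPLE_RULES, frozenset({"db01"})):
        status = "patched" if f["patched"] else "UNPATCHED"
        print(f'{f["host"]}: {f["service"]} open to {f["src"]} ({status})')
```

On the sample inventory the check reports db01 (patched, but still needlessly exposed on UDP 1434) and app02 (the bundled MSDE, unpatched and exposed); the internal-only rules on db01 and app04 and the web server on port 80 are not flagged. Either finding is the kind of fact that the negligence argument in 1d rests on, and it is far easier to establish from a rule export than from sales graphs after the fact.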
