Information Security News mailing list archives

Suit Holds Microsoft Responsible for Worm Holes


From: InfoSec News <isn () c4i org>
Date: Fri, 3 Oct 2003 00:39:37 -0500 (CDT)

http://www.washingtonpost.com/wp-dyn/articles/A37244-2003Oct2.html

By Jonathan Krim
Washington Post Staff Writer
Friday, October 3, 2003

Microsoft Corp. is engaging in unfair business practices for its 
failure to better secure its software against computer viruses, worms 
and other cyberattacks, according to a lawsuit filed in Los Angeles.

The suit, filed late Tuesday in a California court, is on behalf of a 
single consumer who claims to be the victim of identity theft as a 
result of a hacking incident. 

But it is designed to be a class-action case if other consumers with 
similar claims step forward, and will be closely watched as a steep 
rise in cybercrime raises questions about whether software makers 
should be held responsible when their programs are compromised.

In general, software manufacturers have not been liable for security 
and other product failures because users are required to sign license 
agreements that insulate the companies from legal responsibility.

But a recent spate of worms and viruses that crippled hundreds of 
thousands of computers worldwide has led to a growing clamor for 
holding software makers more accountable.

Microsoft's Windows operating system, which powers more than 90 
percent of personal computers, has been a particular target of 
hackers. With seeming ease, hackers have stayed one step ahead of the 
company in exploiting vulnerabilities in Windows, e-mail software and 
other Microsoft programs.

"The vast majority of successful Internet attacks are attributable to 
major vulnerabilities in Microsoft's . . . software," the suit 
alleges, adding that the company does an inadequate job of warning 
customers about the problems and helping to fix them.

The suit takes a different tack from previous efforts to claim damages 
due to software flaws. It argues that because consumers have little 
choice other than Microsoft software, its failure to provide secure 
programs constitutes an unfair business practice under California law.

"If you live in the modern world, you must use Microsoft," said Dana 
B. Taschner, a Newport Beach lawyer who filed the case on behalf of a 
Los Angeles woman who is a film editor. "You can't on the other hand 
say, 'We're not responsible.' "

Microsoft spokesman Sean Sundwall said the company is still reviewing 
the suit but would fight against allowing it to become a class action. 
Adding numerous additional plaintiffs -- with the potential of 
multiple damages -- is typically the way law firms fund litigation 
against large corporations.

"This complaint misses the point," Sundwall said. "The problems caused 
by viruses and other security attacks are the result of criminal acts 
by the people who write viruses." Still, he said, "Microsoft has made 
security a top priority and is committed to developing the most secure 
software possible."

The suit echoes a position paper issued last week by a group of 
computer security executives who argued that Microsoft's ubiquity 
poses a national security risk because one attack can do such 
widespread damage.

The authors said that policymakers should consider the current 
"monoculture" of software when evaluating ways to improve computer 
security.

In addition to compensation for losses, the suit seeks to require 
Microsoft to improve security notification.



-
ISN is currently hosted by Attrition.org
