A Los Angeles filmmaker's lawsuit targeting Microsoft's vulnerable software could signal a sea change for the software industry if judges and jurors decide that vendors should be legally responsible for damages caused by flaws in their products.
Alleging that "Microsoft's virtual monopoly has created a global security risk" and that its "integration and complexity promotes vulnerability," the court papers call for more adequate and effective notification of security vulnerabilities and injunctive relief to prevent the violation of laws and deceptive trade practices.
"We think it's fundamentally unfair for a company to so dominate the marketplace that consumers don't have an option and yet say it's not going to be responsible or provide warranties if you have a problem," says Dana Taschner, attorney for plaintiff Marcy Levitas Hamilton.
The litigation says the vast majority of successful Internet attacks are attributable to major vulnerabilities in Microsoft's operating system software, which is used by more than 90% of computer users.
"They have a number of pretty good legal arguments," says Stewart Baker, technology department head at legal firm Steptoe & Johnson. "The risk that they face is that the climate will turn against them."
Baker compares the litigation to that faced by the tobacco industry. He says tobacco companies won cases for 20 or 30 years because the climate of opinion at the time was that people knew tobacco was bad for them prior to using it. Over time, opinion changed and juries came into cases predisposed to believe that tobacco companies deserved to pay a big chunk of the damage the product did.
"The risk here is that if security problems get worse and worse, juries and judges will be less willing to listen to arguments from software companies and more and more inclined to make them pay for the problems everyone is encountering," says Baker. "It's not a straight legal analysis, it's the standing of the company in the public eye."
Though the litigation targets only Microsoft, legal experts say the case may impact vendors across the industry.
"I think it sends a wake-up call to other vendors who maybe aren't quite as quick in sending advisories and providing patches as Microsoft," Michael Overly, a partner in the IT group at Foley & Lardner, says in regard to notification provisions in California Senate Bill 1386.
Baker says the litigation will face at least a few significant obstacles, chief among them a legal disclaimer in the end-user license agreement. He also notes that legal liability for failing to prevent bad acts by someone else is far more difficult to prove than liability for an injury caused by negligence.
Send your feedback to the SearchSecurity.com news team.