Vendor liability: Should we be suing for security?

The latest lawsuit against Microsoft revives the legal debate of how much of security is the responsibility of the consumer, and how much is vendor liability.

Buoyed by a filmmaker's recent lawsuit targeting vulnerabilities in Microsoft's software, security industry leaders are calling on the courts to help raise software vendors' accountability for damages caused by flawed products.

Sun Microsystems CSO Whitfield Diffie told attendees at the Information Security Solutions Europe (ISSE) event in Vienna last month that software vendors should be held liable for flaws -- a philosophy he's expressed more than once in the last few years.

"Currently, it's a case of firms saying, 'You pay. We promise you nothing. Have fun.' But we need to put in place legal targets -- perhaps for 2010 or 2015 -- and improve our methodology to provide much higher security standards if we are to accept liability," Diffie said, according to a British news report.

Diffie's remarks come just weeks after Marcy Levitas Hamilton of Los Angeles filed a potential class-action lawsuit against Microsoft, contending that Microsoft's unfair business practices are forcing consumers to use insecure software. The plaintiff is calling on the courts to force Microsoft to adequately address its security problems.

"We think it's fundamentally unfair for a company to so dominate the marketplace that consumers don't have an option and yet say it's not going to be responsible or provide warranties if you have a problem," says Dana Taschner, the attorney representing Hamilton.

Some of the lawsuit's language mirrors a widely publicized paper by several infosecurity heavyweights, including Bruce Schneier of Counterpane Internet Security and Becky Bace of Infidel Consulting, warning that Microsoft vulnerabilities are a national security risk. The paper gained notoriety after another of its authors, Dan Geer, was fired by his employer, @stake, following its publication.

Outlook, SSL Make SANS' Latest

By Anne Saita

Microsoft Outlook and Outlook Express e-mail applications made the fourth annual SANS Institute's Top 20 Internet Security Vulnerabilities list, raising the question: What took so long?

For years, we've been warned of viruses within e-mail attachments that used the popular Outlook to help them spread. But, until now, there were bigger hacker targets on the Internet, more worthy of recognition on the SANS list.

Peer-to-peer file sharing and SNMP were other first-time entries among the top 10 Windows-based vulnerabilities outlined by SANS, the Department of Homeland Security, and Canadian and British cybersecurity agencies.

Secure Sockets Layer (SSL), cleartext services and misconfiguration of enterprise services were first-timers among the 10 most commonly exploitable Unix/Linux services.

The list, compiled from worldwide data on hacker exploits, is intended to provide organizations a baseline for fixing network systems. It includes remediation tips and will be updated when more critical threats come along.

"Microsoft is in the best position to fix software problems," Schneier says. "Until there's a financial interest in fixing the problem -- like liability -- it's not going to happen."

Attorney Stewart Baker, technology department head at the Washington, D.C., law firm Steptoe & Johnson, says Hamilton's lawsuit might have merit.

"If security problems get worse and worse, juries and judges will be less willing to listen to arguments from software companies and more and more inclined to make them pay for the problems everyone is encountering [based on] the standing of the company in the public eye," says Baker.

Baker compares Hamilton's lawsuit against Microsoft to litigation that targeted the tobacco industry. Tobacco companies won cases for 20 or 30 years, he says, because public opinion at the time blamed smokers who used a product they knew was unhealthful. Over time, however, as lawyers demonstrated tobacco companies contributed to nicotine addiction, the public demanded that "Big Tobacco" pay billions in damages.

Baker says the Microsoft litigation will face significant obstacles, not the least of which is the legal disclaimer all end users must agree to while registering the software.

"The shrink-wrapped end-user licensing agreement limits liability; however, there's a risk that courts will say that the terms are unconscionable," says Baker. "Consequences for vendors could become severe once that concept goes into play in judicial circles. It's going to make the risk of liability much more palpable."

This was last published in November 2003