Microsoft Sued for Defective Software

Door-opening Fascist writes "eWeek is reporting that a South Korean citizen action group, People's Solidarity for Participatory Democracy, is suing Microsoft for putting the SQL Slammer vulnerability into Windows. They are doing so on behalf of the South Korean people and businesses affected by SQL Slammer."

What they'll be told:

[Wakko Warner]

Shut up and patch your systems like the rest of the planet.

Software isn't a physical thing so it's impossible to make it bug-free.

You knew about this vulnerability for months, there was a patch for it, and you did nothing about it."

Pick a defense, any defense...

- A.P.

Funny this came up today...

[default luser]

I work for a major defense contractor, and our WAN got hit by Slammer today. Brought down all the remote sites for hours.

Silly how little explots like this can cost millions of dollars.

Microsoft fixed the problem before it happened

[Dishwasha]

Let it be noted that Microsoft already had SQL SP3 out which fixed the problem before it ever occurred. PSPD should try using a vulnerability that could actually hold water in court like Code Red or it's dirivative, or any other Word ActiveX open-execution macro vulernability.

Re:bad news for opensource

[Malcontent]

Opponents of open source frequently argue that proprietary products are better then open source because "you can sue somebody".

Here somebody is suing MS. Let's see how that works out.

Re:What they'll be told:

[Mr Bill]

I don't think they are complaining about their own systems being compromized, but the network effects of thousands of other computers grinding parts of the internet to a halt.

My mail server runs on Linux, but it was unavailable for at least 30 minutes because of the Slammer worm. Not because it was vulnerable, but because of all the idiots dumb enough to put SQL server on an open network...

This is what's needed

[Zeio]

If they expect governments to enforce the overzealous EULAs, and to insinuate the product has real monetary value and it should be criminal to misuse it, then they should be liable for its actions. The door swings both ways. To use the ridiculous but relevant car analogy, check out Ford/Firestone with the tire recall, they hat to eat a big huge monetary crap-sandwich to make up for that. They also have to provide parts for cars for 5 years after they sell them, by law, and they must also be subject to anti-lemon and consumer protection law.

While I don't foresee Microsoft getting chastised, lambasted and castigated as it should be here in the US where being a rich company has many, many benefits, I do see an opportunity for Microsoft to have to be held accountable for its actions in the EU and Asia. Also in Asian countries the logic is: If you expect me not to pirate this, it better do something good.

I hope this teaches Microsoft that the venue by which they made the 40 billion they have sitting in the bank is us, the victims of pre-installs on new PCs (I believe 80% of the MSFT revenue is from pre-install), we should get a piece of that if we are wronged by the software.

There is a huge disparity between what is claimed on the glossy box and what is delivered in reality, and the consumer needs to be protected from fraud and fiscal liability due to product failure.

It applies to every other business. Software should be the same.

Also, EULAs claim the license isn't transferable and resalable, I content that this means it then has no value. No one can tell you you can't sell your used car.

Setting precedents, and liability

[cfallin]

If this goes through, it could set a precedent of liability for software bugs... that's bad, of course.

Here's an interesting thought: maybe closed source software could be hit harder by this because keeping the source closed could be considered hiding the vulnerability? IANAL, of course.

Another thing - aren't there liability issues for engineers in other fields as well - like holding a bridge engineer accountable if the whole thing falls down? Of course, a software bug isn't quite that serious, but still...

let 's put things in perspective ...

[DataShark]

if we see this in a *absolut* way then it is a bad, bad, thing because it increases greatly the cost of putting a product in the market (be it open source or not).

Anyway there is a very important point about *incidents* like this : they get people's attention about the completly crazy EULAs that some SW companies (namely Micosoft) and content providers (RIAA/Hollywood mob) are currently imposing to they 're costumers ...

imposing a bit of regulation about the limits of what could be put in a EULA is IMHO a very good think ...

if the ppl who launched this lawsuit make the /. cummunity, and the online community in general, think a bit about this issues then they made already a very good thing ... (ah, and btw i 'm yet to see MS loose in court ... :-( )

Cheers from Portugal

Re:GPL = no warranty

[The Turd Report]

Except MS has the same wording in their license.

IANAKL

[Biff Stu]

(I am not a Korean laywer)

Does anybody know if the click-through license is worth a rat's ass in Korea? Does Korean law give the plantifs an edge that they wouldn't have in the US? Any Korean laywers out there?

Re:lemme get this straight...

[kiwikasper]

Actually, even tho Microsoft had a patch available for the SQL vulnerability months before Slammer hit, a subsequent patch re-opened the vulnerability. Maybe their techs did all the patches when they were released.

Re:"Putting" the vuln in?

[aliens]

I don't believe they ignored the problem or didn't fix it. IIRC they had a patch out 6 months beforehand.

You want to sue someone, sue the sysadmins who
A) Didn't patch
B) Left MS SQL right out on the open internet
C) In short didn't do their jobs.

If you're running MS products it might not be by choice, but there is no excuse for not being aware of patches and the state of your firewall. They were all probably too busy rebooting Windows desktops to have time, but still.

Xenophobic Bigotry by Koreans Against Americans

[reporter]

The suit against Microsoft is just another example of xenophobic bigotry that the Koreans have consistently exhibited against Americans. For decades, the Koreans restricted American businesses in Korea. The Koreans prohibited Americans from buying Korean businesses. When the Koreans did ease the ban, they then used informal methods to block non-Koreans from buying Korean businesses.

Case in point is the attempt by Micron to buy Hynix. Please read "Micron/Hynix Deal Dead [bizjournals.com]".

Indeed, the current president of South Korea was elected on a wave of anti-American protests. Please read "S.Korea Opens Talks with U.S. on Troop Deployment [reuters.com]".

Now, we have the Korean lawsuit against Microsoft. When a Korean buys Microsoft software, he is subjected to the same disclaimer to which an American is subjected. Namely, the disclaimer is that the software comes with no warranty or guarantee of performance. The disclaimer is printed boldly an almost every software package produced in the Western world. The disclaimer also appears on non-Microsoft products. Why is a Korean incapable of reading a simple disclaimer?

This lawsuit is rubbish and is nothing more than anti-American xenophobic bigotry.

In the face of all this anti-American xenophobic bigotry by the Koreans, how do we treat the Koreans? Please read "An Adopted Way of Life [asianweek.com]" and "Adopting a Culture: One Woman's Struggle for a Korean Identity [columbia.edu]". We Americans have adopted more than 100,000 South Korean orphans. The Koreans do not care about orphans. By contrast, we Americans have given them a home. The website for the "State Department [state.gov]", notes that Americans adopt about 2000 South Korean orphans per year.

ask Bill ...

[twitter]

why boxes at Microsoft were not patched against SQL Slammer. Do they sue themselves, fire the admin or simply replace the servers with free software?

Illegal copies of Windows

[sielwolf]

I'm also wondering if/how many of the copies of Windows that precipitated in Slammer were legal. Asia is notorious for its pirated software problems. Not that I'm insinuating anything but Microsoft might be able to say "Well a lot of the machines were illegal anyway therefore in breach of our support. I'm sorry but we can't be held accountable for criminal use blah blah blah-"

Possible?

product?

[zogger]

--didn't think of that one. If software isn't a product, then what is it?

I am not sure on the entire liability issue right this second, but comes a time that any "industry" needs to come to grips with reality, and I think that time will be soon probably. Computers and the software to run them have had decades now to get established and to come out of thier "honeymoon" stage, with the EULA "get out of jail free" cards. the hardware is warrantied. The software sure needs something.

There needs to be some sort of consumer protection and warranty. Eventually there will have to be, it's about inevitable. Everything else man made has one. If that means much less "new" is released and a lot more "improved", I'm all for it. If it means less variety but better quality, I am all for it. If it means that "paid for-sale" software with a warranty gets so expensive that "free" dominates with a shareware and volunteer concept, I'm all for it. and I see that as an EXACT dividing line, it's for sale, it needs a warranty, if it's a "freebie, here try this, see if you like it" type deal, it doesn't need a warranty. I think that is fair and rational.

OR, wait until a few more worms or whatever hit all one day, the mother of all net shutdowns, and have the government force something down your throat that is beyond a warranty into planned, controlled, licensed.

As an aside, can you imagine the first major software vendor TO offer a warranty? How much of a marketing edge would that be, given they had really done their auditing and were actually confident their offering was decent enough to offer the warranty? I think they would get uberrich, well deserved cash for superior outstanding coding efforts. I know some custom stuff does, but anything major mass market? Does it even exist yet? I honestly don't know, but myself as joe consumer, I might just be tempted to purchase an OS offering like that, and pay much serious cash for it.

Call me naive

[pkinetics]

but I see something a little different about this.

First, if Microsoft's EULA already prevents them from being sued, software is as-is, why do they release patches in the first place?

This isn't a question about whether or not a user can sue, but a more basic matter of accountability and responsibility. These are the most fundamental issues in selling anything to the public.

Microsoft is responsible for this snafu, but they have never been held accountable. Their bugs, their glitches, their crashes. Its become a running joke with techies. It shouldn't.

When Slammer first hit, people said installing the patches required taking down the servers, running several patches, and praying it still worked. No garunatees about anything. What's the justification? Time wasn't available. Who could afford to do this? How high was it on MS list of things that had to be done?

But no one is mentioning those same arguments now. Its South Korea's fault for not doing the updates.

As I recall weren't the patches buggy enough to cause another major security hole?

We know Microsoft is responsible. We know who should be held accountable. But MS throws in a disclaimer and all is good. The disclaimer is not a silver bullet. There must be accountability for faulty software, no matter who wrote it.

Will it stifle open source development? Probably scare off crap coders is what it will do. If everyone working together reviews, checks, and verifies, they are going to catch most of the bugs before it goes out the door. The remaining bugs are fixed with patches.

I honestly don't see anything wrong with suing them. The EULA is not a catch all. The EULA should be thrown out, and rewritten. Users have the right to hold developers accountable.

Its about time someone figure out how.

Re:Duh

[rgmoore]

A better analogy would be the front door on your house. If you leave it unlocked, well that's pretty stupid. It's not the lock manufacturer's fault you didn't lock it.

But that's a bad analogy, too. Failing to lock a lock is not the same thing as failing to patch a server. Failing to lock your lock (or, to use an automotive equivalent to keep things consistent, leaving your keys in the ignition) is like failing to change the default password on a server- a basic thing that's an inherent part of the job. Patching a server is more like taking your car in as part of a safety recall.

Both cars with safetly defects and servers with vulnerabilities represent errors on the part of the maker that put the user in danger, and you can draw some strong additional analogies about the process of getting the product fixed. In both cases, for instance, the process of getting everything fixed can take some time- time for the problem to come to light, for the maker to figure out a solution, for users to be notified of the problem, and for the fix to be applied. The balance of liability shifts between maker and user as you progress through the process. If a user gets hurt by a previously unknown problem, you have a strong case for the maker's liability for selling a defective product. The longer the fix has been available, though, the more it becomes the user's responsibility to have the problem corrected. If a Pinto was damaged by fire a year after Ford issued a safety recall, or a MS user is burned by a vulnerability six months after the patch was made public, it is the user's fault for failing to have a needed fix applied.

Re:Read before you file

[chris_7d0h]

Not trying to say that this thing will go anywhere, but... Shrink-wrap agreements which you have the ability to read only AFTER a purchase holds no water in most counties. AFAIK, these kinds of agreements haven't been proven to bear any legal value in the US either.

Point is, hiding some whishful text, which the consumer can not see, inside a purchased product can not dictate any kind of restriction or other whishful commitment on the customer's part.

- Give me all you money!
- Why?
- You're wearing a shirt which on the inside, just beside the laudry tag states "Any wearer of this shirt agrees to give all their money to whom ever asks for it".

'ts Stupid.

Re:THIS WILL NOT AFFECT OPEN SOURCE

[drunk_as_in_beer]

Ok, fine, that's not what I'm worried about. I'm worried about how this will affect the closed source that I develop. You know, the kind that I get paid to write? You mean a customer can now sue me or the company I work for, even though they insisted on having the software completed in an unreasonable amount of time without testing, and put it into production well before it was ready for that? Wonderful.

Re:Silly lawsuit

[Guppy06]

"haven't noticed the NO WARRANTEE blurb in the MS EULA."

On the other hand, Microsoft software is "leased (not sold)," which means any damage done was done by Microsoft property.

How did it work with automobile recalls?

[afflatus_com]

If there is any legal eagles in the audience, what is the precedent involving a seriously defective car that causes injury/death/damage? This defect would have a notice sent out somewhere/somehow offering the capacity to take the car back to the shop and replace the defective part, but the user either didn't know or didn't follow through with the effort involved.

This seems to be what this software has done: there was a defect and a capacity for a customer to do work to fix it, they didn't do it, and damage resulted.

Any cases like this with products in the automotive area, and did they favour the defendant or the plantiff?

Best wishes,
Robert

Patch was released long before Slammer

[Anonymous Coward]

I don't see this as a valid lawsuit. Microsoft had relesaed a patch for the vulnerability that slammer uses months before the worm showed up.

the poster is an idiot

[nsda's_deviant]

the eWeek article is refering to this Chosun Ilbo article [chosun.com] in a Korean daily newspaper. The lawsuit is part of the 3 way lawsuit against the South Korean Information Minister, ISPs, and the South Korean division of Microsoft. Again this is the SOUTH KOREAN division of Microsoft for failing to inform Korean ISPs of the patch and its signifigance. These are people and businesses who were knocked off the grid for days and had nothign to do with microsoft's licensing. Thus a class action lawsuit. The idiot poster makes it sound completelly different.

For those with memory problems...

[Conor Turton]

Yes there was a patch out BUT it couldn't be installed on a great deal of systems without some serious hacking, something which Microsoft ADMITTED TO. It actually broke some installations. Not the kind of thing you want to be responsible for as a BOFH on a SQL Server serving 10,000's of users.

Re:What they'll be told:

[Wakko Warner]

You miss the point. It is very possible to craft a physical object which is perfect, for all intents and purposes. (Take a look at the SL-1200, or, more realistically, any machine with relatively few moving parts, such as a baseball bat.)

Software companies like to argue that, because code is intangiable (and, to a lesser extent, because development cycles are so darn short these days) it is impossible to spot and fix every bug in it, so no one should realistically expect software to be reliable all the time.

This argument has become more and more valid over time as companies use it more and more often to justify increasingly defective products.

- A.P.

Re:no warranty does not matter

[Ramze]

This is exactly right. Just as you can sue for damages caused by unintended use of a product (like... sayy... when your kid swallows a toy that didn't have a warning label on it to keep it away from small children). There are certain unspoken "contracts" between a buyer and a seller, and if an unspoken contract is broken, the offender can be sued for damages. Courts have long held that there are certain rights that cannot be signed away by a contract (such as a EULA), and therefore many of the statements in Microsoft's EULAs about the company not offering any warrantees may not shield it from being held liable for damages in court.

I recall from my business law class that workers once sued a company who manufactured a type of machine they used at work. The machine had a steel casing around it to prevent people from accessing the moving parts. I don't recall how exactly, but part of the casing was removed by the workers and replaced with a cardboard box (perhaps for easy access), and one day, someone was walking on top of the huge machine and stepped on the cardboard covering. Their leg went right through it, of course, and they lost their leg in the gears below. They sued -- not their company, but the manufacturer of the machine for not clearly labeling that removing the casing (or replacing it w/ another material) could be a safety hazard & WON!!! Do I agree with the ruling personally? no... but, there is an implied contract that states that the manufacturer has a duty to warn the buyer of potential safety hazards. The metal casing was assumed to be protection enough, but there was no warning to the customer that removing it while in operation might be unsafe, thus... they were liable.

I could forsee a case against Microsoft for not giving advice for proper protection against viruses (such as putting up a firewall, using anti-virus software, not opening e-mail attachments from people you don't know & never opening an executable (bat, exe, com, vbs) without knowing exactly what it is, etc. Of course, you couldn't win any damages for physical pain and suffering, but perhaps monetary compensation for work, money, and/or computers lost due to their negligence in warning a user.

hmm... I'd have to ask a lawyer about that b/c it could be considered "common sense" in the computing age, but... hey... if you can win a few million for spilling hot coffee on yourself from a fast-food place, who knows?!?!? ;-)

Re:Xenophobic Bigotry by Koreans Against Americans

[Anonymous Coward]

The basis for Korean culture is family. Everything revolves around family, blood ties, etc. (Korean proverb- My family's happiness is my happiness).

When a child is orphaned, s/he is basically in a cultural void. There are no resources apportioned to orphans because 100% is given towards family.

And as a system, it has its' faults, but it insures grandma is never dumped off in a nursing home (unless all of her relatives are dead).

I disagree!

[mabhatter654]

How many of you are up-to-date on your recall notices for other stuff? Cars, toasters, appiances, tvs, child car seats, etc...

yet if your car was to suddenly veer off the road from a known defect you'd expect the auto company to deal with it! Driving the car down the road doesn't generally cause the wheels to just 'fall-off'! That is the issue with MS.

Maytag repair guys are what 100,000-to-1 with their insalled base? even doctors are about 100-200-to-1. yet PCs are supposed to be 10 or 20-to-1 for admins. It's a crock! If any other business system was this terrible, it would be bankrupt in a year! And MS only answer is that the admin should run around and babysit the system? They offer automated updates, then again blame the admin for not "testing". You all check the gas quality going in your car before you fill up right. Or, you consult medical texts after going to the doctor just to be sure he called your illness right.

I'm sorry, this stuff should just work. Compaies have invested 10 years and billions of dollars into windows and it still doesn't just work! Billy designed the system so that MS had 'plausable deniability' After all, they don't make hardware [not their fault], or drivers [not their fault], or systems [oems didn't test, not our fault], or software [sure we have Secret APIs but not their fault], they pretend to train admins [but not their fault if admin shamans don't dance right], and of course users because they make the computer do "stuff" MS might not have planned! [if MS did plan it, they'd charge more!] They have no techincal support without outrageous fees [Linux cost is mostly support--and you can afford to use it!] Well, it's basicly like OSS only costs more. They offer the same package of benifits!

That said, I don't think a lawsuit is the way to go either. We're trying to get rid of stupid IP laws, not tie ourselves to them more! If the liability cost of software goes up, then free software will die a horrible death. We're not sophisticated enough to have software "building codes" yet and license "Software Accountants" to set them up. Even then without 100% control of a system, you just can't have that kind of liability...Then again, maybe that's what MS wants [OK we know they want it] total control of the systems and your wallets!

Re:Silly lawsuit

[PetWolverine]

This is a good point, and might make something good come of what otherwise sounds like a ludicrous lawsuit. If retaining "ownership" of the software, and only "licensing" it to us, makes software companies liable for bugs, maybe they'll start letting us actually buy the stuff we pay for.

Not bloody likely, though. This lawsuit is being brought in South Korea, so that even if they win, the precedent doesn't really apply over here (here being U.S. in my case).

EWeek article on WHY many didn't patch

[Reziac]

Sidebar from an article on Slammer in the Feb.3, 2003 issue, page 12:

"...many IT departments did not install the initial patch because installation could not be scripted. Instead, DBAs were required to manually stop each instance of the software running in their organizations, rename or remove some files, and paste the patch files into each instance ... it's only with Service Pack 3 that it became easy to install".

Non-MSft customers suing for damage caused by MS?

[edb]

Certainly until this comes to court (wherever), it will be pretty hard to tell what this really is about. However, in looking at the PSPD web page about this lawsuit, it appears to me as if it is claiming damage to all Korean Internet users caused by the MS bug (hard to dispute), and the crux of the question the court will have to decide is whether MS was negligent in allowing the bug to be released. The claim is that by negligently allowing the bug to escape Redmond in the first place, MS shares responosibility in the consequential damages that ensued.

All these comments about EULA, and whether a product was purchased, and you get what you pay for, and Open Software has no warranty, etc. are not relevant.

If MS released software into the wild which caused widespread actual loss to Internet-connected systems and their owners, whether or not those owners were MS customers, then is MS liable for those damages?

Starts to sound like going after the author of a virus/worm. The boundary between the actual virus/worm which exploits a security flaw and the ubiquitous system which contains the flaw gets very fuzzy in the eyes of a lawyer who might be able to prove negligence.

Of course, IANAL (sounds pr0n-like, doesn't it?), but I wonder about ambulance-chasing or its equivalent, and definitely view it with mixed emotions. No matter how much I might side with the plaintiffs in this case.

Re:One more responsible party

[moncyb]

No, it's more like if Ford made a defect in the locking system where there is another hole right below the keyhole, and if you stick a pencil in it, the door pops open. No key needed. Who is more stupid? The company who made a car with such a stupid design flaw, the idiot who bought a car with stupid defects and stupid design flaws, or the idiot who thinks it's fun to abuse the situation and go joyriding in everyone's cars?

Re:Maybe...

[RoLi]

I take it from your attitude that you're not a programmer, or if you are, you have some sort of access to a magical AI that fixes every miniscule bug for you. Bear in mind that this lawsuit is potentially dangerous for every kind of programmer, not just the noodleheads at MS.

I'm so sick of you MS bootlickers (yes, that's exactly what you are).

MS SQL has 11% marketshare (according to MS themselves), yet the only mass-infection hit it and not somebody else. Coincidence?

IIS runs only 25% (and sinking) of webservers, yet ALL mass-infections so far hit it and none Apache which runs over 60%.

It's a fact that MS software comes with a higher risk than anything else. No system is perfectly secure, true, but if you really think that MS software is equally secure as anything else, especially GPL software, then you are living in a dreamworld.