The vulnerability warnings come so often now that they don't even register as news. Microsoft, the largest software company, is probably responsible for more software vulnerabilities than any other company in the world. For example, just last week the company posted information about critical flaws in the Windows 2000 RAS component, Internet Explorer's (IE's) Gopher technology, and an older Web-related technology in SQL Server. This year, Microsoft announced its Trustworthy Computing initiative, and although the company seems earnest about tackling security head-on, few positive and concrete examples of real progress are available. And although we've been dealing with—and in many cases cursing—the steadily increasing number of problems with Microsoft's software, the company's customers have done little to address the problems.

Until now, that is. A vocal and growing minority of Microsoft's users is starting a call to action, and some have dollar signs in their eyes. Other customers with real buying power, such as various factions of the US government, are complaining directly to Microsoft and threatening to move to rival systems such as Linux if the company doesn't turn around its security woes.

The notion that Microsoft should be held accountable for insecure software isn't new, but a movement to hold the company financially liable for its insecure software is. Critics have often lambasted the software industry for its rarely challenged End User License Agreements (EULAs), which effectively protect vendors from responsibility when their software breaks down. "Today, Firestone can produce a tire with a systemic flaw and they're liable," Bruce Schneier, chief technology officer of network-monitoring firm Counterpane Internet Security, told Reuters recently. "But Microsoft can produce an operating system with multiple systemic flaws per week and not be liable."

That situation might soon change. Microsoft has almost $40 billion in liquid assets and is a ripe target for the sort of class action lawsuits that hobbled tire-maker Firestone and various tobacco companies in recent years.

Microsoft, of course, says that its products are more reliable than those in other industries when you factor in usage rates. "Society has benefited from high-volume, low-cost software and a rapidly evolving ecosystem," says Microsoft CTO Craig Mundie. "Microsoft can't control [the entire] process. If the printer driver tanks the system, who do you hold liable?"

We blame Microsoft, Craig. For example, consumer advocate Ralph Nader recently backed a plan that would let the US government use its market power to force Microsoft to fix its security problems or face losing lucrative government contracts. Nader revealed details of the plan just weeks after the Pentagon released a study that stated open source solutions such as Linux would save the government millions of dollars. But Nader's opinion is that the government's buying power could have more far-reaching effects than propping up Linux. "The Department of Justice is spending years in court trying to restrain very modest elements of Microsoft's monopoly abuses," Nader wrote in a letter to Mitchell Daniels, director of the US Office of Management and Budget (OMB). "There are serious problems with the Microsoft monopoly, including those associated with harm to innovation, security, and pricing. The federal government spends billions of dollars on software purchases from one company that is continually raising prices, making its products incompatible with previous versions in order to force upgrades, deliberately creating interoperability problems with would-be competitors, and is well known for engaging in many other anticompetitive practices. Would a business that was spending this much money be such a passive consumer?"

And Reuters reported this weekend that Air Force Chief Information Officer (CIO) John Gilligan has complained about security problems directly to Microsoft. "I'm spending more money patching and fixing than we did to buy [the software]," he said. "I can't afford to do this anymore."

Finally, here's an odd fact to consider. Just this week, I received several emails from readers who honestly don't want Microsoft's software reliability to improve; unstable, unreliable, and insecure software products virtually guarantee job security for a large portion of the IT world. If Microsoft's software were as easy to use and reliable as the company advertises, these IT personnel would be out of a job.

So should users hold Microsoft liable for the numerous software vulnerabilities that the company acknowledges week after week? The Trustworthy Computing initiative is one fairly damning factor in determining blame: The company's highest executives have admitted again and again that the company needs to do more to create secure and reliable software. That, combined with the seemingly never-ending supply of security bulletins and software patches, seems to suggest that the company, indeed, could do more to address security. I'm just not sure that Microsoft breaking out the checkbook is the answer.

Reader Comments

The people who install the software should be held liable because they don't want to take the time to read directions, install patches and service packs. What is wrong with Microsoft's Security Web Site, or are you one of those people who doesn't know how to do research? Everything that you need to know about Microsoft's applications is at their web site, or do you want Microsoft to hold your hand while you work with the app? You people are pitiful and lazy!

Jeff Richardson

Hell yeah! I think Microsoft should be held liable, perhaps even criminally, for not only defective software, but negligence and fraud as well. I recommend Mark Minasi's book "The Software Conspiracy" in support of my position.

It's time to make Mr. Gates feel some of our pain.

Bob Lee

I am not going to deny that Microsoft is wrong in its business practices. But a thing to consider is that if this lawsuit were to be won, it could set a very ugly legal precedent, one that would do far more damage to smaller software companies than it would do to the deep pockets of Microsoft. This in essence is making them responsible for every security hole, known or unknown. Does this mean I can sue Symantec because a brand new trojan slipped through my firewall? What software company would ever want to enter into the security/OS arena with liability such as this?

Corey

Personally I find this whole argument to be a silly exercise in "how to sue someone for a LOT of money when you're unhappy". Let us start with the statement about how the company Firestone was held liable for bad tires, and Microsoft is not being held liable. This is what is known as a classic example of comparing apples to oranges. For starters, Firestone did not slap a BIG label on each and every tire disclaiming liability if you were killed by the use of their tires. Second, tires kill people; software does not. The bottom line is simple. If you find the product does not work for you, then go out and buy something else. Now please don't tell me that nothing else is floating around out there. You could always try Unix, maybe Linux, maybe even a Mac. In other words, get off the pot and use something else if you are unhappy with what you have. The fun part about this whole thing is that once everyone moves to Linux, everyone will start complaining about that OS, because now all of the hackers will be going after Linux because Microsoft will have gone bankrupt. Whatever happened to the IBM critics out there?

Ronald H. Burr