Re: [ISN] South Korean Group Sues Microsoft Over Slammer

From: InfoSec News (isnat_private)
Date: Wed May 07 2003 - 02:14:06 PDT


    Forwarded from: Kurt Seifried <kurtat_private>
    
    http://www.eweek.com/article2/0,3959,1054790,00.asp
    http://english.chosun.com/w21data/html/news/200304/200304300025.html
    
    I see several problems with this suit and suspect it will fail. It
    seems overly broad, and while it covers one primary event (the Slammer
    worm) it is actually comprised of a number of completely separate
    incidents/issues. It also leaves out several notable groups of
    potential defendants.
    
    1) Users who actually had MS-SQL or MSDE installed (as it turns out this is
    a lot of products) and were infected by Slammer
    1a) I have not seen the South Korean "Product Liability Act" but I assume it
    means you can only sue the person who sold you the product, or the original
    manufacturer (i.e. the end seller or Microsoft). I do not see how an
    ISP/government agency comes into this.
    1b) For MSDE users who is responsible? The vendor of the end software that
    uses MSDE or Microsoft? This is not clear as the vendor often includes MSDE
    in ways that do not allow it to be updated unless the vendor issues an
    update. This gives Microsoft a LOT of room to maneuver.
    1c) Microsoft has consistently made it clear that products need to be
    patched, in the case of MS02-061:
    "Maximum Severity Rating: Critical"
    
    1d) Improper use of affected products. It can easily be argued that people
    affected by the Slammer worm were negligent in the use and maintenance of
    the affected products. There are very few situations I can think of for
    legitimately opening up MS-SQL products to the Internet at large.
    1e) A patch was available for many months from Microsoft; thus it can be
    argued that they exercised their duty to customers. It now falls upon
    customers and third party software vendors to ensure that the patch is
    installed and is compatible with software packages.
    1f) Software license agreements and all that stuff we love to hate; I won't
    even touch this can of worms other than to mention it.
    
    2) Customers of affected ISPs
    2a) The issue in question here is what the Service Level Agreements and
    other contracts with the affected ISPs say. I suspect many ISPs include
    terms like "act of god", "customer negligence" and "circumstances outside of
    our control"; if this is the case, then the case against them is greatly
    weakened.
    2b) Was the disruption caused by the customer in question (i.e. the uplink
    was flooded) or other customers (i.e. the downlink is flooded)? If it's the
    uplink, then again the ISP has a lot of room to move.
    
    3) Can losses be proven?
    3a) In the case of an online store this is difficult, though it seems simple
    at first. Simply show graphs and statistics of online sales over the last
    week/month/year(s) and note a large dip at the time Slammer occurred. Easy,
    huh? But is that dip due to the online store not being available due to
    Slammer, or because many client systems were affected, i.e. dialup
    users/broadband users were sufficiently slowed down that they gave up on
    using the Internet that day and went outside or something?
    3b) In the case of an online user this is difficult; they can claim that the
    Internet slowed to a halt, but how many will have useful evidence (such as
    traceroutes) to end sites to prove that it was their end? Simply reverse the
    online store defense and claim that the sites the user tried to access were
    heavily lagged and at fault, not the user's ISP. Proving "damages" occurred
    because you could not access the Internet is unlikely for most users.
    
    This suit is especially messy in that it relies on laws not yet applied to
    such circumstances (i.e. it may be precedent setting) and also rests on a
    huge number of technical details (firewalls, patching, etc.). It will be
    interesting to see what happens (assuming it doesn't get quashed right
    away).
    
    Kurt Seifried, kurtat_private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    This archive was generated by hypermail 2b30 : Wed May 07 2003 - 04:42:34 PDT