Liability for security vulnerabilities is still a long way away

Aug 13, 2007 08:02 GMT

Microsoft could one day have to pay for security holes in Windows Vista, and Vista is by no means the only product for which the Redmond company could be held liable on grounds of poor security: every piece of software Microsoft ships could, in principle, leave it digging deep into its pockets to "fix" inherent security vulnerabilities. The United Kingdom's House of Lords Science and Technology Committee has published a report on Personal Internet Security which concludes that Microsoft, along with other software vendors, should accept responsibility for the security vulnerabilities in their products.

In the committee's view, Microsoft's liability for security holes in its software would apply only in scenarios where the vendor can be shown to have been negligent. "We recommend that the government begin discussion, at European level, with a view to establishing the principle of vendor liability in the IT industry," commented Lord Broers, the chairman of the committee, according to PC Pro. "The time for introducing vendor liability may not be now - but it will come, and it will be an essential element of a mature industry."

Since the introduction of its Trustworthy Computing initiative, Microsoft has focused increasingly on delivering a higher level of security. The Redmond company's latest operating system, Windows Vista, offers the strongest customer protection of Microsoft's current platforms and is regarded as a new standard in Windows security. Vista is also the first Microsoft operating system developed from start to finish under the Security Development Lifecycle (SDL), a process designed to build security into software from the design stage onwards rather than bolt it on after release.

"Our overall goal is clear - whenever an engineer designs or writes code, we want that person to think about how the code might be exploited. When attack scenarios, threats and test cases are swirling around in a developer's mind as they architect, design or write code, chances are he or she will write more secure code and plan better defenses. Clearly there is an overwhelming amount of stuff to think about, requiring a healthy amount of due caution and discourse with teammates and outside experts," explained James Whittaker, Microsoft Security Architect back in May, in a blog post on SDL and testing.

At present, Microsoft - in response to customer feedback - releases security updates on a monthly basis covering all of its products. Under the committee's reasoning, the Redmond company would be held accountable for security holes only if it could be shown to have knowingly left customers exposed. "One would have to show Microsoft was fully aware that problem was there and allowed it to continue. Clearly there's no totally fool-proof system," Broers added. "If they leave the flaws there and do nothing about it, they should be liable."

In this context, could the Animated Cursor bug in Vista qualify as negligence on Microsoft's part? The Redmond company acknowledged from the outset that Vista is not a silver bullet for security issues and has stated repeatedly that no operating system is 100% secure. Still, it took Microsoft from December until April to release patches for the vulnerabilities in GDI, including the Windows Animated Cursor Remote Code Execution flaw, in a bulletin (MS07-017) that was pushed out ahead of the regular monthly cycle because the flaw was already being exploited in the wild. What timeframe for resolving security vulnerabilities would not amount to a negligent policy on the vendor's part? Will the impact of the exploits targeting a given flaw also be taken into account? The only conclusion at this point is that liability for security vulnerabilities is still a long way away.