
Microsoft could face security failure liability

Oct 03, 2003

Last month, Steven Adler, senior security strategist for Microsoft in Europe, the Middle East and Africa, stood up before a crowd of company executives and IT professionals and apologized for the damage and losses caused by the recent onslaught of computer viruses that have attacked his company’s software.

Adler’s apology, made at the Gartner Security Summit in London, raises the question of just how liable the world’s largest software provider is for security vulnerabilities affecting its customers. A recent lawsuit filed against Microsoft by a Los Angeles woman who suffered identity theft and claimed that the prevalence of Microsoft software “creates a global security risk” serves to heighten the question. The woman is seeking class-action certification and if that is granted the case could then include other Microsoft software users.

Adler, like other senior IT executives, said that the company had not done enough in the past to protect its customers from security vulnerabilities but has pledged to mend its ways, and its software. Microsoft has recently adopted a “Trustworthy Computing” strategy, which aims to build security into software from the outset rather than patching it in afterwards, although the effort is not expected to produce significant results until the company releases its next operating system, codenamed Longhorn, in 2005.

A U.K. representative for the company said Friday that the Los Angeles lawsuit “misses the point” by targeting Microsoft instead of the people who write the viruses. She added that the company has recently taken measures to streamline its security process and advise users of new patches and vulnerabilities.

But is this enough?

For Dale Sweitzer, a network administrator for Crossville Ceramics in Tennessee, as long as Microsoft continues to work hard on improving security, the pledge is enough.

“I’d be happy if (Microsoft) put the same standards in trustworthy computing that we put into our work in the field,” Sweitzer said.

“If I did the job Microsoft currently does, I’d be fired,” he added.

Sweitzer oversees the security of 160 geographically separated PCs and spends most of his time applying patches. Although he is frustrated with the patching process, he sees no better alternative for the short-term, saying that it would be too difficult to retrain users to use more secure platforms like Linux.

Increasingly, however, it is Microsoft’s dominance of the desktop market itself that comes under scrutiny when software security is evaluated.

A report released by IT security researchers last month linked heavy reliance on a single vendor’s software to increased security exposure: when most machines run the same code, a single flaw affects nearly all of them, and virus writers can single out and attack the most prevalent systems with little effort.

U.K. security research firm mi2g Ltd. issued a report Thursday saying that viruses and worms, mostly targeting Microsoft systems, cost users $64.5 billion in lost productivity, hardware and software upgrades and recovery in the third quarter of this year.

Mi2g Chief Executive DK Matai said Friday that this kind of damage is likely to continue if the lack of “biodiversity,” that is, the adoption of multiple software platforms and systems rather than a single one, is not addressed.

“In order to slow down the rapid spread of viruses, it’s important to have a diverse range of operating systems and servers in a corporation,” Matai said.

Diversity looks unlikely to happen in the short-to-medium term given Microsoft’s hold on the software market. In the meantime, it remains to be seen if Microsoft and other major IT vendors will be held accountable for losses that occur because of attacks targeting their systems, or if the virus and worm writers are taken more to task.

“We are doing all we can to improve the security of our software,” Adler said at the Gartner Summit. But then he conceded, the security situation is still “a bit of a mess.”