We always hear the words "It is your responsibility" when someone steals money from your credit card or the password of your e-mail account.
Why don't we say the same words to software vendors when a security vulnerability in their software makes us lose a lot of money?
When we install any software, we have to sign off on the vendor's EULA; we have no choice but to accept this license in order to install the software.
So, I think most of us have tried to read this EULA before signing it off. You can find many EULA analyzer tools on the Internet that highlight the important points for you, such as privacy, vendor rights, and your responsibilities.
The point here is that, as long as we have no option other than installing the software, the vendor must be liable for its software. By the end of last month, the Symantec Web Security Response Weblog wrote about a "Privilege Escalation Exploit In the Wild", and one week later they wrote a follow-up on this vulnerability. The vulnerability is in the SECDRV.SYS driver. Microsoft posted Microsoft Security Advisory (944653) about this vulnerability. Let's analyze the FAQ as posted in Microsoft Security Advisory (944653).
What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the Macrovision secdrv.sys driver on supported editions of Windows Server 2003 and Windows XP. This affects the software that is listed in the “Overview” section.
What is secdrv.sys?
The driver, secdrv.sys, is used by games which use Macrovision SafeDisc. The driver validates the authenticity of games that are protected with SafeDisc and prohibits unauthorized copies of such games to play on Windows. The secdrv.sys is included with Microsoft Windows XP, Windows Server 2003 and Windows Vista to increase compatibility of the games on Windows. Without the driver, games with SafeDisc protection would be unable to play on Windows. SafeDisc remains inactive until invoked by a game for authorization to play on Windows.
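The advisory describes a driver that ships with Windows and stays dormant until a SafeDisc-protected game invokes it. An administrator who wants to know whether a given host is exposed first needs to see whether the driver is present, whether it is loaded, and how it is configured to start. The following PowerShell inventory check is an added example, not code from this post or from Microsoft's advisory; it assumes the driver's service name is "secdrv", that the binary lives under %SystemRoot%\System32\drivers\secdrv.sys, and a PowerShell version with Get-CimInstance (on older hosts Get-WmiObject Win32_SystemDriver returns the same class).

```powershell
# Added example (not from the post or the advisory): inventory the SafeDisc driver
# on a Windows host. Assumptions: service name "secdrv" and the standard driver path.
$driverName = 'secdrv'
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\secdrv.sys'

# 1. Is the binary on disk, and who signed it? Authenticode tells you the publisher
#    (assumed here to be Macrovision/Microsoft) and whether the signature is valid.
$present   = Test-Path -LiteralPath $driverPath
$signer    = $null
$sigStatus = $null
if ($present) {
    $sig = Get-AuthenticodeSignature -FilePath $driverPath
    $sigStatus = $sig.Status
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
}

# 2. Is the driver registered as a kernel service, is it loaded, and how does it start?
#    Get-Service does not list kernel drivers, so query Win32_SystemDriver instead.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$driverName'" -ErrorAction SilentlyContinue
if ($drv) {
    $state     = $drv.State      # Running / Stopped
    $startMode = $drv.StartMode  # Auto / Manual / Disabled
} else {
    $state     = 'not registered'
    $startMode = 'n/a'
}

[pscustomobject]@{
    Service     = $driverName
    FilePresent = $present
    Signer      = $signer
    SigStatus   = $sigStatus
    State       = $state
    StartMode   = $startMode
} | Format-List

# Interpretation: "inactive until invoked" in the advisory's wording corresponds to
# State = Stopped with StartMode = Manual, i.e. the driver is not loaded now but can
# still be loaded on demand. Only StartMode = Disabled means it cannot be started.
```

The output is meant for a quick per-host check or for feeding into an inventory script; whether to change the driver's start mode is a change-management decision that belongs to the administrator, not to this script.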
The question that arises here: if this vulnerability were exploited and Microsoft customers lost millions of dollars, would Microsoft/Macrovision be liable for this? The answer is NO.
Let's have a look at the "Windows Server 2003 End-User License Agreements"; by using an EULA analyzer, or simply by reading the EULA, you will find:
23. LIMITATION ON AND EXCLUSION OF DAMAGES. You can recover from Microsoft and its suppliers only direct damages up to the amount you paid for the software. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages.
This limitation applies to
- anything related to the software, services, content (including code) on third party Internet sites, or third party programs; and
- claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if
- repair, replacement or a refund for the software does not fully compensate you for any losses; or
- Microsoft knew or should have known about the possibility of the damages.
It is unfair if customers lose millions of dollars and can claim only the amount they paid for the software. Ira Winkler, the author of Spies Among Us, wrote a wonderful article on this point with the title "Vendor liability: A pointless argument?". Also, Art Coviello, RSA's president, gave this interview to ZDNet at the last RSA Conference 2007, which was held in London.
In the end, I believe software vendors should be liable for their software, just as users are responsible for their mistakes.