This is a very interesting topic. Consider the automobile analogy(which is very good IMHO).

I steal a car, and get into an accident. The owner's insurance is still liable. I'm sure if the car killed someone or die due to the recall feature else, the manufacturer would be liable. It would make sense to allow the recall work to be done.

Similarly, if a hacker breaks into a system w/ lax security and launches a DoS from the Acme corporation, legal action from the victim may be taken against Acme through downstream liability.

I'm no lawyer, and I don't even play one on TV, but looking at these situations, if Microsoft denied an update for a hacked system and it caused damage, I'd put money on it that MS could have some liability for damages imposed.

Allowing Security updates w/o functionality is probably a wise way to go. Obviously, they don't want to support hackers, but it may be best for self preservation, especially from the media. If worms and viruses start spreading even faster due to more unpatched systems, the compu-illiterate people buying their next system at Best Buy would get a bad/worse opinion of MS.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/243/26604#26604