News and views from a software developer's perspective
Is It a Flaw?
The SoBig.F worm is sent as an executable file attachment in an email message. The worm does not spread unless the recipient runs the executable file. I assume Outlook and Outlook Express run the executable if the user opens the attachment. (I don't use either application, nor have I tested either.) That being the case, who is responsible for the worm spreading?
My first inclination is that Microsoft is responsible. An executable file should never be run when it is opened from an email client application. However, after further consideration, I don't think we can say that Microsoft is legally liable. The fact that Outlook Express will run an executable file if it is opened as an attachment is a feature. In my opinion, it's a horrible feature, but still a feature. The fact is that Outlook Express behaves exactly as it was designed to behave. Users are not supposed to open attachments that contain executable files unless they know who the message is from and are expecting to receive it.
I suppose this is obvious. The point I want to make is that SoBig.F is different from other worms in a significant way: in SoBig.F, the software is behaving exactly as it was designed to behave. In the case of MSBlaster, the worm exploits a bug in the software, so the software is not behaving as it was designed to behave.
And now a question of a more philosophical nature. The person who wrote SoBig.F is not abusing any software. He is just using a feature of the software (the email client); he is not exploiting any flaw. Is that person liable? It's possible to answer "no," which means you take the position that the user who opened the attachment is liable.
In summary, there are three parties that we could consider liable. First, there is Microsoft, which made it too easy to run an executable file that was sent in an email attachment. Second, there is the author of the worm software, who wrote software that behaves in a way that the reasonable man would consider malicious. And third, there is the recipient, who caused the executable file to run.
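Whatever the answer on liability, the practical control against the behaviour described above is to stop executable attachments before a mail client can offer to run them. The following is an added example, not code from the original post: a gateway-style check that parses a raw message with Python's standard `email` package and reports attachments whose filename ends in an executable extension. The extension list and the sample message are constructed for illustration.

```python
# Added example (not from the original post): a gateway-style check that parses
# a raw message and reports attachments a Windows mail client would run as a
# program, so they can be quarantined before the recipient can open them.
# The extension list and the sample message are constructed for illustration.
import os
from email import message_from_bytes, policy

# Extensions Windows treats as directly runnable (constructed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}


def executable_attachments(raw: bytes) -> list[str]:
    """Return filenames of attachments whose final extension is executable.

    Only the last extension counts, so 'report.doc.exe' is still flagged.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            flagged.append(name)
    return flagged


# Constructed sample: one harmless attachment and one executable one.
SAMPLE = b"""\
From: sender@example.com
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

if __name__ == "__main__":
    print(executable_attachments(SAMPLE))  # ['details.pif']
```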
