Earlier this month, Apple closed a serious security hole. It was too late. More than 600,000 Mac computers were infected with malicious software that hijacked Google results, replacing them with spam links.
This was no run-of-the-mill hacking attack: The target was Apple, which historically has been only lightly targeted by cyber criminals, and some security experts said the company could have done more to prevent the attack.
The vulnerability was in Java, the widely used programming language overseen by Oracle. The problem was that Oracle had released a software patch to Windows computers in mid-February, while Apple, which insists on issuing its own Java patches, issued a fix seven weeks later. That allowed hackers to launch the worst malware attack in Apple’s history.
“It was a bad decision,” said Alexander Gostev, chief security expert of Kaspersky Lab.
But was it bad enough that Apple could be liable to the hundreds of thousands of Mac owners who were hacked?
If your doctor makes an error, you can sue for malpractice. If you buy a new car and it breaks the moment you drive it off the lot, there are “lemon laws” to protect you. But if your computer is hacked because of a flaw in the technology, legal experts say: Don’t go looking for a lawyer.
“It would be virtually unprecedented to hold Apple legally liable for being slow in fixing vulnerabilities,” said Eric Goldman, associate professor and director of the High Tech Law Institute at Santa Clara University’s law school. He added:
“In addition to the legal protection offered by Apple’s end user license agreement, no legal doctrine requires software vendors to provide malware-resistant code. I don’t think such a legal doctrine would be tenable given that all software code is necessarily imperfect.”
Successful lawsuits generally require that victims prove they suffered serious, lasting harm. That’s rarely the case with a computer break-in, according to Jane Winn, a law professor at the University of Washington who specializes in computer security.
Banks indemnify consumers from financial fraud, so having your online banking password stolen wouldn’t be enough. Having years’ worth of e-mails or Facebook posts spied on is embarrassing, but that wouldn’t cut it either. Even having your personal data stolen from a third party, such as a retailer, might get you hooked into a class-action lawsuit, but the chances of success are slim.
Courts generally view software as works in progress that get fixed as problems arise. Software makers get leeway because even tiny tweaks to programming code can cause big, unexpected changes in how their products work.
“Even with all their money, I don’t think Apple could hire enough software engineers to make all of their products hack-proof,” Winn said.
But what if the stakes are higher, and lives — not just e-mails, passwords and search results — are on the line?
Hackers are now targeting everything from cars to power plants to prisons.
Researchers have shown that cars can be remotely taken over because of computer weaknesses. Medical devices such as pacemakers and insulin pumps have fallen to hacker attacks. If those attacks migrated out of the laboratory and into the real world, the protection afforded by software’s inherent imperfection wouldn’t hold up.
“Death or bodily injury, you win” in court, Winn said.
For now, consumers should note that the user agreement for Apple’s latest Mac software states that the company isn’t responsible for loss of data arising out of the use of its machines, and the most it would have to pay is $50 in jurisdictions that honor such limitations. Microsoft limits itself to damages up to the price of the software.
What that means is Mac users who were victims of the recent attack may walk away with nothing more than a deeper appreciation of what life’s been like for Windows users all these years.