An interesting article appeared in Forbes, "Sandbox Vendors Ignore Microsoft License Agreements," in which the author points out that, in "Microsoft's Customer License Agreement (CLA) for embedded systems... there is no provision for a vendor to ship appliances with multiple virtual instances of Windows, or its popular Office productivity suite. In fact, shipping Windows in a virtualized environment is expressly prohibited."
From the article it appears that some vendors, such as FireEye, are violating Microsoft's license agreement with each shipment of their Sandboxing product. Additionally, in a relatively unusual and aggressive move, FireEye apparently also shifts the liability and responsibility for Microsoft licensing violations onto the customer in its EULA, which states in part:
THIRD PARTY SOFTWARE IS (IN ADDITION TO THE TERMS AND CONDITIONS OF THIS AGREEMENT), SUBJECT TO AND GOVERNED BY (AND LICENSEE AGREES TO AND WILL INDEMNIFY FIREEYE FOR NONCOMPLIANCE WITH) THE RESPECTIVE LICENSES FOR SUCH THIRD PARTY SOFTWARE.
Given that some vendors are apparently violating their license agreements with Microsoft when they ship their Sandboxing products, the question remains: how does this impact the customer? It appears to me that, by installing a FireEye product that includes unlicensed Microsoft software, customers are likely also violating the Microsoft licensing terms when they run the Sandbox products and spin up Windows VMs. And, based on the language in the FireEye EULA, FireEye customers are technically on the hook not only for their own violation of the Microsoft license, but also for FireEye's violation in distributing the units; FireEye's customers may therefore be liable to both Microsoft and FireEye.
So, what's the deal? What are best practices when making purchasing decisions for products that include third-party components? And is there real risk to customers?
- As with any purchase, you should have your legal counsel carefully review terms of all applicable contracts, and the review should include a review of any pass-through licenses for those products that include third-party software or components;
- Most networking and security products today do include third party components, and all mainstream commercial Sandboxes today include commercial third party components. You should look for the equivalent of an "includes genuine Microsoft software inside" type of disclosure.
- For example, when you buy a Fortinet Sandbox it will come with the Microsoft license card, with Microsoft stickers for each Microsoft license included with the product. This is required by the new Microsoft CLA for embedded virtualized security devices (i.e., the new Sandboxing amendment to the CLA), and the license card and license stickers come from Microsoft. If you don't see them, then you should inquire with the vendor. See [http://www.fortinet.com/sites/default/files/basicfiles/MPI.pdf](http://www.fortinet.com/sites/default/files/basicfiles/MPI.pdf)
- Also consider open source disclosure and disclosure for other third party commercial components.
- For example, the Fortinet EULA contains disclosure about the embedded open source components. Indeed, the Fortinet EULA contains (as is required) the complete text of the applicable license provisions. You should see similar disclosures from FireEye, as they are also based on Linux and contain a variety of open source components. As a matter of fact, a review of the FireEye EULA shows that the required open source disclosure is indeed missing - this should also raise concern.
- What's the downside for users/purchasers of violating the licenses for the included components? As Mr. Stiennon notes in his article, Microsoft is unlikely to come after users. But, presumably Microsoft has a right to expect and demand compliance with its licensing terms from both vendors and end users. We suspect that Microsoft is likely in discussions with the other Sandbox vendors and that they will eventually be brought into compliance. It will be interesting to see (though it will likely not be publicly disclosed) whether there is any penalty for releasing a product and building a business based on playing fast and loose with third party intellectual property rights. It is also unclear how past shipments (products that violate the license terms) will be handled. And in the perhaps unlikely event that the discussions between Microsoft and the vendors do not resolve the issue, it will be interesting to see how Microsoft addresses the non-compliance.
At the end of the day, the practice of network security is all about eliminating threats and reducing risk. The recent introduction by numerous vendors of advanced threat protection (ATP) appliances (i.e. Sandboxes) certainly is a step forward in thwarting sophisticated malware. But, it is possible that buying such an appliance from certain vendors may create new, separate legal liabilities and unforeseen risks.