view-source/resource “vulnerability” does not expose personal information

Ronald van den Heetkamp has claimed that he found a vulnerability that affects all released versions of Firefox, and so the Mozilla security group and others have been investigating it, as we do all such claims.

In this case, it appears to me as though Ronald is simply mistaken. The files to which Ronald demonstrates access do not contain the user’s settings, though he claims otherwise. The user’s own data is not stored in the Program Files hierarchy on Windows, or in the equivalent location on other operating systems; it lives in the user’s profile. The preference files shown in his “exploit” are instead the defaults that are shipped with every copy of Firefox, and they are already freely available on the web. They are not user settings, and they contain no personal information.

(NB: this issue should not be confused with the recent “flat chrome” directory traversal vulnerability that affected users of some extensions, and which Firefox 2.0.0.12 fixes.)

I don’t know if Ronald will issue an update to his post, as he did for a previous mistaken vulnerability report, but since the story has been taken at face value by Slashdot and likely others, I thought I’d post about it here.

Edit: this is the same thing that RSnake and others on his blog discussed last May; comments there are possibly of interest. Ronald participated in the thread but didn’t think it was an important problem back then, if I understand his comment correctly.

suing and blockading for compatibility

One thing that came up periodically when people on the HTML working group were discussing version selectors was the notion that there is legal liability associated with breaking compatibility. Chris Wilson is the person who most frequently brings up this point (unsurprising, given his affiliation and experiences with IE), though he may well not be the only one. I’ll excerpt one example here:

We (Microsoft) have to be in control of our own destiny there. Unless you’re suggesting that the WG would shoulder the financial burden when we (Microsoft) are sued because we broke compatibility and caused some company’s multi-million-dollar intranet app to break.

And later, though not referring to liability but rather a government “lockout”:

A single government who locks us out of their market because we broke their intranet app (even if they were ua-switching and giving us bad content, and it was “clearly their fault”)? Probably a very big deal.

I have a couple of questions, then, for the combined legal minds of the lazy web:

  • What would be the legal basis for a suit by a customer, given the provisions of typical EULAs, which explicitly disclaim pretty much every warranty they can? Let’s assume that the compatibility break is caused by an upgrade to a new version of the software (Firefox 2 to Firefox 3, for example) that is under the control of the customer. You can choose your jurisdiction, and assume the worst case for the vendor (having end-of-lifed the previous version, etc.).
  • Can anyone find an example of such a suit having been brought?
  • Not a legal question, but very much on my mind: given the impact that IE7 had on Korea, why would Microsoft have gone ahead with the release anyway, if being locked out of a national market was such a big deal for them?

I invite your informed, or perhaps just creative, speculation on the topic! Personal attacks on Chris Wilson, or rehashed “Microsoft is evil so they got the illuminati to block Korea’s secret sanctions in the UN” conspiracy theories are not welcome, and might well be moderated out or disemvoweled.