Some Chrome users took a close look at the End User License Agreement (EULA) for its new Chrome browser, apparently a closer look than Google’s legal department, and did not like what they saw.
One section of the EULA gave the company “a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through” the new browser.
Concerns about copyright and privacy were raised on numerous Web sites, including a news aggregator called Tap the Hive, which was the first to point out the EULA contents. Critics suggested the language would allow Google to use any Web content displayed in Chrome without getting copyright permission.
In other words, content created in Chrome would belong to Google, even though Chrome was just the conduit to enter that content. That would include me typing this into Movable Type, as the blogging service is accessed via a browser.
However, a Google attorney sent a statement to Tap the Hive and the news site Ars Technica that it was an honest mistake, the result of copying in an old EULA from other products and using it in Chrome. Google promised to remove the language from that section of the EULA and apply it retroactively to those who downloaded it.
Well one problem down, a few others to settle. The security site SecuriTeam has found a serious weakness in Chrome’s handling of malicious code. Chrome uses an older version of WebKit, the open-source browser technology also used in Apple’s Safari browser, that includes the vulnerability.
Chrome has a download progress bar that, when clicked, will execute the file that has just been downloaded. If it’s an executable, a window will pop up, warning the user about downloading malicious code. But if it’s a Java archive file, a .JAR, it will run it with no warning.
Another vulnerability, which has a proof of concept on the site Evil Fingers, makes it possible to craft a specific link to crash the browser.
That’s why we have beta testing.
