That is an interesting question, no? After all, this company has made all of its software open-source, and if someone else is able generate update, they can "cut in" on Ksplice's market share. (This is forking the service, you're speaking of, not really the software.)

But this is not really a problem unique to Ksplice; it applies to any service based open-source model. And as such, what Ksplice has going for it is expertise: they were the ones who developed the Ksplice tools, they have an intimate understanding of the interplay between the kernel and hot updates, they are the ones who know how to "tweak" patches in order to make them work with the Ksplice system (as I understand, there are some nontrivial transforms necessary for certain updates).

So, they're doing the common "commercial open source" thing where the software (the application, the kernel patcher) is open source, but it's also tied to a service (the actual kernel patches) which is not so (free for Jaunty, but if you want a different kernel you'll have to pay Ksplice for support). So the Terms of Service applies to the service, which is really quite sensible.

If you read the CVE advisory carefully, the vulnerability is a faulty access policy for allowing extension installation by web-based JavaScript.

Yes, the technique is old, in that it's been around since iframes and CSS have been around, but we haven't really seen it in malware websites; most attackers use less sophisticated but still effective methods.