Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw
An anonymous reader writes: Last month, Google took the bold step of releasing the details of a security vulnerability ahead of Microsoft. Microsoft responded and said that there was a patch in the works which was set to be released two days after Google went live with the details. Microsoft accuses Google of refusing to wait an extra 48 hours so that the patch would have been released along with the details of the exploit. Now, let's see what is happening on the Google side of software development. Recently, an exploit has been uncovered in the WebView component of Android 4.3 — estimated to cover roughly 60% of the Android install base — and Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases. It would appear that over 930 million Android phones in use are out of official Google security patch support.
Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.
Or if you do, divert attention by saying Microsoft did it first
I'm still on 2.3. I wouldn't get any update whatsoever.
The phone manufacturer couldn't care less if they tried.
At least now there's a push to not keep using ancient versions.
"I am sorry, that number is no longer in service. Please hang up."
Even if Google were to patch 4.3, it's unlikely that it would ever hit anyone's device as the manufacturers are so shit at pushing out updates. Not that this is a defence for not patching it - Jelly Bean was only released 2.5 years ago.
And it's not just some manufacturers, Google is just as guilty - my [2013] Nexus 7 asked me whether I wanted to upgrade to Lollipop, I was busy at the time, so I hit no. Now I can't get the thing to see that there *is* a new version - 5.0.2 was released 3 weeks ago, and it still says "Your system is up to date". Like fuck it is.
1- You can go buy a new Android phone; or
2- You can go fuck yourself.
NT
I don't believe for a moment that MS were working flat-out on the patch for 90 days - it's more likely that they left it until the last minute, and then assumed that Google would make a special exception for them.
Sorry Microsoft, the deadline is the same for everyone.
Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases.
To me, this only really seems like a valid position if vendors allowed people to upgrade at will, but as far as I know, Android users are still held to whichever version their carrier/manufacturer allows. June 2012 is only 2.5 years ago, which means (I'm guessing) that it's possible you purchased a phone less than 2 years ago that had this version of the OS. That means, you could have purchased your phone brand new, it might still be under contract, and it's unsupported.
Now, if you're free to install the latest version on your phone, then it seems much more reasonable.
The MS of the '90s, harangued endlessly by a shockingly left-wing government (by today's standards), ended up being put in its place not by regulation but by competition. But even back then, as it dominated the desktop and the browser, it showed high respect for client privacy and control. Google's monopolistic behaviour knows no bounds. I'd take MS any day.
In my 30 years in IT, the difference I've found between MS and [insert any other brand] is that nobody loves MS - there is no religion as there has been around Apple, or Linux, or Google. They're practical businesspeople, who sometimes show excessive greed and stupid short-sightedness, but are always judged on their merits - people will abandon them as quick as they'll choose them, if they turn bad. And that's a good thing. It keeps them on their toes. Ballmer was a dick in the works for a while, but he's been kicked out, because everyone said exactly what they thought - there weren't hordes of fanboys(*) telling the world how wonderful the Start Screen is.
(*) Paid exceptions exist, such as Paul Thurrott. But nothing like him exists in the userbase.
This should be a lively discussion of my playground is better than your playground. Sigh.
Because it's unsupported as soon as you install it.
WebView is a separate component in Lollipop allowing it to be updated independently of the OS. This is a good thing since WebView is the most exploited Android component. I would imagine Google isn't "fixing" the issue in 4.3 and prior versions of Android because you can't fix it in those versions without an OS update. No one is going to push out a 4.3 OS update even if Google provides one.
Get a new phone and live with it being a non-issue going forward.
It's Android's installed base. (to) "install" is not an adjective. Is that too difficult?
First, I consider myself a fan of the Googlesphere. I love Android, love Chrome, love GMail, enjoy the availability of their online Apps, and so on. (Hate hate hate Google+, though).
And saying that - Google needs to come to terms with the fact that they can't get away with the same bullshit update cycle for an OS installed on physical hardware, as they do with Chrome. For a desktop browser, weekly updates with support ending more-or-less after a year counts as an annoyance, but not a deal-killer. For an OS, just "no". My last phone lasted a decade - Support your devices (at least for critical vulnerability patches) for at least that long, or GTFO of the playground.
The original article doesn't give any details as to what this "exploit" is in android. Even if it is a real exploit, no new phones will be made with Android 4.3, and at this point, no manufacturer would push an update to an old device even if Google did fix it. As to Google throwing Microsoft under the bus, that is utter crap. Google privately disclosed a vulnerability to MS, and *TOLD THEM* they had 90 days. After 90 days, Google publicly released the vulnerability. This is standard stuff. Giving a deadline is the only way to keep vulnerabilities out of the NSA toolkit and force MS to actually fix it.
Please keep writing your Neowin articles, as they provide us countless entertainment based on conjecture.
It would seem to me that they have a responsibility to support the versions that are in use by the majority of their customers. This whole idea that 2.5-year-old software is "ancient" is a load of BS. Imagine the outcry if Microsoft quit supporting each version of Windows after such a short time.
Whatever happened to that?
You can still buy fresh-from-the-factory phones that run nothing better than Gingerbread. (2.3) Halting updates on anything but KitKat and above is incredibly blinkered.
That said, Google really needs a better way of deploying updates other than patching the main tree and depending on their device vendors/carriers to eventually issue an update.
I write software for Android and what bothers me is that there's always this push for latest and greatest while we still have a significant number of devices getting left out in the cold because they're 2 or more years old. Android is a three legged stool, Google, Device Manufacturers and Carriers and all three have to get their shit together on patch management and routine updates to the devices. All of them share equally in this problem yet they just seem to be aligned to always force you to buy a new device to get what most would consider reasonable software support. That's bullshit. Sure Google, we get it you want everybody to be on the latest and greatest and yes there are features that can't be supported with every new release however there's that sticky little thing called time to market and while you may come out with a new release, the uptake by your licensed manufacturers isn't that fast. 4.3 didn't become available widely in devices until late 2012 which is just in time for Christmas so that makes 4.3 only 2 years old basically in terms of market exposure. That's young for a smart phone. I also get it if HTC or Samsung or Vendor X out there don't want to support software in order to entice you to buy a new device, but at $600 to $800 for a high end smart phone you're not going to see the majority of your customers buy a new one every year just to keep up with the latest version of Android. That's borne out by the 1 Billion devices on 4.3 which is a pretty large market. Oh and to you carriers, your bloatware and other crap isn't helping either. If you're not willing to support it for at least the life expectancy of the device, which can be up to 5 years now, then get it off of there so you can at least improve your release time frequency so that your customers aren't left with insecure devices.
Google needs to take the lead here and work with the downstream manufacturers and carriers to fix this shit because it's becoming a nuisance for the development community and for the end users.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Typical ad agency - leave out the important, TRUE words.
MS is already known for its shit OS, this just comes across as a dick move with no real difference to Microsoft's rep.
Most versions of Windows aren't that bad. 8, Vista, and (going way back) 98, were awful. Aside from those, Windows is pretty decent. Certainly doesn't deserve the hate that it gets. And honestly, between Apple's downright sinister levels of anti-competitive behavior and Google's regular shafting of their consumers, Microsoft looks pretty good. I realize their anti-competitive tactics were no better than Apple's at one point, but they seem to have improved. Windows 7 is still a good OS, and I have not owned a Windows phone but they look decent enough.
Actually, this time it's the evil Veri$on and AT$T and $amsung and LG($) and Moto$ola and any other company that you can force a dollar sign into. Those are the companies that are preventing your phone from updating to a newer android version, not Google.
XDInd
Android 4.3 is on 6.5% of devices, not 60%.
I'm sorry, but are people actually under the impression that their phones are secure?
I don't see any connection between these two posts smashed into one story....
Google gave MS the 90 days to fix the problem. MS dragged its feet and did not patch on time. Google reveals that flaw after the 90 days and MS cries foul. So, MS is incompetent, and it is annoyed because Google has pointed that out.
There is a flaw in Android 4.3, which Google refuses to fix. They may be obnoxious, but not incompetent. And they are not blaming anybody.
The big loser in this fracas: MS.
As much as I like to bash carriers, Google, handset makers, etc, much of the crux of this problem is that "progress" in the world of smartphone technology moves at such a rapid clip that by and large many things out there 2+ years old are in many ways obsolete and there's no easy way to go back and fix problems without just replacing devices on the consumer end.
I'm curious if smartphone technological advancements will slow down enough in the foreseeable future where this gets addressed sufficiently and you can expect fixes. By and large the PC world has been like this for a while, although it lacks the structural issues (ie, Google/Handset maker/carrier) that complicate it. Handsets are still advancing from a hardware perspective fairly quickly in terms of new chipsets that even if issue X could get fixed, the hardware itself isn't supported anymore.
This same problem is happening with legacy software all over the place be it from Google, Microsoft, Apple or other vendors. There are billions (YES! 1,000,000,000's) of devices out there that work just fine but can't use the latest operating system from the vendors so they aren't getting patched. This creates BILLIONS of opportunities for hackers, worms, trojans, scammers, etc all because the vendors are greedy and don't want to keep supporting hardware and software that is only a few years old.
They should be offering legacy support out at least a decade. It is very doable with conditional compilations to build the latest operating systems for the older hardware of even 15 years ago. It simply won't have some features like transparent windows and other eye candy. The software should gracefully fall back to fit the hardware. This is doable at the compile time which avoids having overly large software packages.
I wonder if systems like Ubuntu Phone will allow this.
There are 84 companies in the OHA (Open handset alliance). If a company for whatever reason will not update their phones to 4.4.4 (which is the latest point release of version 4 of Android) someone should probably backport the patch to 4.3 version of Android. Android is open source and Google accepts patches.
Google is not the only one making Android and the Google supported phones are free of this vulnerability. I can see Google's position on this (they want the vendors to just update to latest point release), although it seems a bit silly.
And somehow this is an acceptable situation? "Too fucking bad buy a new phone" is not a proper response for a gaping security flaw.
According to some 900+ million people, in fact it is acceptable, since it's what they have done.
It's that plus the advice "just root it and install a new OS update".
This has been Android from Day1. If you ever recommended Android to anyone, this is what you were recommending. If they can't handle the technical side of patching flaws themselves, well then why did you recommend Android if you really believe it's unacceptable to remain vulnerable to security flaws?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It's funny how people are willing to trade hundreds of evil companies (Bell, Verizon, AT&T, MS, Apple...) for one greater evil (Google). For those who do not understand what is happening, Google owns the future of marketing. The places to advertise your product effectively are becoming more and more scarce. TV providers can see their market shrink year after year and this is partially due to PVRs and the availability of content via stream. This is also why sports distribution has become a hot commodity with the NHL contract for Canada going to Rogers for 5.2 billion (12 year contract). Nobody PVRs a hockey or football game but an episode of walking dead or game of throne is fine for watching later.
Google looks good because they give everything for free in exchange for your time (advertising). Anybody that can milk that model is bound to eradicate the competition. After all, who can compete with free. As of today Google owns 88% of the world's searches with Bing right behind at 4.5% ;)
Don't take me wrong, I love Google's products but I fear them as much as I love them.
Wait! What? You can drink the Kool-Aid? I've just been snorting the packets. Now can we please just steer this thread over to talking about Apple? Thanks.
This is why we say that Google is evil for more than half a decade. They are simply a two-faced shylock.
If you're pissed off at Google for not fixing defects in older versions of Android, you can always switch to an iPhone or a Microsoft Windows phone. Why are you folks always whining about corporate decisions that make financial sense? Unless, of course, you're willing to do something and make those "financial decisions" hurt the corporation involved.
Don't like how Google won't fix bugs? Don't buy an Android next time.
Unless you also want to say that the free market doesn't fix everything. There's a reason for various regulations concerning warranty and support regulations. Especially for vital telecom infrastructure.
That is all.
You wouldn't have this problem if you were a MyCleanPC.com user.
Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.
The proper solution to this is for Google to be listed as a source for updates, in addition to the OEM and/or carrier. That way, people who are looking for updates can get it.
Not patching Android 4.3 is not a valid reason. Unlike Windows XP which was upgradable to Windows 7 and beyond (even if it required hardware upgrades), that's not so easily done w/ Android hardware. I have an Ellipsis w/ 4.2.2, which I'd love to upgrade to Kitkat or Lollipop, but can't. Nor can I upgrade the internals of that tablet (RAM, storage) so if Google suddenly says that they won't update the OS, I'm screwed. I know there is a big inertia in the market as a result of there being 3 potential sources of software - Google (or Microsoft in case of Windows Phones), the OEM and the carriers. But everybody tossing the ball to each other just leaves a sour experience for customers.
I know no organization wants to maintain 3 or more versions of anything. But that's not a valid reason to expect people to discard phones or tablets bought within the last 3 years. The tablet I'm describing is something I got last May, so I shouldn't have to discard it just b'cos its OS is not being patched and it can't run the latest version that is being patched!
Google Throws Microsoft Under Bus
My first thought wasn't "they're not nice people," but "finally" -- I was wondering how long it would be before a tech company could be large and influential enough, and behave in a way that would give Microsoft a taste of their own medicine. Too bad it's something of a hit piece.
As far as cellphones go, ain't Motorola a part of Google? Since you can't spell Motorola w/ an 'S', you could try and insert the Indian rupee sign in place of the R, except that Motorola exited the Indian market some 5 years ago
As an Apple user who roots for the underdog, I'm switching to Microsoft Bing!
That's b'cos Apple is the only maker of iOS toys, and given its demand in the market, not having iPhone in its phone lineup actually hurts carriers. See T-Mobile. That's why carriers feel compelled to offer iPhones, and Apple is free to configure them any way it wants. As a result, I don't see the Verizon splash screen when I start my iPhone, the way I do when I start either my Lumia or my tablet
How are we supposed to root our devices if all the security holes get patched?
4.3 came out in July 2013, so a year-and-a-half ago (It would be even younger if I counted when companies actually pushed it out to people's phones) 2.5 years is not great by any means, but it's a full year more than people affected by this.
You're right, they did. I don't know if it includes older devices and such though.
XDInd
What would Slashdot be saying if MS discontinued Windows 8 patches because 8.1 is now out? A reasonable support lifecycle is something that isn't too much to expect out of modern OS. It should be defined at OS inception.
Everyone brings this line of reasoning out, and yes it makes some sense. But the thing is, Google knew full well from the get-go this would be the situation with Android, and they did absolutely nothing to prevent it.
In other words, "I bet Samsung will do a great job keeping their low-and-mid-range Android phones up-to-date" said no one ever at Google.
I'm still waiting for my Windows XP fix.
While none of the post-paid providers sell 2.3 any more, plenty of pre-paid providers still do. Boost, Straight Talk, TracFone, Page Plus, etc. If you are a pre-paid operator, many of your customers don't have good enough credit for payment plan on a nice phone, don't have enough money to buy a nice phone out-right, and said customers aren't forced to stay with your company long enough for you to risk much of a subsidy in the monthly fees. That leaves you being forced to sell the cheapest phones you can for the customers that want them.
We are talking $30-40, out the door, here... If you are spending that little on a phone, you have to trim cost anywhere you can, which means the thing won't even run stuff much more recent, even if the carrier wanted to put forth the effort to do so. (Which, given their generally low margins, they won't even think of doing.)
Yes, for not much more money, you can get a MUCH nicer phone ($65 will get you a Moto G on Boost, for instance), but at the very bottom end, every dollar counts when specing out phones.
(Personally, I use a Boost Moto G flashed to PagePlus/VzW... an excellent example as to why the phones can't be subsidized much. Sprint/Boost totally has taken it in the shorts here, as outside of the phone itself (which is still subsidized somewhat), they haven't gotten a dime from me, as they inexplicably didn't request Moto lock the bootloader, making it fairly trivial to convert it over to working with Verizon.)
not such a smart decision to buy, after all.
get a dumb (aka 'feature') phone, problem solved....
Yes, I went with Google Nexus phone - Galaxy Nexus to be specific. Updates stopped at 4.3. Why?
There will be one final CM11 milestone release before they switch to CM12. How do we confirm the final will have this patch?
...as much as the next guy. But honestly, are there still nerds in 2015 who don't understand how the Android model works? Think of Android as "Linux". Each manufacturer has their own distro of Android, and then there's the "reference" distro, made by Google, that is on Nexus devices called "Stock Android". All the distros are based on the "Stock Android" distro, and the manufacturers customize and add on from there.
So, blaming Google for a flaw in a previous version of Android is like blaming "Linux" for a security flaw in a previous version of Ubuntu. See how much sense that makes? All Ubuntu has to do is use a more recent kernel/library/whatever that doesn't contain the flaw and release an update or new version. The same thing goes for Android, all the handset manufacturers have to do is release an update that contains the fix, and their problems are solved. A current build of "Stock Android" already contains the fix, your manufacturer's outdated distro, however, doesn't.
There are plenty of things we can legitimately blame on Google, but blaming the flaws of handset manufacturers and cellular carriers on Google doesn't help anything. Put pressure on your carriers and manufacturers to stop dragging their feet and support their products beyond the next fiscal quarter or two!
It's only a 32 bit bus.
Have gnu, will travel.
One main reason to buy Apple instead of Android phones.
Your cell provider or oem just decided not to give it to you.
The windows vulnerability was on the current version 8.1 that is actively supported. The bug found on android is in a no longer supported version. This is not the same thing.
This is why I hate the Android model of updates. I don't have to wait for HP, Dell, Lenovo, and others for my desktop to get updated. There's no reason I should have to wait on Samsung, LG, HTC, or even worse AT&T or Verizon to get an update for my phone. If my phone is running Android OS, then I should be able to get updates straight from Google. I like Android in every other aspect except their update strategy. I am due for a new phone soon, and I really don't want to get screwed over (again) with a phone that doesn't get a single OS update after I buy it. I'm kind of leaning towards Windows Phone at this point. I could consider iOS, but their phones are much too expensive for my tastes.
As far as the OS goes, Windows Phone is great (don't let the controversies about Windows 8.x mislead you). With the traditional GSM guys (AT&T, T-Mobile), you'd get the latest OS in 8.1. With Verizon, you won't, but the way around it is to sign up for MSDN and then download the upgrade. In terms of UI, it is fantastic.
However, you might as well be aware of the pitfalls as well. Windows Phone gets the same sort of love from devs that OS/2 got in its day, or any other third party OS tends to get. A telltale sign of this is the apps: whenever you go around, you'll see all sorts of products and services advertize their apps for either just iOS or a combination of iOS and Android. Very rarely do you see apps advertized for Windows Phone as well. And sometimes, when you do find a Windows phone app by searching their store, it tends to be a web wrapper around their official website. I miss certain apps, like Vonage, which is there on both Android and iOS.
I have a Windows Phone, and it's fantastic for certain things. For instance, it lets social networking contacts be an automatic source in your phone lists, which really helps populate your phone book if you contact people you have on there. Also, in addition to MS Office, it has things like ADP, Concur, Skype, which are pretty useful for official work. So it's good for basic work related things - there are even things like time and units conversions calculators, area codes and zip codes lookups and so on. But yeah, the most popular of games may not be there, and quite a number of apps may be either missing, or just there in the form of web wrappers.
If that's not a problem, then Windows Phone can definitely be a good, if not great, experience
Not Google's fault that device makers are too damned lazy to compile and deliver updated OS images to its customers.
No, manufacturers have no update that they could distribute. You can't blame them for not distributing something that does not exist. Nor can you expect them to update to a newer OS. There will be compatibility problems for some customers so such an update must be optional not a necessary security patch.
When google releases updated source code then and only then does it become the manufacturer's problem.
As it is manufacturers have the perfect excuse for not updating customers, there is no update from google. The fact that manufacturers have not released updates in the past does not excuse google and allow google to adopt their policy of abandonment.
Google doesn't support phones they support android. This is fixed in the latest version of android.
Which would have compatibility and performance problems for some 4.3 based phones.
Basically you are wrong in your premise that google supports android. In fact they only partially support android. To fully support it there needs to be more reasonable timeframes for patching older OS versions. Especially for security related patches. Even Apple will occasionally release critical security patches for iOS versions that are officially no longer supported.
I read that Lollipop will include webview as part of the Google Play Services framework, which is Google's cloud-based framework that they have been moving more and more Android services to.
Unlike app store updates and normal Android system updates, Google Play Services works as a silent push update, so phone providers and manufacturers cannot block the update. I'd hazard a guess and say this may have something to do with it.
Source: http://developer.telerik.com/f...
At least Apple gives a pretty decent support life for most of its products.
Apple has also released some critical security fixes for obsolete no-longer-supported versions of iOS, so their concept of "no longer supported" has exceptions. Not all obsolete versions, but those that represent the final version that a particular line of hardware can upgrade to.
Not so good now...
Yes they do.
They have full access to 4.4 and higher. Are you telling me that handset makers have incompetent programmers that can't find those?
No they didn't, this slashdot 'report' looks like nothing but a cynical attempt to impart positive spin to Microsoft's failure to address the patch. Since when did slashdot become a PR arm of the Microsoft organization?
"Firstly, just to make this absolutely clear, the ahcache.sys/NtApphelpCacheControl issue was reported to Microsoft on September 30. You can see this in the "Reported" label on the left hand panel of this bug. This initial report also included the 90-day disclosure deadline statement that you can see above, which in this instance has passed." ref
Vendor-Microsoft
Product-Windows-Kernel Severity-High Finder-forshaw
Reported-2014-Sep-30
CCProjectZeroMembers
Deadline-90
MSRC-20544
PublicOn-2014-Dec-29
Deadline-Exceeded
Yes they do. They have full access to 4.4 and higher. Are you telling me that handset makers have incompetent programmers that can't find those?
Re-read. You missed: "... Nor can you expect them to update to a newer OS. There will be compatibility problems for some customers so such an update must be optional not a necessary security patch ..."
Fact is, at least in the U.S. -- the whole cellular market is designed around a 2 year device rotation as "standard".
This is due to the popularity of the 2 year contract that includes a heavily subsidized handset at signing or renewal time.
The industry figures that unless you're one of the less desirable customers who gets a pay as you go phone due to problems passing a credit check, you're going to keep paying $60-100 per month or so for the length of time you want to use a phone, and you're going to expect a shiny new model every couple of years as part of that arrangement.
I do think this might SLOWLY be changing a bit, largely thanks to T-Mobile trying to act as the rebellious upstart of the industry and encouraging people to rethink traditional contracts. (Additionally, the companies like "Net 10" who act as wholesalers of minutes of service and kilobytes of data from the major carriers help fuel interest in buying higher-end handsets straight out and using them without contracts.)
But no - there really is the expectation that a couple of years of support is all that's necessary on a cellphone. And tablets are sort of falling into that same category by default - simply because they run the same OS's as the cellphones do.
and this is why FOSS is dumb.
also do you really have to force OEM to push software updates? Nope, just write the code. They don't mind updates that cover their devices.
Microsoft won't patch Windows 95/98/2000/XP/Server 2003/etc flaws anymore. So what's the big deal with Google moving forward from an old product.
I read this thread and being new to having a smartphone that I can't root since I bought it for my business and need it to charge credit cards and started panicking.
So I read thru all the op and then found in the s4 what version I was running, and I am at 4.4.4 so I'm good to go.
For people not good to go - take the articles, and start calling and screaming at the providers that have you under contract and make them ship you a new phone. That was my plan if I wasn't covered.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
Android, a bastardized Java running on top of a bastardized Linux. Gee..What could be wrong with that?
No, you're misreading the stats. Android 4.3 has a 6.5% marketshare. The problem affects all versions of WebView and was fixed in KitKat and above.
Android >4.4 has a 39% market share.
This bug affects all other devices which accounts for 61% of the marketshare according to the developer dashboard.
By definition, a tech company has its primary money making scheme the selling of technology. Though perhaps some people consider selling advertisement space a technology.
I think it's great for those who like to dig in to the source and DIY. But now this DIY model has been applied to millions of networked devices, from phones to routers to even TV's that now also are or are becoming networked.
If network facing consumer gear had os/services/apps made with safe language that was then transformed into unsafe language and where necessary (like during boot probably) tweaked, good part of the vulnerabilities would go away. Much of the injection vulnerabilities would go away if the safe languages came with high end IDEs and templates for creating network protocols, command line parsing apps and such. These templates would contain best practises so that people wouldn't reinvent the wheel in a way that would again allow for injection attacks.
Even better would be if the compiled output of the languages used would be easy to transform back to readable code. This way when the device receives automated updates, you can do a diff between the decompiled outputs of the binary pre/post-patch. This way the more paranoid people can have some peace of mind while keeping automated updates.
Barring Nexus (and Play Store) phones/tablets, most likely those devices aren't ever going to get any patches, let alone OS updates, anyway. Google only does that for their own (and Play Store) devices.
There are probably still even older vulnerabilities in those phones as well that HAVE been patched. Complain to the OEMs/carriers for not supporting their products.
Since I don't care for 3rd-party firmware, I've taken to restricting my phone choices to preferably a Nexus or what's available in the Play Store, as in addition to updates, I don't do multi-year contracts. This might have to change, though, as I found the N6 to be of negative value for its $250 jack in price over the N5, which I found to be a marginal value in the increased price vs. the N4 (N5 specs improved enough, but build quality declined enough to offset most of the spec gains, with the winning push being a Nexus device).
The only reason that phones are expensive is so that carriers can "subsidize" the price (they're not really; they're getting it back from you via your contract and the early termination clauses built in) and make it appear as though you are getting a deal (when you're not). Most phones are worth half or less of what they're MSRPed at in a realistically priced world. (Along with the lack of value in the N6, lack of 64b (yeah, they're not ready yet, but I did previously promise myself not to buy it if it were just another 32b SoC), and huge price increase, I'm passing on the N6. Almost went for OPO but they dicked around too long, so I haven't cared about it since about June...)
Google supports ChromeOS for five years from start-of-sale, even though it's a similar situation to Android (they don't get paid):
https://www.google.com/chrome/devices/eol.html
I would prefer they do Cisco-style end-of-sale date, end-of-life announcement date, end-of-software-support deadlines, but what they do for ChromeOS is already better than what Apple does for Mac OS and iOS. It's not as good as Microsoft, but I don't think Windows XP's long support life will be repeated.
It's also important to consider how much churn comes with the security updates. With ChromeOS there is almost none. With Android, Mac OS, iOS, many things break. With Windows XP service packs I guess it's somewhere in the middle.
Planned obsolescence is different from FORCED obsolescence and it P****s me off!
Witness: lots of shiny devices, good for only one product cycle, but they cost as much as
food for a year, and there is no way to determine if this product cycle will be for one year,
or 6 months, or a week. I know there are relative standard release dates that flupped dup
fanboys and fangirls can memorize and count on, but there is no reliance on them -- just
try to hold Giggle or MicroSlop to your best idea of when they should release their junk that
you are still paying off and now it is no longer supported:> Say What? it's almost enough
to make me want to pay for ApplepukeOS...yes, please lock me out of my own device, but
compensate by making it thinner! Needs to be thinner, because, uh, I can't imagine why.
If I put that thin piece of techno-doodoo into my pocket I'm at risk of sitting on it and giving
employment to Chinlee sweatshop follken for one more product cycle -- how ever long that
may be.
Ok, you can probably tell that my sitter downer is pretty chapped: yep, I bought an ASUS
TF700T and a keyboard early last year. ASUS decided its processor is too wimpy to
support any longer (they've stopped with 4.2, though the newer code in 4.3 takes fewer
cycles to operate just as insecurely making ASUS' poor processor argument specious
by definition. Remember when the TF700T was top of the line, state of the art, representing
the best that ASUS could do -- for at least one portion of a Product Cycle? Can you trust
ASUS ever to do any better? Wouldn't Sony be a better choice? Or maybe hacking up
your own Linux kernel from some compromised code found somewhereontheweb.ro??)
Hey, I said it was pretty chapped. I don't have the luxury of upgrading my iPhluke 4.0
(not 4s.)
Ok, my rants are always full of obvious holes and misconceptions: please correct me in
5...4...3...2...oh, good thing I'm a touch typist cause my 3 week old Dell U2414M is already
dying. Must be the end of the product cycle, its obsolescence is being forced, it's out of my
hands........./..
I can't really understand the reluctance of people to root and/or install a custom ROM.
For one thing, it often (such as on the Nexus 7) involves wiping the device and unlocking the bootloader. People want to be sure that all their data will make it through the process, and an ADB backup reportedly doesn't cover contacts or other "content providers". For another, people don't want to install a custom ROM for the first 12 months while the thing is still under a warranty that installing a custom ROM voids.
Manufacturers [are] incentivized to support phones that are under warranty
Some manufacturers sell the previous-generation flagship phone as their midrange phone and the phone two generations old as an entry-level phone for people new to smartphones, such as children on a family plan or switchers from dumbphones.
Why should Google bother?
Samsung, AT&T and many others will not patch the locked devices they sold.
Even if Google issued a patch, none of these would update their devices.
Perhaps, just perhaps, this will generate a liability that in turn will
get these yahoos to get their act together.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
This is exactly why I switched to WP, after my Android phone released in 2012 wouldn't get updates past 2.3. That means that I couldn't use Chrome or some new apps. Even though enthusiasts dragged it to 4.3, the user-maintained version was way too far from stable and polished. Now, after a year with a Lumia, I can say I won't buy any Android products unless something changes in that department.
Do no evil.
Hypocrites.
That and the recent NPAPI removal that stuffed quite a few businesses that were unwise enough to rely on it, and I am glad I am de-googling.
jolla.com
"Windows XP's lifespan wasn't short."
Software doesn't have a "lifespan". It works the same as it always did, with the same hardware.
Businesses doing the same work every day don't need new hardware or software if the equipment they have now is serving them well.
It wasn't until Service Pack 2 was released on August 10, 2004 that many of the very serious problems in Windows XP were fixed. Windows XP with Service Pack 2 might be considered to be a different version of the Windows XP operating system, it was so different from the initial Windows XP version. See the Microsoft article, List of fixes included in Windows XP Service Pack 2. There were 828 fixes.
See the article, Microsoft Windows XP "end of life": Conflict of interest.