Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw
An anonymous reader writes: Last month, Google took the bold step of releasing the details of a security vulnerability ahead of Microsoft. Microsoft responded and said that there was a patch in the works which was set to be released two days after Google went live with the details. Microsoft accuses Google of refusing to wait an extra 48 hours so that the patch would have been released along with the details of the exploit. Now, let's see what is happening on the Google side of software development. Recently, an exploit has been uncovered in the WebView component of Android 4.3 — estimated to cover roughly 60% of the Android install base — and Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases. It would appear that over 930 million Android phones in use are out of official Google security patch support.
As an unhappy Lollipop user on a 2013 Nexus 7, all I can say is don't bother. My free RAM has dropped from 1GB to 400MB. I can't even keep two tabs of Chrome in RAM now. I'm seriously considering downgrading unless Google gets this release right. Furthermore we are up to version 5 of Android and there is still no way to push security updates? That's a pretty serious fail IMO. Google might want to rethink that strategy before it seriously burns them in the long run.
zosxavius photography
This is a hit job from a shitty Windows enthusiast website (neowin.net).
Do not click any links!
Mod me down, my New Earth Global Warmingist friends!
No, you simply didn't get the point. Google can't push the patch to those devices (unless they are from the Nexus line). Samsung, LG, etc. must do the pushing. But they won't.
Microsoft learned to placate government officials by donating to them. They sought power so they could gin up memes like "anti-competitive behavior" and sic true believers AKA their meme enforcement cogs, until the politicians git paid to get back out of the way.
Now, having placated the US federal government, most state governments, and most individual EU countries, they must now focus on placating the EU parliament AKA European Federal Government, whose politicians now are wondering why they, too, can't get a piece of the pie.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Google can't push out updates to the handsets. The carriers by law mandated that only they can update and test the devices. You as a citizen and owner of the device cannot do this yourself either. But sure Google is at fault.
You can still buy fresh-from-the-factory phones that run nothing better than Gingerbread. (2.3) Halting updates on anything but KitKat and above is incredibly blinkered.
That said, Google really needs a better way of deploying updates other than patching the main tree and depending on their device vendors/carriers to eventually issue an update.
My iPhone 4s (released Oct 2011) is still supported.
(Though I replaced it with a newer device, I still use it as an iTouch for various reasons).
iOS isn't really any better when it comes to patching old devices. Once the poor, poor, tech company responsible for deploying the OS in the first place decides to stop supporting it, you're SOL.
Are you stoned, or just stupid?
In stark contrast to the carrier-controlled paradigm of Android software deployment, Apple maintains sole control over the updating and deployment of iOS (and OS X), and although they do eventually draw the line somewhere, it is always at a point that affects single-digit percentages of the User Base, not the majority of Users as is the case here.
Apple would be positively pilloried in these pages if they tried something even remotely as irresponsible and high-handed as Google is doing (or rather not doing) in this case.
Furthermore we are up to version 5 of Android and there is still no way to push security updates? That's a pretty serious fail IMO. Google might want to rethink that strategy before it seriously burns them in the long run.
They have rethought that strategy, and the solution is Google Play Services. All of the critical functionality has been moved there, which they can update via the Google Play store. Most of the individual apps have moved to independently-updatable Google Play apps as well. The WebKit based library discussed here has been replaced by a Chrome-based version, which also receives regular updates.
And yes, all devices Gingerbread (2.3) and above get these updates. The problem is that the WebView is one of the remaining pieces that was still tied directly to the OS in those earlier versions, so it can't be updated directly.
I'm not excusing Google for not fixing it here, but saying that version 5 still has no way to push security updates directly is incorrect.
There's already a free fix.. Android 4.4.*, 5.0, 5.0.1 ...
Michael J. Ryan - tracker1.info
That's what changed in 4.4. In 4.3 it was part of the OS is my understanding and required a new OS install.
Works for iOS. Carriers cannot prevent the upgrade of devices that can be upgraded.
Actually, they can, even when OTA upgrades are delivered via Wifi. But Apple has managed to contractually require them to let Apple control upgrades or they don't get to sell Apple's devices. Google does the same thing with Nexus devices. Google cannot, however, interfere in the relationships between OEMs (e.g. Samsung, LG, HTC, etc.) and carriers.
Google's challenge is that because Android is an open platform our ability to tell manufacturers what to do is sharply limited. Personally, I'd like to see them at least start publicly shaming OEMs who refuse to push important security patches.
What Google is doing is making things more modular and moving more security-sensitive components into services that are delivered through the Play store, so Google can update them when needed without waiting on OEMs.
So, Google should update the older software, and then the users' phones still wouldn't get patched because it actually has to be done by the manufacturers, and then approved by the service provider, neither of which want you to still be using your old phone.
As to Apple, well, they just make sure that all your devices have the newest version of iOS, which will always run like crap on the older phones, driving those upgrades to the new phones that come out a month after the upgrade...
Want your older version of iOS patched? Well all you have to do is upgrade to the latest version and kill your phone's performance. Don't want to do that, then Apple will gladly tell you that they don't support the older software anymore.
As I have said in another post to this article, Google could easily change their distribution model for Android to re-capture sole control over its Distribution, like Apple. But they won't; because they simply don't care; nor do they want to be bothered with testing a zillion different platforms.
And contrary to your tired, Fandroid meme, Apple does not "push" iOS updates to anyone; let alone do so for the purpose of "obsoleting" older models. First off, at this point, regardless of the hardware or software platform, anyone with a piece of equipment that is on the bottom end of the "Upgrade-able" list who then jumps on an OS Update the very first day, sort of deserves what they get; and second, Apple occasionally releases an OS update that inadvertently degrades the performance of older hardware; but they also have a good track record, like with the recent iOS 8.1.1 update, of releasing further patches specifically designed to address those performance issues.
So no, the two situations are in no way equivalent.
Cool. Buy a Google Nexus. The price point is outstanding, and I have been on the Nexus line since the first Nexus phone. The only thing that seems to kill them is my wife or I killing them with water.
The only reason I don't have a 6 is that my 5 refuses to die.
Guess what?
Same problem.
http://en.wikipedia.org/wiki/G...
"Google has stated that the Galaxy Nexus will not receive Android 4.4 KitKat,[42] even after having 14,000 signatures requesting it."
There are two types of people in the world: Those who crave closure
If my phone is running Android OS, then I should be able to get updates straight from Google.
If that's what you want, then BUY A PHONE FROM GOOGLE.
You mean like my Google Galaxy Nexus that is stuck at 4.3 because Google abandoned it after 18 months, and therefore won't be getting this exploit patched?
I browse on +1 so AC's need not respond, I won't see it.
Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.
The proper solution to this is for Google to be listed as a source for updates, in addition to the OEM and/or carrier. That way, people who are looking for updates can get it.
Not patching Android 4.3 is not a valid reason. Unlike Windows XP which was upgradable to Windows 7 and beyond (even if it required hardware upgrades), that's not so easily done w/ Android hardware. I have an Ellipsis w/ 4.2.2, which I'd love to upgrade to Kitkat or Lollipop, but can't. Nor can I upgrade the internals of that tablet (RAM, storage) so if Google suddenly says that they won't update the OS, I'm screwed. I know there is a big inertia in the market as a result of there being 3 potential sources of software - Google (or Microsoft in case of Windows Phones), the OEM and the carriers. But everybody tossing the ball to each other just leaves a sour experience for customers.
I know no organization wants to maintain 3 or more versions of anything. But that's not a valid reason to expect people to discard phones or tablets bought within the last 3 years. The tablet I'm describing is something I got last May, so I shouldn't have to discard it just b'cos its OS is not being patched and it can't run the latest version that is being patched!
Which has very significant changes to how external storage, SMS, and several other features are handled that break a significant number of applications. 4.4 was not a minor release.
I still have more fans than freaks. WTF is wrong with you people?
Google can't patch most Android phones at the OS level, other than Nexus. Putting Cyanogen to one side, anything else either needs the phone manufacturer, or the manufacturer & the carrier.
The vast majority of Android phones sold are sold via carriers, at subsidized pricing, and come with a carrier-specific build of the phone vendor's Android distribution. The phone vendor can't patch these devices on their own, the carrier needs to be involved.
That's why it takes so long for Android patches to actually get onto phones via these channels - Google might fix something, but the rest of the process could take 6-18 months from when Google ships, if it ever happens.
Ok..so who made the phone? Samsung? LG? HTC? Or were you lucky enough to get a Google Nexus device?
Who sold it to you? Verizon? T-Mobile? AT&T? Sprint?
Oh..did you go to a box retailer to get your phone like RadioShack, BestBuy, or Walmart? Guess what, you still bought your phone from Verizon, T-Mobile, AT&T or Sprint (US centric). The box retailers only get authorization to sell the devices from the Carriers and beyond a "service plan" for replacing the phone when it's broken, have no obligation for OS support. If a box store sells a phone in a manner against the contract agreement the store has with the carrier, even if the end purchaser keeps the phone and maintains good standing on contract he signed in the store, the carrier will bill the store for the full price of the phone that was sold "improperly" and a negation of whatever subsidies the Carrier promised the store for said phone/activation in a procedure called "Charge-backs." I know that at least with Sprint, these Charge-Backs will occur if the end purchaser winds up canceling his contract within 6 months.
The Carriers get and give authorization from/for the device manufacturers to build phones for them (it's a contract negotiation back and forth). Google pushes out an update to the Manufacturers who have to make the drivers for the update to work with their hardware, then the Manufacturers submit the updated OS to the Carrier, and from there it's up to the Carriers to decide (historically: ignore) whether or not the update gets pushed to the end devices.
At least this is how it was until KitKat (4.4). With KitKat Google took back a significant amount of control over how OS updates get pushed out by putting most of the core OS functionality into the GooglePlayServices.apk. Now the only time Google needs to submit an update to a carrier is if there's a major patch issue that needs to be addressed between the operating system and the hardware. All other operating system and security upgrades are pushed through the Play Store from here on, bypassing the Manufacturer and Carrier update process altogether. They did this simply because Fragmentation was becoming such a big problem and Google wanted to get a handle on it. Knowing this...why would Google want to try to push an update out to an OS that they have so little control over compared to the current versions, especially considering that it's more than likely the update wouldn't even be pushed out to the end devices? Fortunately or Unfortunately, the other side of this is that KitKat has become the rut for Google that XP was for Microsoft, and it may be a couple OS versions still before people move from KitKat to the new shiny.
Check your math. The flaw exists in Android 4.3 and older. 4.4 has 39.1% share, and whatever version number version L is has 0.1%. The remainder is 4.3 and older.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black