Slashdot Mirror


Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw

An anonymous reader writes Last month, Google took the bold step of releasing the details of a security vulnerability ahead of Microsoft. Microsoft responded and said that there was a patch in the works which was set to be released two days after Google went live with the details. Microsoft accuses Google of refusing to wait an extra 48 hours so that the patch would have been released along with the details of the exploit. Now, let's see what is happening on the Google side of software development. Recently, an exploit has been uncovered in the WebView component of Android 4.3 — estimated to cover roughly 60% of the Android install base — and Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases. It would appear that over 930 million Android phones in use are out of official Google security patch support.

10 of 629 comments

  1. Re:Doesn't really matter if they do patch it by ZosX · · Score: 4, Informative

    As an unhappy Lollipop user on a 2013 Nexus 7 all I can say is don't bother. My free RAM has dropped from 1 GB to 400 MB. I can't even keep two tabs of Chrome in RAM now. I'm seriously considering downgrading unless Google gets this release right. Furthermore we are up to version 5 of Android and there is still no way to push security updates? That's a pretty serious fail IMO. Google might want to rethink that strategy before it seriously burns them in the long run.

  2. Re:Makes sense. by sshir · · Score: 5, Informative

    No, you simply didn't get the point. Google can't push the patch to those devices (unless they are from the Nexus line). Samsung, LG, etc. must do the pushing. But they won't.

  3. Re:Microsoft over Google any day. by Impy the Impiuos Imp · · Score: 5, Informative

    Microsoft learned to placate government officials by donating to them. They sought power so they could gin up memes like "anti-competitive behavior" and sic true believers, AKA their meme enforcement cogs, until the politicians get paid to get back out of the way.

    Now, having placated the US federal government, most state governments, and most individual EU countries, they must now focus on placating the EU parliament AKA European Federal Government, whose politicians now are wondering why they, too, can't get a piece of the pie.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.

  4. Re:Makes sense. by MouseR · · Score: 4, Informative

    My iPhone 4s (released Oct 2011) is still supported.

    (Though I replaced it with a newer device, I still use it as an iTouch for various reasons).

  5. Re:Makes sense. by macs4all · · Score: 4, Informative

    iOS isn't really any better when it comes to patching old devices. Once the poor, poor, tech company responsible for deploying the OS in the first place decides to stop supporting it, you're SOL.

    Are you stoned, or just stupid?

    In stark contrast to the carrier-controlled paradigm of Android software deployment, Apple maintains sole control over the updating and deployment of iOS (and OS X), and although they do eventually draw the line somewhere, it is always at a point that affects single-digit percentages of the User Base, not the majority of Users as is the case here.

    Apple would be positively pilloried in these pages if they tried something even remotely as irresponsible and high-handed as Google is doing (or rather not doing) in this case.

  6. Re:Doesn't really matter if they do patch it by tobiasly · · Score: 5, Informative

    Furthermore we are up to version 5 of android and there is still no way to push security updates? That's a pretty serious fail IMO. Google might want to rethink that strategy before it seriously burns them in the long run.

    They have rethought that strategy, and the solution is Google Play Services. All of the critical functionality has been moved there, which they can update via the Google Play store. Most of the individual apps have moved to independently-updatable Google Play apps as well. The WebKit-based library discussed here has been replaced by a Chrome-based version, which also receives regular updates.

    And yes, all devices Gingerbread (2.3) and above get these updates. The problem is that the WebView is one of the remaining pieces that was still tied directly to the OS in those earlier versions, so it can't be updated directly.

    I'm not excusing Google for not fixing it here, but saying that version 5 still has no way to push security updates directly is incorrect.
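    The distinction tobiasly draws above, a WebView baked into the OS image on older releases versus Play-updatable components later, has a practical consequence for anyone shipping an Android app to that install base. The following is an added example, not code from this thread or from Google: an app helper that treats the system WebView as unpatchable when the device runs below the API level the thread associates with the Chrome-based WebView (4.4, API 19) and hands untrusted URLs to the device browser instead of rendering them in-process. The class name SafeWebLauncher, the helper names and the threshold policy are assumptions of this example; adjust the threshold to your own support policy.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.webkit.WebView;

/**
 * Added example (not from the thread or from Google): gate in-app WebView use
 * on the OS level so a frozen, unpatchable WebView never renders untrusted content
 * inside this app's process.
 */
public final class SafeWebLauncher {

    // The thread places the switch to a Chrome-based, regularly updated WebView at
    // 4.4 (API 19). Below that, the WebView only changes with a full firmware update
    // from the OEM/carrier, which for 4.3 devices is not coming.
    private static final int FIRST_UPDATABLE_WEBVIEW_API = Build.VERSION_CODES.KITKAT;

    private SafeWebLauncher() {}

    /** True when the system WebView can receive fixes without a firmware update (assumed policy). */
    public static boolean isWebViewUpdatable(int sdkInt) {
        return sdkInt >= FIRST_UPDATABLE_WEBVIEW_API;
    }

    /**
     * Show a remote page. On devices whose WebView cannot be patched, do not render
     * untrusted content in the app; launch the system browser, so any WebView bug
     * runs in the browser's sandbox rather than with this app's permissions.
     */
    public static void openUntrusted(Activity activity, WebView webView, String url) {
        if (isWebViewUpdatable(Build.VERSION.SDK_INT)) {
            webView.loadUrl(url);
            return;
        }
        // Keep the in-app WebView locked down in case it is still used for bundled, trusted pages.
        webView.getSettings().setJavaScriptEnabled(false);

        Intent browse = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
        // Only start the intent if some browser can handle it; otherwise fail closed.
        if (browse.resolveActivity(activity.getPackageManager()) != null) {
            activity.startActivity(browse);
        }
    }
}
```

    The design choice here is to fail closed: on an unpatchable WebView the untrusted page is never loaded into the app at all, and if no browser is available nothing is shown rather than falling back to the frozen component.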

  7. Re:Makes sense. by Enry · · Score: 4, Informative

    That's what changed in 4.4. In 4.3 it was part of the OS, as I understand it, and required a new OS install.

  8. Re:Makes sense. by EvilSS · · Score: 4, Informative

    If my phone is running Android OS, then I should be able to get updates straight from Google.

    If that's what you want, then BUY A PHONE FROM GOOGLE.

    You mean like my Google Galaxy Nexus that is stuck at 4.3 because Google abandoned it after 18 months, and therefore won't be getting this exploit patched?

    --
    I browse on +1 so AC's need not respond, I won't see it.

  9. Re: Makes sense. by Anonymous Coward · · Score: 4, Informative

    Google can't patch most Android phones at the OS level, other than Nexus. Putting Cyanogen to one side, anything else either needs the phone manufacturer, or the manufacturer & the carrier.

    The vast majority of Android phones sold are sold via carriers, at subsidized pricing, and come with a carrier-specific build of the phone vendor's Android distribution. The phone vendor can't patch these devices on their own; the carrier needs to be involved.

    That's why it takes so long for Android patches to actually get onto phones via these channels - Google might fix something, but the rest of the process could take 6-18 months from when Google ships, if it ever happens.

  10. Re: Makes sense. by RavenLrD20k · · Score: 4, Informative

    Ok... so who made the phone? Samsung? LG? HTC? Or were you lucky enough to get a Google Nexus device?

    Who sold it to you? Verizon? T-Mobile? AT&T? Sprint?

    Oh... did you go to a box retailer to get your phone like RadioShack, BestBuy, or Walmart? Guess what, you still bought your phone from Verizon, T-Mobile, AT&T or Sprint (US centric). The box retailers only get authorization to sell the devices from the Carriers and, beyond a "service plan" for replacing the phone when it's broken, have no obligation for OS support. If a box store sells a phone in a manner against the contract agreement the store has with the carrier, even if the end purchaser keeps the phone and maintains good standing on the contract he signed in the store, the carrier will bill the store for the full price of the phone that was sold "improperly" and negate whatever subsidies the Carrier promised the store for said phone/activation, in a procedure called "Charge-backs." I know that at least with Sprint, these Charge-Backs will occur if the end purchaser winds up canceling his contract within 6 months.

    The Carriers get and give authorization from/for the device manufacturers to build phones for them (it's a contract negotiation back and forth). Google pushes out an update to the Manufacturers who have to make the drivers for the update to work with their hardware, then the Manufacturers submit the updated OS to the Carrier, and from there it's up to the Carriers to decide (historically: ignore) whether or not the update gets pushed to the end devices.

    At least this is how it was until KitKat (4.4). With KitKat Google took back a significant amount of control over how OS updates get pushed out by putting most of the core OS functionality into the GooglePlayServices.apk. Now the only time Google needs to submit an update to a carrier is if there's a major patch issue that needs to be addressed between the operating system and the hardware. All other operating system and security upgrades are pushed through the Play Store from here on, bypassing the Manufacturer and Carrier update process altogether. They did this simply because fragmentation was becoming such a big problem and Google wanted to get a handle on it. Knowing this... why would Google want to try to push an update out to an OS that they have so little control over compared to the current versions, especially considering that it's more than likely the update wouldn't even be pushed out to the end devices? Fortunately or unfortunately, the other side of this is that KitKat has become the rut for Google that XP was for Microsoft, and it may be a couple OS versions still before people move from KitKat to the new shiny.