Slashdot Mirror


Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw

An anonymous reader writes Last month, Google took the bold step to release the details of a security vulnerability ahead of Microsoft. Microsoft responded and said that there was a patch in the works which was set to be released two days after Google went live with the details. Microsoft accuses Google of refusing to wait an extra 48 hours so that the patch would have been released along with the details of the exploit. Now, let's see what is happening on the Google side of software development. Recently, an exploit has been uncovered in the WebView component of Android 4.3 — estimated to cover roughly 60% of the Android install base — and Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases. It would appear that over 930 million Android phones in use are out of official Google security patch support.


  1. Makes sense. by Anonymous Coward · · Score: 5, Insightful

    Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.

    1. Re:Makes sense. by MachineShedFred · · Score: 5, Insightful

      And somehow this is an acceptable situation?

      "Too fucking bad buy a new phone" is not a proper response for a gaping security flaw. I hold Google accountable, as well as the handset manufacturers.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    2. Re:Makes sense. by Rich0 · · Score: 5, Insightful

      I've been wondering when people would start to take notice of this problem with Android. There is no general policy of security backports on it at all. Phones can have security vulnerabilities like anything else - it is just a matter of time before we start seeing exploits.

      They're doing a better job with ChromeOS, with a 5 year support pledge. Ironically that still isn't as good as Windows (10yrs from obsolescence vs 5yrs from introduction). If you want to see big companies taking Linux seriously, vendors need to start matching Windows support timelines. People like to joke about XP, but it was supported just a year ago, and what was the latest version of your favorite Linux distro when XP first came out? Being secure without having to do major updates is a big selling point.

    3. Re:Makes sense. by ichthus · · Score: 5, Insightful

      I totally agree. Google could patch it, but it would then be up to the various manufacturers to push it out (Samsung, et al.) But, despite this, Google should still patch it, for PR's sake.

      --
      sig: sauer
    4. Re:Makes sense. by Anonymous Coward · · Score: 5, Insightful

      You forgot the carriers.

      They're probably the worst offenders of all, as holding back an update means they can use "comes with the latest OS!!" as a selling point on their merchandise.

    5. Re:Makes sense. by Anonymous Coward · · Score: 3, Insightful

      Google has fixed the vulnerability in later revs.

      You, sir, are a twat - Google doesn't control deployment of fixes or updates, your service / hardware provider does.

      If you want Google to control your versioning, then buy a Google product.

      Buying an AT&T or Verizon product running Google's Android OS, leaves you at the whims of AT&T and Verizon as to when or even "IF" you get the updates.

      The same thing holds true for all products running Android - the company that the products are manufactured for control the delivery channel.

      Would it be nice if Google could *FORCE* companies like AT&T, Verizon, T-Mobile and Sprint to upgrade the OS on the devices they sold? Hell yes, but that's not going to happen because then these big asshole companies wouldn't sell as much product if people got the latest features on aging handsets and tablets.

    6. Re:Makes sense. by gstoddart · · Score: 5, Insightful

      Not being able to patch an older system that could be patched, that makes sense to you?

      I'll never understand the logic of Android fanboys. At this point I'll pick iOS and Windows over Android any time.

      I'm sorry, but what?

      I bought my first gen iPad within a month of launch. In less than 2.5 years it was unsupported on the latest version of iOS.

      When I updated my latest gen iPod touch to iOS 8.x, I ran into problems, had a few apps stop working, and generally found myself underwhelmed.

      Apple does the exact same shit, and don't pretend they don't.

      Basically manufacturers expect us to pay for a new device every year or two, and then quickly decree them to be off support.

      So WTF should we pay full price for something they're going to abandon in a relatively short period of time for?

      Sorry, but no. If you want to charge me $700 for a device, I expect you to support it longer than two years. Otherwise, I'm not buying your shit any more, because you somehow think of me as a revolving cash supply.

      In this regards, I think both Android and iOS are sorely lacking.

      So, screw the lot of them. Want these devices to be disposable? Sell them to us at discounted prices instead of your inflated prices. Or if you're going to charge us that much money, support it MUCH longer.

      Two years support for a brand new device? Hell no.

      --
      Lost at C:>. Found at C.
    7. Re:Makes sense. by bondsbw · · Score: 1, Insightful

      I bought a Motorola phone a few months after they were bought by Google. I thought, oh, this means they will get quick updates.

      Wrong.

      Google wants Android to succeed but is unwilling to hold OEMs accountable. It should require all OEMs that use the Android logo to push all new Android updates to devices that are less than 2 years old, within 3 months for standard updates and within 1 month for critical security fixes.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    8. Re:Makes sense. by fustakrakich · · Score: 4, Insightful

      for PR's sake.

      They don't need that anymore. And maybe the manufacturers prefer that Google doesn't patch it. It relieves them of all liability.

      --
      “He’s not deformed, he’s just drunk!”
    9. Re:Makes sense. by DerekLyons · · Score: 2, Insightful

      As the grandparent said... I'll never understand the logic of Android fanboys.

      It doesn't matter that someone else may or may not push the patch - it matters that Google categorically refuses to fix a flaw.

    10. Re:Makes sense. by ArcadeMan · · Score: 5, Insightful

      Would it be nice if Google could *FORCE* companies like AT&T, Verizon, T-Mobile and Sprint to upgrade the OS on the devices they sold? Hell yes, but that's not going to happen because then these big asshole companies wouldn't sell as much product if people got the latest features on aging handsets and tablets.

      Works for iOS. Carriers cannot prevent the upgrade of devices that can be upgraded.

    11. Re:Makes sense. by ArcadeMan · · Score: 4, Insightful

      Apple wouldn't stop supporting devices that still count for 60% of their own statistics.

    12. Re:Makes sense. by Wycliffe · · Score: 5, Insightful

      I've been wondering when people would start to take notice of this problem with Android.

      930 million phones might be enough. Now we just need someone to write a worm that uses this to get noticed by taking
      down the cellular network for a few days and then maybe someone will get smart enough to require phone manufacturers
      to push updates for a reasonable amount of time (say 5 years after they stop selling the phone).
      I've seen phones stop receiving updates before their 2 year contract is even up. This should be breach of contract.

    13. Re:Makes sense. by c · · Score: 4, Insightful

      I hold Google accountable, as well as the handset manufacturers.

      I believe Google's fix is called "Android 4.4" or "Android 5.x".

      That the handset manufacturers can't seem to figure out how to get updates for older devices to newer versions of Android is the core of the problem. I mean, Cyanogenmod generally seems to be able to do it, largely using volunteer labour, so it can't be rocket science (for my handset, vendor support stopped around 4.1... there's a nightly 5.0 now available).

      You could argue that Google should set an explicit support cutoff date for patches for older versions, but when the handset makers' policy on end of life ranges from "until the average contract runs down" to "until the retail store's return period has passed", I'm not sure there's much point.

      --
      Log in or piss off.
    14. Re:Makes sense. by Flavianoep · · Score: 2, Insightful

      If you want to see big companies taking Linux seriously, vendors need to start matching Windows support timelines. People like to joke about XP, but it was supported just a year ago, and what was the latest version of your favorite Linux distro when XP first came out? Being secure without having to do major updates is a big selling point.

      AFAIK, there's no point in "buying" Linux, however, you may buy a support subscription, which can be renewed indefinitely. Upgrading the system is free.

      --
      Linux is for people who don't mind RTFM.
    15. Re:Makes sense. by ArcadeMan · · Score: 3, Insightful

      ... that still accounts for 60% of Android devices.

    16. Re:Makes sense. by tysonedwards · · Score: 4, Insightful

      Technically, Google *did* fix the flaw, in later versions of Android. They just didn't backport said fix to 4.3.

      However, as Manufacturers won't roll a new update off of said backport even if it did exist as they're incentivized to support phones that are under warranty and where possible sell new phones to customers, Carriers would drag their feet on approvals of said updates if they even authorized it at all as they're inclined to both avoid angry support calls from customers about "my phone is different" yet also sell new phones to get people under contract, money disappearing at all levels into the giant black hole of bureaucratic process, what does it really matter? It's a zero sum proposition.

      --
      Thirty four characters live here.
    17. Re:Makes sense. by CastrTroy · · Score: 3, Insightful

      This is why I hate the Android model of updates. I don't have to wait for HP, Dell, Lenovo, and others for my desktop to get updated. There's no reason I should have to wait on Samsung, LG, HTC, or even worse AT&T or Verizon to get an update for my phone. If my phone is running Android OS, then I should be able to get updates straight from Google. I like Android in every other aspect except their update strategy. I am due for a new phone soon, and I really don't want to get screwed over (again) with a phone that doesn't get a single OS update after I buy it. I'm kind of leaning towards Windows Phone at this point. I could consider iOS, but their phones are much too expensive for my tastes.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    18. Re:Makes sense. by c · · Score: 3, Insightful

      In this regards, I think both Android and iOS are sorely lacking.

      With Android at least there may be other providers for updates. It still sucks, but I'll take "sucks but possible" over "sucks and go fuck yourself" any day.

      --
      Log in or piss off.
    19. Re:Makes sense. by MachineShedFred · · Score: 1, Insightful

      Cite the fucking law, if it's so mandated by law.

      Because if you're right, then Apple has a few hundred million counts of breaking that law.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    20. Re:Makes sense. by Lumpy · · Score: 2, Insightful

      Not Google's fault that device makers are too damned lazy to compile and deliver updated OS images to its customers.

      When is Microsoft going to patch those flaws in Windows XP!

      --
      Do not look at laser with remaining good eye.
    21. Re: Makes sense. by twitnutttt · · Score: 4, Insightful

      But at least there is the *possibility* of getting a patch if Google makes one. Without that, no chance!
      That Google would unannouncedly end-of-life (EOL) a product with the majority of its Android market share makes me so mad!!

    22. Re:Makes sense. by aristotle-dude · · Score: 3, Insightful

      Google doesn't make the version of Android that goes out on e.g. Samsung phones. Google can patch 4.3 all they want, but it's up to Samsung to take the patch, implement it, test it on all their devices, then get blessing from the various carriers to send it out. Given there's still people out there with S3s (and probably S2s) there's no chance they're going to put the effort into it and instead tell people to get the shiny new S5.

      Should not matter. If they are patching the core, the core should be available for updating by google directly by alerting the user of a needed patch. The customization should not be touching the core of the OS.

      --
      Jesus was a compassionate social conservative who called individuals to sin no more.
    23. Re:Makes sense. by Anonymous Coward · · Score: 5, Insightful

      MS supported bug fixes for XP for TWELVE years. Google has barely supported 18 months. There is absolutely no comparison. Use your head and stop blindly worshiping Google and hating MS. I know it's hard to not be a complete idiot, but give it your best.

    24. Re:Makes sense. by tlhIngan · · Score: 3, Insightful

      930 million phones might be enough. Now we just need someone to write a worm that uses this to get noticed by taking
      down the cellular network for a few days and then maybe someone will get smart enough to require phone manufacturers
      to push updates for a reasonable amount of time (say 5 years after they stop selling the phone).
      I've seen phones stop receiving updates before their 2 year contract is even up. This should be breach of contract.

      Well, technically, phones never got software updates - updates are a relatively new thing.

      And really, the reason Google doesn't push OEMs to force software updates is because of AOSP. Samsung's a big offender, releasing anywhere from 2-3 new smartphones a week in 2014 (seriously, they released over 100 new phones last year), and over 1 tablet a week (yes, over 50 brand new tablets).

      Granted, Samsung has more developers than Apple, Google and Microsoft combined, but you can bet terms like this would be the one that just moves OEMs to AOSP and undo all the work Google did. Hell, Samsung has replacement apps for every one of Google's (they're the only OEM to do so), so they're not dependent on Google's apps to sell phones.

      And no, it's no surprise Samsung is also the largest Android manufacturer out there with a huge market share.

    25. Re:Makes sense. by Anonymous Coward · · Score: 5, Insightful

      This sudden attempt by Google supporters to shift the responsibility is the lamest fucking excuse I've ever seen. Microsoft has supported XP FAR longer than Google has supported... well, anything. I also especially like how suddenly it's not Google's fault for NOT thinking ahead and making it possible to deploy security updates to their OS like certain other phone vendors did BEFORE Google made their competing OS.

      Seriously, for all the bluster here that "it's not Google's fault!" this is 100% Google's fault. It's their security vulnerability, their inability to update many of the devices easily, and their desire to stop supporting something less than 3 years after it was made, despite it still being fully-functional. Since when has the geek crowd become so pathetic that we've bought into the planned obsolescence phase whole-heartedly, and started making excuses for the biggest tech firms on Earth?

    26. Re:Makes sense. by MSG · · Score: 2, Insightful

      If my phone is running Android OS, then I should be able to get updates straight from Google.

      If that's what you want, then BUY A PHONE FROM GOOGLE.

      Otherwise, you're expecting Google to provide the development and support for hardware they didn't sell. Your money goes to company X, but you expect Google to do the work? That's not how any economic system works. You made an exchange of money for goods with company X. Warranty, support, etc is their responsibility. They're the one that you're paying.

    27. Re: Makes sense. by Anonymous Coward · · Score: 3, Insightful

      It is Google's fault for losing control of their OS to the point that they can't push core OS security patches. Who cares if they have moved to a diff version? When 60% of your user base has the old version and there are known security holes then you should patch them.

    28. Re:Makes sense. by NatasRevol · · Score: 1, Insightful

      Google has fixed the vulnerability in later revs.

      But not the 900,000,000+ phones running it.

      --
      There are two types of people in the world: Those who crave closure
    29. Re:Makes sense. by NatasRevol · · Score: 2, Insightful

      Good answer for the (hundreds of?) millions of phones that can't be updated; the genius of putting carriers in control of the OS & updates.

      --
      There are two types of people in the world: Those who crave closure
    30. Re: Makes sense. by Rich0 · · Score: 3, Insightful

      I had a G1 and that definitely quit receiving updates before the 2-year contract ended.

      The G1 and ADP stopped receiving updates before they even stopped selling them. They didn't even get Eclair (officially), despite the ADP being the official Google developer phone up until the Nexus One came out. Fortunately none of the Nexus devices suffered that fate, though many were only supported for 1.5 years.

    31. Re: Makes sense. by danbob999 · · Score: 4, Insightful

      The patch exists. It's called Android 4.4.

    32. Re:Makes sense. by unixisc · · Score: 3, Insightful

      I thought that that changed in 5.0 - Lollipop - the thing people were creaming here on /. a few days ago

    33. Re: Makes sense. by Solandri · · Score: 4, Insightful

      That was my impression too just from reading the summary title. Google only "threw Microsoft under the bus" if Microsoft was standing in the middle of the street, Google told them for 3 months that they were standing in the middle of the street and they should get back on the sidewalk, then on the 91st day they told the public that hey this guy is standing in the middle of the street please try to drive around him, then a bus came and hit him and you somehow consider it to be Google's fault.

    34. Re:Makes sense. by hairyfeet · · Score: 1, Insightful

      MSFT gave XP users 7 years to migrate to the next version, 5 years past the last sold copies. Meanwhile Google pulls support while the majority is still on the unsupported version and in fact the majority of units being sold in retail are still using the vulnerable build!

      C'mon fanboys, have some fucking balls will ya? Quit being hypocrites, if this were ANYBODY else, would you put up with this shit? If Apple found an exploit in iPhone 5 and told the users "fuck you, buy iPhone 6" would you say that is fair? We are talking about devices that can cost half a fricking grand and which are barely two years old people!

      If you want to claim that mobile beats the desktop? Then putting up with this Mickey Mouse horseshit has GOT to stop, this is the kind of shit the desktop saw in the 1980s, with everything proprietary, nothing supported, and the answer always being "buy a new one"!

      So stop being fucking fanboys and DEMAND BETTER!! If Google puts out a patch and the carriers don't push it? Fine we can jump the carrier's asses but as of right now the FAULT IS WITH GOOGLE, it is THEY who are fucking the users, NOT the carriers! So no excuses, no fanboy bullshit, hold Google to the same standards and nail their asses to the damned wall!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    35. Re: Makes sense. by unixisc · · Score: 3, Insightful

      That's b'cos the architecture of the 2 are completely different. Windows Phone 7.x is based on Windows CE, while 8.x is based on Windows NT. So one can't expect to upgrade from a Windows Phone 7 to a Windows Phone 8 on the same phone.

    36. Re:Makes sense. by Grishnakh · · Score: 3, Insightful

      I've been wondering when people would start to take notice of this problem with Android. There is no general policy of security backports on it at all.

      If you want to see big companies taking linux seriously vendors need to start matching Windows support timelines.

      Wrong.

      Android is not Linux. Android being mismanaged has nothing to do with Linux distributions such as Red Hat, Ubuntu, Arch, Debian, etc.

      Anyway, no one really cares that much about desktop and server Linux distros having support for that long because it's easy to simply update the OS to a newer version periodically: it doesn't cost anything, and it doesn't usually break anything either (unlike Windows where changing from, say, XP to 7 will break all kinds of things because there's so many fundamental changes in the OS).

  2. Google is doing the right thing by mlkj · · Score: 1, Insightful

    I'm still on 2.3. I wouldn't get any update whatsoever.
    The phone manufacturer couldn't careless if they tried.

    At least now there's a push to not keep using ancient versions.

    1. Re:Google is doing the right thing by Anonymous Coward · · Score: 0, Insightful

      couldn't careless

      You don't make the usual "could care less" mistake but then you mess it up by writing "careless" instead of "care less".

      Not sure if trolling or just stupid.

  3. Doesn't really matter if they do patch it by oobayly · · Score: 3, Insightful

    Even if Google were to patch 4.3, it's unlikely that it would ever hit anyone's device as the manufacturers are so shit at pushing out updates. Not that this is a defence for not patching it - Jelly Bean was only released 2.5 years ago.

    And it's not just some manufacturers, Google is just as guilty - my [2013] Nexus 7 asked me whether I wanted to upgrade to Lollipop, I was busy at the time, so I hit no. Now I can't get the thing to see that there *is* a new version - 5.0.2 was released 3 weeks ago, and it still says "Your system is up to date". Like fuck it is.

  4. Google's official support policy by Anonymous Coward · · Score: 5, Insightful

    1- You can go buy a new Android phone; or
    2- You can go fuck yourself.

  5. They gave MS 90 days by Anonymous Coward · · Score: 5, Insightful

    I don't believe for a moment that MS were working flat-out on the patch for 90 days - it's more likely that they left it until the last minute, and then assumed that Google would make a special exception for them.

    Sorry Microsoft, the deadline is the same for everyone.

  6. Google doesn't support old versions? by nine-times · · Score: 3, Insightful

    Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases.

    To me, this only really seems like a valid position if vendors allowed people to upgrade at will, but as far as I know, Android users are still held to whichever version their carrier/manufacturer allow. June 2012 is only 2.5 years ago, which means (I'm guessing) that it's possible you purchased a phone less than 2 years ago that had this version of the OS. That means, you could have purchased your phone brand new, it might still be under contract, and it's unsupported.

    Now, if you're free to install the latest version on your phone, then it seems much more reasonable.

  7. Android is not Chrome. by pla · · Score: 5, Insightful

    First, I consider myself a fan of the Googlesphere. I love Android, love Chrome, love GMail, enjoy the availability of their online Apps, and so on. (Hate hate hate Google+, though).

    And saying that - Google needs to come to terms with the fact that they can't get away with the same bullshit update cycle for an OS installed on physical hardware, as they do with Chrome. For a desktop browser, weekly updates with support ending more-or-less after a year counts as an annoyance, but not a deal-killer. For an OS, just "no". My last phone lasted a decade - Support your devices (at least for critical vulnerability patches) for at least that long, or GTFO of the playground.

  8. The truth of the matter by JonathanP.Bennett · · Score: 5, Insightful

    The original article doesn't give any details as to what this "exploit" is in android. Even if it is a real exploit, no new phones will be made with Android 4.3, and at this point, no manufacturer would push an update to an old device even if Google did fix it. As to Google throwing Microsoft under the bus, that is utter crap. Google privately disclosed a vulnerability to MS, and *TOLD THEM* they had 90 days. After 90 days, Google publicly released the vulnerability. This is standard stuff. Giving a deadline is the only way to keep vulnerabilities out of the NSA toolkit and force MS to actually fix it.

  9. 930 MILLION devices vulnerable by scottbomb · · Score: 4, Insightful

    It would seem to me that they have a responsibility to support the versions that are in use by the majority of their customers. This whole idea that 2.5-year-old software is "ancient" is a load of BS. Imagine the outcry if Microsoft quit supporting each version of Windows after such a short time.

  10. False sense of security by Dishwasha · · Score: 4, Insightful

    I'm sorry, but are people actually under the impression that their phones are secure?

  11. I love a good Google hate thread... by clonehappy · · Score: 3, Insightful

    ...as much as the next guy. But honestly, are there still nerds in 2015 who don't understand how the Android model works? Think of Android as "Linux". Each manufacturer has their own distro of Android, and then there's the "reference" distro, made by Google, that is on Nexus devices called "Stock Android". All the distros are based on the "Stock Android" distro, and the manufacturers customize and add on from there.

    So, blaming Google for a flaw in a previous version of Android is like blaming "Linux" for a security flaw in a previous version of Ubuntu. See how much sense that makes? All Ubuntu has to do is use a more recent kernel/library/whatever that doesn't contain the flaw and release an update or new version. The same thing goes for Android, all the handset manufacturers have to do is release an update that contains the fix, and their problems are solved. A current build of "Stock Android" already contains the fix, your manufacturer's outdated distro, however, doesn't.

    There are plenty of things we can legitimately blame on Google, but blaming the flaws of handset manufacturers and cellular carriers on Google doesn't help anything. Put pressure on your carriers and manufacturers to stop dragging their feet and support their products beyond the next fiscal quarter or two!