Slashdot Mirror


Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw

An anonymous reader writes: Last month, Google took the bold step of releasing the details of a security vulnerability ahead of Microsoft. Microsoft responded and said that there was a patch in the works which was set to be released two days after Google went live with the details. Microsoft accuses Google of refusing to wait an extra 48 hours so that the patch would have been released along with the details of the exploit. Now, let's see what is happening on the Google side of software development. Recently, an exploit has been uncovered in the WebView component of Android 4.3 — estimated to cover roughly 60% of Android install base — and Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases. It would appear that over 930 million Android phones in use are out of official Google security patch support.

11 of 629 comments

  1. Microsoft over Google any day. by Anonymous Coward · · Score: 2, Interesting

    The MS of the '90s, harangued endlessly by a shockingly left-wing government (by today's standards), ended up being put in its place not by regulation but by competition. But even back then, as it dominated the desktop and the browser, it showed high respect for client privacy and control. Google's monopolistic behaviour knows no bounds. I'd take MS any day.

    In my 30 years in IT, the difference I've found between MS and [insert any other brand] is that nobody loves MS - there is no religion as there has been around Apple, or Linux, or Google. They're practical businesspeople, who sometimes show excessive greed and stupid short-sightedness, but are always judged on their merits - people will abandon them as quick as they'll choose them, if they turn bad. And that's a good thing. It keeps them on their toes. Ballmer was a dick in the works for a while, but he's been kicked out, because everyone said exactly what they thought - there weren't hordes of fanboys(*) telling the world how wonderful the Start Screen is.

    (*) Paid exceptions exist, such as Paul Thurrott. But nothing like him exists in the userbase.

  2. Re:Makes sense. by Gr8Apes · · Score: 1, Interesting

    We really need an edit option: Sept 2014, not September 2013....

    --
    The cesspool just got a check and balance.
  3. Re:Makes sense. by Rich0 · · Score: 1, Interesting

    You certainly didn't hear it from me. I'm sure I've posted here before that iOS's update policies are far better than Android's. I still prefer Android and I only buy devices that I know I can keep up-to-date myself if necessary, but I won't make excuses for a security policy that would have seemed backwards in 1995.

  4. Android support is a long term Clusterfuck by Virtucon · · Score: 3, Interesting

    I write software for Android and what bothers me is that there's always this push for latest and greatest while we still have a significant number of devices getting left out in the cold because they're 2 or more years old. Android is a three legged stool, Google, Device Manufacturers and Carriers and all three have to get their shit together on patch management and routine updates to the devices. All of them share equally in this problem yet they just seem to be aligned to always force you to buy a new device to get what most would consider reasonable software support. That's bullshit. Sure Google, we get it you want everybody to be on the latest and greatest and yes there are features that can't be supported with every new release however there's that sticky little thing called time to market and while you may come out with a new release, the uptake by your licensed manufacturers isn't that fast. 4.3 didn't become available widely in devices until late 2012 which is just in time for Christmas so that makes 4.3 only 2 years old basically in terms of market exposure. That's young for a smart phone. I also get it if HTC or Samsung or Vendor X out there don't want to support software in order to entice you to buy a new device, but at $600 to $800 for a high end smart phone you're not going to see the majority of your customers buy a new one every year just to keep up with the latest version of Android. That's borne out by the 1 Billion devices on 4.3 which is a pretty large market. Oh and to you carriers, your bloatware and other crap isn't helping either. If you're not willing to support it for at least the life expectancy of the device, which can be up to 5 years now, then get it off of there so you can at least improve your release time frequency so that your customers aren't left with insecure devices.

    Google needs to take the lead here and work with the downstream manufacturers and carriers to fix this shit because it's becoming a nuisance for the development community and for the end users.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  5. Re:Makes sense. by Enry · · Score: 3, Interesting

    Google doesn't make the version of Android that goes out on e.g. Samsung phones. Google can patch 4.3 all they want, but it's up to Samsung to take the patch, implement it, test it on all their devices, then get blessing from the various carriers to send it out. Given there's still people out there with S3s (and probably S2s) there's no chance they're going to put the effort into it and instead tell people to get the shiny new S5.

  6. Re:The truth of the matter by Angua · · Score: 5, Interesting

    Google made the 90 day deadline up, sure. But they are enforcing it, which I think is pretty cool. MS wanted them to wait two days. TWO DAYS. Which says to me they were testing the waters. No way those two days were actually crucial for MS. If you can finish the job in 92 days, you can finish it in 90 days (especially when you have the resources MS has). They were simply finding out if Google would bend their 90 day rule. Next time, it would be a week. The time after, it would be a month. Until they could and would just ignore it. Since Google stuck to their guns, MS has to resort to the tactic of making Google out to be the bad guy. Which, to be fair, they kind of are. MS doesn't like to be bossed around any more than anyone else. But to me, this is the type of pressure which is on the whole beneficial to the users in the long run.

    --
    I am not a vegetarian werewolf.
  7. Re:Makes sense. by aztracker1 · · Score: 3, Interesting

    The issue is that the platform doesn't have a common boot, and initialization system... also, said devices are often packaged with only the drivers for that device, specifically compiled for that version of the OS... now that things are maturing, Google should come out with some common driver interfaces so binary drivers can work across platform versions. This would make sense as Google is breaking portions of the OS into upgradable units.

    --
    Michael J. Ryan - tracker1.info
  8. Re:Makes sense. by peppepz · · Score: 4, Interesting

    But Google continuously updates Google Play Services on my phone without me even noticing, let alone the carrier or the device manufacturer approve and test the changes.

    In the same way, they could update the WebView as well (hadn't they put it into a read-only file system, digitally signed by the device manufacturer). It's a userspace component with no implications on the phone service or the radio baseband.

    In fact, IIRC the WebView can be updated through the market in the newer versions of Android.

  9. Re: Makes sense. by Karlt1 · · Score: 1, Interesting

    There's already a free fix.. Android 4.4.*, 5.0, 5.0.1 ..

    And on the other side, Apple back ported a patch for iOS 6 for the iPhone 3GS in January 2014 - after iOS was released. The 3GS was released in June 2009.

  10. Re:Makes sense. by Immerman · · Score: 3, Interesting

    According to http://en.wikipedia.org/wiki/A... Android 4.3 is only responsible for 6.5% of devices, with 4.1 and 4.2 combined being responsible for 39.5% and 4.4 for 39.1%.

    Of course that's based on a survey of devices that accessed the Google Play store during the first week of this year, so may not be entirely accurate. Still, it seems likely that 4.3 is a bit player, even if new devices are still available with it. I'd love to see Google backporting fixes, but I can understand it being a low priority. Besides which I'm willing to bet that precious few new devices are running *Google* Android, which means not only would Google have to backport the fixes, they'd also need to convince downstream distributors to port the fixes into their cut-rate custom Android distros - which seems like an uphill battle. And it's not like the various distros couldn't.

    Does any of that excuse Google, or the other Android distros? Of course not. But by this point perhaps I'm just so jaded about the customer-abusive behaviors of the various manufacturers that it doesn't surprise me at all. If you have good support, then you have probably already upgraded to 4.4.x. If not - well then you probably had the option to do due-diligence before your purchase and realize you were going to be screwed on updates anyway.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  11. Re: Makes sense. by Anonymous Coward · · Score: 4, Interesting

    But they didn't. The summary is wrong (plain lying in the hope nobody checks). It's actually a tiny 6.5%.