Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw

An anonymous reader writes Last month, Google took the bold steps to release the details of a security vulnerability ahead of Microsoft. Microsoft responded and said that there was a patch in works which was set to be released two days after Google went live with the details. Microsoft accuses Google for refusing to wait an extra 48 hours so that the patch would have been released along with the details of the exploit. Now, let's see what is happening on the Google side of software development. Recently, an exploit has been uncovered in the WebView component of Android 4.3 — estimated to cover roughly 60% of Android install base — and Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases. It would appear that over 930 million Android phones in use are out of official Google security patch support.

Makes sense.

Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.

Re:Makes sense.

[MachineShedFred]

And somehow this is an acceptable situation?

"Too fucking bad buy a new phone" is not a proper response for a gaping security flaw. I hold Google accountable, as well as the handset manufacturers.

Re:Makes sense.

[Rich0]

I've been wondering when people would start to take notice of this problem with Android. There is no general policy of security backports on it at all. Phones can have security vulnerabilities like anything else - it is just a matter of time before we start seeing exploits.

They're doing a better job with ChromeOS, with a 5 year support pledge. Ironically that still isn't as good as Windows (10yrs from obsolescence vs 5yrs from introduction). If you want to see big companies taking linux seriously vendors need to start matching Windows support timelines. People like to joke about XP, but it was supported just a year ago and what was the latest version of your favorite Linux distro when XP first came out? Being secure without having to do major updates is a big selling point.

Re:Makes sense.

[ichthus]

I totally agree. Google could patch it, but it would then be up to the various manufacturers to push it out (Samsung, et al.) But, despite this, Google should still patch it, for PR's sake.

Re: Makes sense.

[binarylarry]

This is a hit job from a shitty windows enthusiast website (neowin.net).

Do not click any links!

Re:Makes sense.

You forgot the carriers.

They're probably the worst offenders of all, as holding back an update means they can use "comes with the latest OS!!" as a selling point on their merchandise.

Re:Makes sense.

[sshir]

No, you simply didn't get the point. Google can't push the patch to those devices (unless they are from Nexus line). Samsung, LG, etc. must do the pushing. But they wont.

Re:Makes sense.

Google has fixed the vulnerability in later revs.

You sir are a twat - Google doesn't control deployment of fixes or updates, your service / hardware provider does.

If you want Google to control your versioning, then buy a Google product.

Buying an AT&T or Verizon product running Google's Android OS, leaves you at the whims of AT&T and Verizon as to when or even "IF" you get the updates.

The same thing holds true for all products running Android - the company that the products are manufactured for control the delivery channel.

Would it be nice if Google could *FORCE* companies like AT&T, Verizon, T-Mobile and Sprint to upgrade the OS on the devices they sold? Hell yes, but that's not going to happen because then these big asshole companies wouldn't sell as much product if people got the latest features on aging handsets and tablets.

Re:Makes sense.

[gstoddart]

Not being able to patch an older system that could be patched, that makes sense to you?

I'll never understand the logic of Android fanboys. At this point I'll pick iOS and Windows over Android any time.

I'm sorry, but what?

I bought my first gen iPad within a month of launch. In less than 2.5 years it was unsupported on the latest version of iOS.

When I updated my latest gen iPod touch to iOS 8.x, I ran into problems, had a few apps stop working, and generally found myself underwhelmed.

Apple does the exact same shit, and don't pretend they don't.

Basically manufacturers expect us to pay for a new device every year or two, and then quickly decree them to be off support.

So WTF should we pay full price for something they're going to abandon in a relatively short period of time for?

Sorry, but no. If you want to charge me $700 for a device, I expect you to support it longer than two years. Otherwise, I'm not buying your shit any more, because you somehow think of me as a revolving cash supply.

In this regards, I think both Android and iOS are sorely lacking.

So, screw the lot of them. Want these devices to be disposable? Sell them to us at discounted prices instead of your inflated prices. Or if you're going to charge us that much money, support it MUCH longer.

Two years support for a brand new device? Hell no.

Re:Makes sense.

[fustakrakich]

for PR's sake.

They don't need that anymore. And maybe the manufactures prefer that Google doesn't patch it. It relieves them of all liability.

Re:Makes sense.

[spacepimp]

Google can't push out updates to the handsets. The carriers by law mandated that only they can update and test the devices. You as a citizen and owner of the device cannot do this yourself either. But sure Google is at fault.

Re:Makes sense.

[ArcadeMan]

Would it be nice if Google could *FORCE* companies like AT&T, Verizon, T-Mobile and Sprint to upgrade the OS on the devices they sold? Hell yes, but that's not going to happen because then these big asshole companies wouldn't sell as much product if people got the latest features on aging handsets and tablets.

Works for iOS. Carriers cannot prevent the upgrade of devices that can be upgraded.

Re:Makes sense.

[ArcadeMan]

Apple wouldn't stop supporting devices that still count for 60% of their own statistics.

Re:Makes sense.

[Wycliffe]

I've been wondering when people would start to take notice of this problem with Android.

930 million phones might be enough. Now we just need someone to write a worm that uses this to get noticed by taking
down the cellular network for a few days and then maybe someone will get smart enough to require phone manufacturers
to push updates for a reasonable amount of time (say 5 years after they stop selling the phone).
I've seen phones stop receiving updates before their 2 year contract is even up. This should be breach of contract.

Re:Makes sense.

[c]

I hold Google accountable, as well as the handset manufacturers.

I believe Google's fix is called "Android 4.4" or "Android 5.x".

That the handset manufacturers can't seem to figure out how to get updates for older devices to newer versions of Android is the core of the problem. I mean, Cyanogenmod generally seems to be able to do it, largely using volunteer labour, so it can't be rocket science (for my handset, vendor support stopped around 4.1... there's a nightly 5.0 now available).

You could argue that Google should set an explicit support cutoff date for patches for older versions, but when the handset makers policy on end of life ranges from "until the average contract runs down" to "until the retail store's return period has passed", I'm not sure there's much point.

Re:Makes sense.

[MouseR]

My iPhone 4s is (release oct 2011) is still supported.

(Though I replaced it with a newer device, I still use it as an iTouch for various reasons).

Re:Makes sense.

[Enry]

Google doesn't make the version of Android that goes out on e.g. Samsung phones. Google can patch 4.3 ll they want, but it's up to Samsung to take the patch, implement it, test it on all their devices, then get blessing from the various carriers to send it out. Given there's still people out there with S3s (and probably S2s) there's no chance they're going to put the effort into it and instead tell people to get the shiny new S5.

Re:Makes sense.

[macs4all]

iOS isn't really any better when it comes to patching old devices. Once the poor, poor, tech company responsible for deploying the OS in the first place decides to stop supporting it, you're SOL.

Are you stoned, or just stupid?

In stark contrast to the carrier-controlled paridigm of Android software deployment, Apple maintains sole control over the updating and deployment of iOS (and OS X), and although they do eventually draw the line somewhere, it is always at a point that affects single-digit percentages of the User Base, not the majority of Users as is the case here.

Apple would be positively pilloried in these pages if they tried something even remotely as irresponsible and high-handed as Google is doing (or rather not doing) in this case.

Re:Makes sense.

[ArcadeMan]

... that still accounts for 60% of Android devices.

Re:Makes sense.

[tysonedwards]

Technically, Google *did* fix the flaw, in later versions of Android. They just didn't backport said fix to 4.3.

However, as Manufacturers won't roll a new update off of said backport even if it did exist as they're incentivized to support phones that are under warranty and where possible sell new phones to customers, Carriers would drag their feet on approvals of said updates if they even authorized it at all as they're inclined to both avoid angry support calls from customers about "my phone is different" yet also sell new phones to get people under contract, money disappearing at all levels into the giant black hole of bureaucratic process, what does it really matter? It's a zero sum proposition.

Re:Makes sense.

[CastrTroy]

This is why I hate the Android model of updates. I don't have to wait for HP, Dell, Lenovo, and others for my desktop to get updated. There's no reason I should have to wait on Samsung, LG, HTC, or even worse AT&T or Verizon to get an update for my phone. If my phone is running Android OS, then I should be able to get updates straight from Google. I like Android in every other aspect except their update strategy. I am due for a new phone soon, and I really don't want to get screwed over (again) with a phone that doesn't get a single OS update after I buy it. I'm kind of leaning towards Windows Phone at this point. I could consider iOS, but their phones are much too expensive for my tastes.

Re:Makes sense.

[c]

In this regards, I think both Android and iOS are sorely lacking.

With Android at least there may be other providers for updates. It still sucks, but I'll take "sucks but possible" over "sucks and go fuck yourself" any day.

Re:Makes sense.

[aztracker1]

The issue is that the platform doesn't have a common boot, and initialization system... also, said devices are often packaged with only the drivers for that device, specifically compiled for that version of the OS... now that things are maturing, Google should come out with some common driver interfaces so binary drivers can work across platform versions. This would make sense as Google is breaking portions of the OS into upgradable units.

Re:Makes sense.

[peppepz]

But Google continuously updates Google Play Services on my phone without me even noticing, let alone the carrier or the device manufacturer approve and test the changes.

In the same way, they could update the WebView as well (hadn't they put it into a read-only file system, digitally signed by the device manufacturer). It's a userspace component with no implications on the phone service or the radio baseband.

In fact, IIRC the WebView can be updated through the market in the newer versions of Android.

Re: Makes sense.

[twitnutttt]

But at least there is the *possibility* of getting a patch if Google makes one. Without that, no chance!
That Google would unannouncedly end-of-life (EOL) a product with the majority of its Android market share makes me so mad!!

Re:Makes sense.

[aristotle-dude]

Google doesn't make the version of Android that goes out on e.g. Samsung phones. Google can patch 4.3 ll they want, but it's up to Samsung to take the patch, implement it, test it on all their devices, then get blessing from the various carriers to send it out. Given there's still people out there with S3s (and probably S2s) there's no chance they're going to put the effort into it and instead tell people to get the shiny new S5.

Should not matter. If they are patching the core, the core should be available for updating by google directly by alerting the user of a needed patch. The customization should not be touching the core of the OS.

Re:Makes sense.

MS supported bug fixes for XP for TWELVE years. Google has barely supported 18 months. There is absolutely no comparison. Use you're head and stop blindly worshiping Google and hating MS. I know it's hard to not be a complete idiot, but give it your best,.

Re:Makes sense.

[Enry]

That's what changed in 4.4. In 4.3 it was part of the OS is my understanding and required a new OS install.

Re: Makes sense.

[c]

This is a hit job from a shitty windows enthusiast website (neowin.net).

Do not click any links!

Relax. This is slashdot. Almost nobody reads the source article unless they need to grab a quote in order to prove a point.

Re:Makes sense.

[tlhIngan]

930 million phones might be enough. Now we just need someone to write a worm that uses this to get noticed by taking
down the cellular network for a few days and then maybe someone will get smart enough to require phone manufacturers
to push updates for a reasonable amount of time (say 5 years after they stop selling the phone).
I've seen phones stop receiving updates before their 2 year contract is even up. This should be breach of contract.

Well, technically, phones never got software updates - updates are a relatively new thing.

And really, the reason Google doesn't push OEMs to force software updates is because of AOSP. Samsung's a big offender, releasing anywhere from 2-3 new smartphones a week in 2014 (seriously, they released over 100 new phones last year), and over 1 tablet a week (yes, over 50 brand new tablets).

Granted, Samsung has more developers than Apple, Google and Microsoft combined, but you can bet terms like this would be the one that just moves OEMs to AOSP and undo all the work Google did. Hell, Samsung has replacement apps for every one of Google's (they're the only OEM to do so), so they're not dependent on Google's apps to sell phones.

And no, it's no surprise Samsung is also the largest Android manufacturer out there with a huge market share.

Re:Makes sense.

This sudden attempt by Google supporters to shift the responsibility is the lamest fucking excuse I've ever seen. Microsoft has supported XP FAR longer than Google has supported... well, anything. I also especially like how suddenly it's not Google's fault for NOT thinking ahead and making it possible to deploy security updates to their OS like certain other phone vendors did BEFORE Google made their competing OS.

Seriously, for all the bluster here that "it's not Google's fault!" this is 100% Google's fault. It's their security vulnerability, their inability to update many of the devices easily, and their desire to stop supporting something less than 3 years after it was made, despite it still being fully-functional. Since when has the geek crowd become so pathetic that we've bought into the planned obsolesce phase whole-heartedly, and started making excuses for the biggest tech firms on Earth?

Re: Makes sense.

It is googles.fault for losing control of their OS to the point that they can't push core OS security patches. Who cares if they have moved to a diff version? When 60% of your user base has the old version and there are known security holes then you should patch them

Re:Makes sense.

[macs4all]

So, Google should update the older software, and then the users phones still wouldn't get patched because it actually has to be done by the manufacturers, and then approved by the service provider, neither of which want you to still be using your old phone.

As to Apple, well, they just make sure that all your devices have the newest version of iOS, which will always run like crap on the older phones, driving those upgrades to the new phones that come out a month after the upgrade...

Want your older version of iOS patched? Well all you have to do is upgrade to the latest version and kill your phone's performance. Don't want to do that, then Apple will gladly tell you that they don't support the older software anymore.

As I have said in another post to this article, Google could easily change their distribution model for Android to re-capture sole control over its Distribution, like Apple. But they won't; because they simply don't care; nor do they want to be bothered with testing a zillion different platforms.

And contrary to your tired, Fandroid meme, Apple does not "push" iOS updates to anyone; let alone do so for the purpose of "obsoleting" older models. First off, at this point, regardless of the hardware or software platform, anyone with a piece of equipment that is one the bottom-end of the "Upgrade-able" list who then jumps on an OS Update the very first day, sort of deserves what they get; and second, Apple occasionally releases an OS update that inadvertently degrades the performance of older hardware; but they also have a good track record, like with the recent iOS 8.1.1 update, of releasing further patches specifically designed to address those performance issues.

So no, the two situations are in no way equivalent..

Re:Makes sense.

[Immerman]

According to http://en.wikipedia.org/wiki/A... Android 4.3 is only responsible for 6.5% of devices, with 4.1 and 4.2 combined being responsible for 39.5% and 4.4 for 39.1%.

Of course that's based on a survey of devices that accessed the Google Play store during the first week of this year, so may not be entirely accurate. Still, it seems likely that 4.3 is a bit player, even if new devices are still available with it. I'd love to see Google backporting fixes, but I can understand it being a low priority. Besides which I'm willing to bet that precious few new devices are running *Google* Android, which means not only would Google have to backport the fixes, they'd also need to convince downstream distributors to port the fixes into their cut-rate custom Androd distros - which seems like an uphill battle. And it's not like the various distros couldn't.

Does any of that excuse Google, or the other Android distros? Of course not. But by this point perhaps I'm just so jaded about the customer-abusive behaviors of the various manufacturers that it doesn't surprise me at all. If you have good support, then you have probably already upgraded to 4.4.x. If not - well then you probably had the option to do due-diligence before your purchase and realize you were going to be screwed on updates anyway.

Re: Makes sense.

But they didn't. The summary is wrong (plain lying in the hope nobody checks). Its actually a tiny 6.5%.

Re:Makes sense.

[NatasRevol]

Guess what?

Same problem.

http://en.wikipedia.org/wiki/G...

"Google has stated that the Galaxy Nexus will not receive Android 4.4 KitKat,[42] even after having 14,000 signatures requesting it."

Re:Makes sense.

[EvilSS]

If my phone is running Android OS, then I should be able to get updates straight from Google.

If that's what you want, then BUY A PHONE FROM GOOGLE.

You mean like my Google Galaxy Nexus that is stuck at 4.3 because Google abandoned it after 18 months, and therefore won't be getting this exploit patched?

Re: Makes sense.

[Rich0]

I had a G1 and that definitely quit receiving updates before the 2year contract ended.

The G1 and ADP stopped receiving updates before they even stopped selling them. They didn't even get Eclair (officially), despite the ADP being the official Google developer phone up until the Nexus One came out. Fortunately none of the Nexus devices suffered that fate, though many were only supported for 1.5 years.

Re: Makes sense.

[danbob999]

The patch exists. It's called Android 4.4.

Re:Makes sense.

[unixisc]

I thought that that changed in 5.0 - Lollipop - the thing people were creaming here on /. a few days ago

Re: Makes sense.

[AuMatar]

Which has very significant changes to how external storage, SMS, and several other features are handled that break a significant number of applications. 4.4 was not a minor release.

Re: Makes sense.

[Solandri]

That was my impression too just from reading the summary title. Google only "threw Microsoft under the bus" if Microsoft was standing in the middle of the street, Google told them for 3 months that they were standing in the middle of the street and they should get back on the sidewalk, then on the 91st day they told the public that hey this guy is standing in the middle of the street please try to drive around him, then a bus came and hit him and you somehow consider it to be Google's fault.

Re: Makes sense.

Google can't patch most Android phones at the OS level., other than Nexus. Putting cyanogen to one side, anything else either needs the phone manufacturer, or the manufacturer & the carrier.

The vast majority of Android phones sold are sold via carriers , at subsidized pricing, and come with a carrier specific build of the phone vendors Android distribution. The phone vendor can't patch these devices on their own, the carrier needs to be involved.

That's why it takes so long for Android patches to actually get onto phones via these channels - Google might fix something, but the rest of the process could take 6-18 months from when Google ships, if it ever happens.

Re: Makes sense.

[RavenLrD20k]

Ok..so who made the phone? Samsung? LG? HTC? Or were you lucky enough to get a Google Nexus device?

Who sold it to you? Verizon? T-Mobile? AT&T? Sprint?

Oh..did you go to a box retailer to get your phone like RadioShack, BestBuy, or Walmart? Guess what, you still bought your phone from Verizon, T-Mobile, AT&T or Sprint (US centric). The box retailers only get authorization to sell the devices from the Carriers and beyond a "service plan" for replacing the phone when it's broken, have no obligation for OS support. If a box store sells a phone in a manner against the contract agreement the store has with the carrier, even if the end purchaser keeps the phone and maintains good standing on contract he signed in the store, the carrier will bill the store for the full price of the phone that was sold "improperly" and a negation of whatever subsidies the Carrier promised the store for said phone/activation in a procedure called "Charge-backs." I know that at least with Sprint, these Charge-Backs will occur if the end purchaser winds up canceling his contract within 6 months.

The Carriers get and give authorization from/for the device manufacturers to build phones for them (it's a contract negotiation back and forth). Google pushes out an update to the Manufacturers who have to make the drivers for the update to work with their hardware, then the Manufacturers submit the updated OS to the Carrier, and from there it's up to the Carriers to decide (historically: ignore) whether or not the update gets pushed to the end devices.

At least this is how it was until KitKat (4.4). With KitKat Google took back a significant amount of control over how OS updates get pushed out by putting most of the core OS functionality into the GooglePlayServices.apk. Now the only time Google needs to submit an update to a carrier is if there's a major patch issue that needs to be addressed between the operating system and the hardware. All other operating system and security upgrades are pushed through the Play Store from here on, bypassing the Manufacturer and Carrier update process altogether. They did this simply because Fragmentation was becoming such a big problem and Google wanted to get a handle on it. Knowing this...why would Google want to try to push an update out to an OS that they have so little control over compared to the current versions, especially considering that it's more than likely the update wouldn't even be pushed out to the end devices? Fortunately or Unfortunately, the other side of this is that KitKat has become the rut for Google that XP was for Microsoft, and it may be a couple OS versions still before people move from KitKat to the new shiny.

Re: Makes sense.

[unixisc]

That's b'cos the architecture of the 2 are completely different. Windows Phone 7.x is based on Windows CE, while 8.x is based on Windows NT. So one can't expect to upgrade from a Windows Phone 7 to a Windows Phone 8 on the same phone.

Re:Makes sense.

[Grishnakh]

I've been wondering when people would start to take notice of this problem with Android. There is no general policy of security backports on it at all.

If you want to see big companies taking linux seriously vendors need to start matching Windows support timelines.

Wrong.

Android is not Linux. Android being mismanaged has nothing to do with Linux versions such as Red Hat, Ubuntu, Arch, Debian, etc.

Anyway, no one really cares that much about desktop and server Linux distros having support for that long because it's easy to simply update the OS to a newer version periodically: it doesn't cost anything, and it doesn't usually break anything either (unlike Windows where changing from, say, XP to 7 will break all kinds of things because there's so many fundamental changes in the OS).

Don't be Evil

Or if you do, divert attention by saying Microsoft did it first

Doesn't really matter if they do patch it

[oobayly]

Even if Google were to patch 4.3, it's unlikely that it would ever hit anyone's device as the manufacturers are so shit at pushing out updates. Not that this is a defence for not patching it - Jelly Bean was only released 2.5 years ago.

And it's not just some manufacturers, Google is just as guilty - my [2013] Nexus 7 asked me whether I wanted to upgrade to Lollipop, I was busy at the time, so I hit no. Now I can't get the thing see that there *is* a new version - 5.0.2 was released 3 weeks ago, and it still says "Your system is up to date". Like fuck it is.

Re:Doesn't really matter if they do patch it

[ZosX]

As an unhappy lollipop user on a 2013 nexus 7 all I can say is don't bother. My free ram has dropped from 1gb to 400mb. I can't even keep two tabs of chrome in ram now. I'm seriously considering downgrading unless google gets this release right. Furthermore we are up to version 5 of android and there is still no way to push security updates? That's a pretty serious fail IMO. Google might want to rethink that strategy before it seriously burns them in the long run.

Re:Doesn't really matter if they do patch it

[tobiasly]

Furthermore we are up to version 5 of android and there is still no way to push security updates? That's a pretty serious fail IMO. Google might want to rethink that strategy before it seriously burns them in the long run.

They have rethought that strategy, and the solution is Google Play Services. All of the critical functionality has been moved there, which they can update via the Google Play store. Most of the individual apps have moved to independently-updatable Google Play apps as well. The WebKit based library discussed here has been replaced by a Chrome-based version, which also receives regular updates.

And yes, all devices Gingerbread (2.3) and above get these updates. The problem is that the WebView is one of the remaining pieces that was still tied directly to the OS in those earlier versions, so it can't be updated directly.

I'm not excusing Google for not fixing it here, but saying that version 5 still has no way to push security updates directly is incorrect.

Google's official support policy

1- You can go buy a new Android phone; or
2- You can go fuck yourself.

They gave MS 90 days

I don't believe for a moment that MS were working flat-out on the patch for 90 days - it's more likely that they left it until the last minute, and then assumed that Google would make a special exception for them.

Sorry Microsoft, the deadline is the same for everyone.

Google doesn't support old versions?

[nine-times]

Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases.

To me, this only really seems like a valid position if vendors allowed people to upgrade at will, but as far as I know, Android users are still held to whichever version their carrier/manufacturer allow. June 2012 is only 2.5 years ago, which means (I'm guessing) that it's possible you purchased a phone less than 2 years ago that had this version of the OS. That means, you could have purchased your phone brand new, it might still be under contract, and it's unsupported.

Now, if you're free to install the latest version on your phone, then it seems much more reasonable.

Android is not Chrome.

[pla]

First, I consider myself a fan of the Googlesphere. I love Android, love Chrome, love GMail, enjoy the availability of their online Apps, and so on. (Hate hate hate Google+, though).

And saying that - Google needs to come to terms with the fact that they can't get away with the same bullshit update cycle for an OS installed on physical hardware, as they do with Chrome. For a desktop browser, weekly updates with support ending more-or-less after a year counts as an annoyance, but not a deal-killer. For an OS, just "no". My last phone lasted a decade - Support your devices (at least for critical vulnerability patches) for at least that long, or GTFO of the playground.

The truth of the matter

[JonathanP.Bennett]

The original article doesn't give any details as to what this "exploit" is in android. Even if it is a real exploit, no new phones will be made with Android 4.3, and at this point, no manufacturer would push an update to an old device even if Google did fix it. As to Google throwing Microsoft under the bus, that is utter crap. Google privately disclosed a vulnerability to MS, and *TOLD THEM* they had 90 days. After 90 days, Google publicly released the vulnerability. This is standard stuff. Giving a deadline is the only way to keep vulnerabilities out of the NSA toolkit and force MS to actually fix it.

Re:The truth of the matter

[Angua]

Google made the 90 day deadline up, sure. But they are enforcing it, which I think is pretty cool. MS wanted them to wait two days. TWO DAYS. Which says to me they were testing the waters. No way those two days were actually crucial for MS. If you can finish the job in 92 days, you can finish it in 90 days (especially when you have the resources MS has). They were simply finding out if Google would bend their 90 day rule. Next time, it would be a week. The time after, it would be a month. Until they could and would just ignore it. Since Google stuck to their guns, MS has to resort to the tactic of making Google out to be the bad guy. Which, to be fair, they kind of are. MS doesn't like to be bossed around any more than anyone else. But to me, this is the type of pressure which is on the whole beneficial to the users in the long run.

Re:Microsoft over Google any day.

[Impy+the+Impiuos+Imp]

Microsoft learned to placate government officials by donating to them. They sought power so they could gin up memes like "anti-competitive behavior" and sic true believers AKA their meme enforcement cogs, until the politicians git paid to get back out of the way.

Now, having placated the US federal government, most state governments, and most individual EU countries, they must now focus on placating the EU parliament AKA European Federal Government, whose politicians now are wondering why they, too, can't get a piece of the pie.

930 MILLION devices vulnerable

[scottbomb]

It would seem to me that they have a responsibility to support the versions that are in use by the majority of their customers. This whole idea that 2.5-year-old software is "ancient" is a load of BS. Imagine the outcry if Microsoft quit supporting each version of Windows after such a short time.

Android support is a long term Clusterfuck

[Virtucon]

I write software for Android and what bothers me is that there's always this push for latest and greatest while we still have a significant number of devices getting left out in the cold because they're 2 or more years old. Android is a three legged stool, Google, Device Manufacturers and Carriers and all three have to get their shit together on patch management and routine updates to the devices. All of them share equally in this problem yet they just seem to be aligned to always force you to buy a new device to get what most would be consider reasonable software support. That's bullshit. Sure Google, we get it you want everybody to be on the latest and greatest and yes there are features that can't be supported with every new release however there's that sticky little thing called time to market and while you may come out with a new release, the uptake by your licensed manufacturers isn't that fast. 4.3 didn't become available widely in devices until late 2012 which is just in time for Christmas so that makes 4.3 only 2 years old basically in terms of market exposure. That's young for a smart phone. I also get it if HTC or Samsung or Vendor X out there don't want to support software in order to entice you to buy a new device, but at $600 to $800 for a high end smart phone you're not going to see the majority of your customers buy a new one every year just to keep up with the latest version of Android. That's born out by the 1 Billion devices on 4.3 which is a pretty large market. Oh and to you carriers, your bloatware and other crap isn't helping either. If you're not willing to support it for at least the life expectancy of the device, which can be up to 5 years now, then get it off of there so you can at least improve your release time frequency so that your customers aren't left with insecure devices. Google needs to take the lead here and work with the downstream manufacturers and carriers to fix this shit because it's becoming a nuisance for the development community and for the end users.

False sense of security

[Dishwasha]

I'm sorry, but are people actually under the impression that their phones are secure?

No, it doesn't!!!

[unixisc]

Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.

The proper solution to this is for Google to be listed as a source for updates, in addition to the OEM and/or carrier. That way, people who are looking for updates can get it.

Not patching Android 4.3 is not a valid reason. Unlike Windows XP which was upgradable to Windows 7 and beyond (even if it required hardware upgrades), that's not so easily done w/ Android hardware. I have an Ellipsis w/ 4.2.2, which I'd love to upgrade to Kitkat or Lollipop, but can't. Nor can I upgrade the internals of that tablet (RAM, storage) so if Google suddenly says that they won't update the OS, I'm screwed. I know there is a big inertia in the market as a result of there being 3 potential sources of software - Google (or Microsoft in case of Windows Phones), the OEM and the carriers. But everybody tossing the ball to each other just leaves a sour experience for customers.

I know no organization wants to maintain 3 or more versions of anything. But that's not a valid reason to expect people to discard phones or tablets bought within the last 3 years. The tablet I'm describing is something I got last May, so I shouldn't have to discard it just b'cos its OS is not being patched and it can't run the latest version that is being patched!

I love a good Google hate thread...

[clonehappy]

...as much as the next guy. But honestly, are there still nerds in 2015 who don't understand how the Android model works? Think of Android as "Linux". Each manufacturer has their own distro of Android, and then there's the "reference" distro, made by Google, that is on Nexus devices called "Stock Android". All the distros are based on the "Stock Android" distro, and the manufacturers customize and add on from there.

So, blaming Google for a flaw in a previous version of Android is like blaming "Linux" for a security flaw in a previous version of Ubuntu. See how much sense that makes? All Ubuntu has to do is use a more recent kernel/library/whatever that doesn't contain the flaw and release an update or new version. The same thing goes for Android, all the handset manufacturers have to do is release an update that contains the fix, and their problems are solved. A current build of "Stock Android" already contains the fix, your manufacturer's outdated distro, however, doesn't.

There are plenty of things we can legitimately blame on Google, but blaming the flaws of handset manufacturers and cellular carriers on Google doesn't help anything. Put pressure on your carriers and manufacturers to stop dragging their feet and support their products beyond the next fiscal quarter or two!