Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw

An anonymous reader writes Last month, Google took the bold steps to release the details of a security vulnerability ahead of Microsoft. Microsoft responded and said that there was a patch in works which was set to be released two days after Google went live with the details. Microsoft accuses Google for refusing to wait an extra 48 hours so that the patch would have been released along with the details of the exploit. Now, let's see what is happening on the Google side of software development. Recently, an exploit has been uncovered in the WebView component of Android 4.3 — estimated to cover roughly 60% of Android install base — and Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases. It would appear that over 930 million Android phones in use are out of official Google security patch support.

Makes sense.

Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.

Re:Makes sense.

[MachineShedFred]

And somehow this is an acceptable situation?

"Too fucking bad buy a new phone" is not a proper response for a gaping security flaw. I hold Google accountable, as well as the handset manufacturers.

Re:Makes sense.

[Rich0]

I've been wondering when people would start to take notice of this problem with Android. There is no general policy of security backports on it at all. Phones can have security vulnerabilities like anything else - it is just a matter of time before we start seeing exploits.

They're doing a better job with ChromeOS, with a 5 year support pledge. Ironically that still isn't as good as Windows (10yrs from obsolescence vs 5yrs from introduction). If you want to see big companies taking linux seriously vendors need to start matching Windows support timelines. People like to joke about XP, but it was supported just a year ago and what was the latest version of your favorite Linux distro when XP first came out? Being secure without having to do major updates is a big selling point.

Re:Makes sense.

[ichthus]

I totally agree. Google could patch it, but it would then be up to the various manufacturers to push it out (Samsung, et al.) But, despite this, Google should still patch it, for PR's sake.

Re:Makes sense.

You forgot the carriers.

They're probably the worst offenders of all, as holding back an update means they can use "comes with the latest OS!!" as a selling point on their merchandise.

Re:Makes sense.

[sshir]

No, you simply didn't get the point. Google can't push the patch to those devices (unless they are from Nexus line). Samsung, LG, etc. must do the pushing. But they wont.

Re:Makes sense.

[gstoddart]

Not being able to patch an older system that could be patched, that makes sense to you?

I'll never understand the logic of Android fanboys. At this point I'll pick iOS and Windows over Android any time.

I'm sorry, but what?

I bought my first gen iPad within a month of launch. In less than 2.5 years it was unsupported on the latest version of iOS.

When I updated my latest gen iPod touch to iOS 8.x, I ran into problems, had a few apps stop working, and generally found myself underwhelmed.

Apple does the exact same shit, and don't pretend they don't.

Basically manufacturers expect us to pay for a new device every year or two, and then quickly decree them to be off support.

So WTF should we pay full price for something they're going to abandon in a relatively short period of time for?

Sorry, but no. If you want to charge me $700 for a device, I expect you to support it longer than two years. Otherwise, I'm not buying your shit any more, because you somehow think of me as a revolving cash supply.

In this regards, I think both Android and iOS are sorely lacking.

So, screw the lot of them. Want these devices to be disposable? Sell them to us at discounted prices instead of your inflated prices. Or if you're going to charge us that much money, support it MUCH longer.

Two years support for a brand new device? Hell no.

Re:Makes sense.

[fustakrakich]

for PR's sake.

They don't need that anymore. And maybe the manufactures prefer that Google doesn't patch it. It relieves them of all liability.

Re:Makes sense.

[ArcadeMan]

Would it be nice if Google could *FORCE* companies like AT&T, Verizon, T-Mobile and Sprint to upgrade the OS on the devices they sold? Hell yes, but that's not going to happen because then these big asshole companies wouldn't sell as much product if people got the latest features on aging handsets and tablets.

Works for iOS. Carriers cannot prevent the upgrade of devices that can be upgraded.

Re:Makes sense.

[ArcadeMan]

Apple wouldn't stop supporting devices that still count for 60% of their own statistics.

Re:Makes sense.

[Wycliffe]

I've been wondering when people would start to take notice of this problem with Android.

930 million phones might be enough. Now we just need someone to write a worm that uses this to get noticed by taking
down the cellular network for a few days and then maybe someone will get smart enough to require phone manufacturers
to push updates for a reasonable amount of time (say 5 years after they stop selling the phone).
I've seen phones stop receiving updates before their 2 year contract is even up. This should be breach of contract.

Re:Makes sense.

[c]

I hold Google accountable, as well as the handset manufacturers.

I believe Google's fix is called "Android 4.4" or "Android 5.x".

That the handset manufacturers can't seem to figure out how to get updates for older devices to newer versions of Android is the core of the problem. I mean, Cyanogenmod generally seems to be able to do it, largely using volunteer labour, so it can't be rocket science (for my handset, vendor support stopped around 4.1... there's a nightly 5.0 now available).

You could argue that Google should set an explicit support cutoff date for patches for older versions, but when the handset makers policy on end of life ranges from "until the average contract runs down" to "until the retail store's return period has passed", I'm not sure there's much point.

Re:Makes sense.

[MouseR]

My iPhone 4s is (release oct 2011) is still supported.

(Though I replaced it with a newer device, I still use it as an iTouch for various reasons).

Re:Makes sense.

[macs4all]

iOS isn't really any better when it comes to patching old devices. Once the poor, poor, tech company responsible for deploying the OS in the first place decides to stop supporting it, you're SOL.

Are you stoned, or just stupid?

In stark contrast to the carrier-controlled paridigm of Android software deployment, Apple maintains sole control over the updating and deployment of iOS (and OS X), and although they do eventually draw the line somewhere, it is always at a point that affects single-digit percentages of the User Base, not the majority of Users as is the case here.

Apple would be positively pilloried in these pages if they tried something even remotely as irresponsible and high-handed as Google is doing (or rather not doing) in this case.

Re:Makes sense.

[tysonedwards]

Technically, Google *did* fix the flaw, in later versions of Android. They just didn't backport said fix to 4.3.

However, as Manufacturers won't roll a new update off of said backport even if it did exist as they're incentivized to support phones that are under warranty and where possible sell new phones to customers, Carriers would drag their feet on approvals of said updates if they even authorized it at all as they're inclined to both avoid angry support calls from customers about "my phone is different" yet also sell new phones to get people under contract, money disappearing at all levels into the giant black hole of bureaucratic process, what does it really matter? It's a zero sum proposition.

Re:Makes sense.

[peppepz]

But Google continuously updates Google Play Services on my phone without me even noticing, let alone the carrier or the device manufacturer approve and test the changes.

In the same way, they could update the WebView as well (hadn't they put it into a read-only file system, digitally signed by the device manufacturer). It's a userspace component with no implications on the phone service or the radio baseband.

In fact, IIRC the WebView can be updated through the market in the newer versions of Android.

Re: Makes sense.

[twitnutttt]

But at least there is the *possibility* of getting a patch if Google makes one. Without that, no chance!
That Google would unannouncedly end-of-life (EOL) a product with the majority of its Android market share makes me so mad!!

Re:Makes sense.

MS supported bug fixes for XP for TWELVE years. Google has barely supported 18 months. There is absolutely no comparison. Use you're head and stop blindly worshiping Google and hating MS. I know it's hard to not be a complete idiot, but give it your best,.

Re:Makes sense.

[Enry]

That's what changed in 4.4. In 4.3 it was part of the OS is my understanding and required a new OS install.

Re: Makes sense.

[c]

This is a hit job from a shitty windows enthusiast website (neowin.net).

Do not click any links!

Relax. This is slashdot. Almost nobody reads the source article unless they need to grab a quote in order to prove a point.

Re:Makes sense.

This sudden attempt by Google supporters to shift the responsibility is the lamest fucking excuse I've ever seen. Microsoft has supported XP FAR longer than Google has supported... well, anything. I also especially like how suddenly it's not Google's fault for NOT thinking ahead and making it possible to deploy security updates to their OS like certain other phone vendors did BEFORE Google made their competing OS.

Seriously, for all the bluster here that "it's not Google's fault!" this is 100% Google's fault. It's their security vulnerability, their inability to update many of the devices easily, and their desire to stop supporting something less than 3 years after it was made, despite it still being fully-functional. Since when has the geek crowd become so pathetic that we've bought into the planned obsolesce phase whole-heartedly, and started making excuses for the biggest tech firms on Earth?

Re: Makes sense.

But they didn't. The summary is wrong (plain lying in the hope nobody checks). Its actually a tiny 6.5%.

Re:Makes sense.

[EvilSS]

If my phone is running Android OS, then I should be able to get updates straight from Google.

If that's what you want, then BUY A PHONE FROM GOOGLE.

You mean like my Google Galaxy Nexus that is stuck at 4.3 because Google abandoned it after 18 months, and therefore won't be getting this exploit patched?

Re: Makes sense.

[danbob999]

The patch exists. It's called Android 4.4.

Re: Makes sense.

[Solandri]

That was my impression too just from reading the summary title. Google only "threw Microsoft under the bus" if Microsoft was standing in the middle of the street, Google told them for 3 months that they were standing in the middle of the street and they should get back on the sidewalk, then on the 91st day they told the public that hey this guy is standing in the middle of the street please try to drive around him, then a bus came and hit him and you somehow consider it to be Google's fault.

Re: Makes sense.

Google can't patch most Android phones at the OS level., other than Nexus. Putting cyanogen to one side, anything else either needs the phone manufacturer, or the manufacturer & the carrier.

The vast majority of Android phones sold are sold via carriers , at subsidized pricing, and come with a carrier specific build of the phone vendors Android distribution. The phone vendor can't patch these devices on their own, the carrier needs to be involved.

That's why it takes so long for Android patches to actually get onto phones via these channels - Google might fix something, but the rest of the process could take 6-18 months from when Google ships, if it ever happens.

Re: Makes sense.

[RavenLrD20k]

Ok..so who made the phone? Samsung? LG? HTC? Or were you lucky enough to get a Google Nexus device?

Who sold it to you? Verizon? T-Mobile? AT&T? Sprint?

Oh..did you go to a box retailer to get your phone like RadioShack, BestBuy, or Walmart? Guess what, you still bought your phone from Verizon, T-Mobile, AT&T or Sprint (US centric). The box retailers only get authorization to sell the devices from the Carriers and beyond a "service plan" for replacing the phone when it's broken, have no obligation for OS support. If a box store sells a phone in a manner against the contract agreement the store has with the carrier, even if the end purchaser keeps the phone and maintains good standing on contract he signed in the store, the carrier will bill the store for the full price of the phone that was sold "improperly" and a negation of whatever subsidies the Carrier promised the store for said phone/activation in a procedure called "Charge-backs." I know that at least with Sprint, these Charge-Backs will occur if the end purchaser winds up canceling his contract within 6 months.

The Carriers get and give authorization from/for the device manufacturers to build phones for them (it's a contract negotiation back and forth). Google pushes out an update to the Manufacturers who have to make the drivers for the update to work with their hardware, then the Manufacturers submit the updated OS to the Carrier, and from there it's up to the Carriers to decide (historically: ignore) whether or not the update gets pushed to the end devices.

At least this is how it was until KitKat (4.4). With KitKat Google took back a significant amount of control over how OS updates get pushed out by putting most of the core OS functionality into the GooglePlayServices.apk. Now the only time Google needs to submit an update to a carrier is if there's a major patch issue that needs to be addressed between the operating system and the hardware. All other operating system and security upgrades are pushed through the Play Store from here on, bypassing the Manufacturer and Carrier update process altogether. They did this simply because Fragmentation was becoming such a big problem and Google wanted to get a handle on it. Knowing this...why would Google want to try to push an update out to an OS that they have so little control over compared to the current versions, especially considering that it's more than likely the update wouldn't even be pushed out to the end devices? Fortunately or Unfortunately, the other side of this is that KitKat has become the rut for Google that XP was for Microsoft, and it may be a couple OS versions still before people move from KitKat to the new shiny.

Don't be Evil

Or if you do, divert attention by saying Microsoft did it first

Google's official support policy

1- You can go buy a new Android phone; or
2- You can go fuck yourself.

They gave MS 90 days

I don't believe for a moment that MS were working flat-out on the patch for 90 days - it's more likely that they left it until the last minute, and then assumed that Google would make a special exception for them.

Sorry Microsoft, the deadline is the same for everyone.

Re:Doesn't really matter if they do patch it

[ZosX]

As an unhappy lollipop user on a 2013 nexus 7 all I can say is don't bother. My free ram has dropped from 1gb to 400mb. I can't even keep two tabs of chrome in ram now. I'm seriously considering downgrading unless google gets this release right. Furthermore we are up to version 5 of android and there is still no way to push security updates? That's a pretty serious fail IMO. Google might want to rethink that strategy before it seriously burns them in the long run.

Android is not Chrome.

[pla]

First, I consider myself a fan of the Googlesphere. I love Android, love Chrome, love GMail, enjoy the availability of their online Apps, and so on. (Hate hate hate Google+, though).

And saying that - Google needs to come to terms with the fact that they can't get away with the same bullshit update cycle for an OS installed on physical hardware, as they do with Chrome. For a desktop browser, weekly updates with support ending more-or-less after a year counts as an annoyance, but not a deal-killer. For an OS, just "no". My last phone lasted a decade - Support your devices (at least for critical vulnerability patches) for at least that long, or GTFO of the playground.

The truth of the matter

[JonathanP.Bennett]

The original article doesn't give any details as to what this "exploit" is in android. Even if it is a real exploit, no new phones will be made with Android 4.3, and at this point, no manufacturer would push an update to an old device even if Google did fix it. As to Google throwing Microsoft under the bus, that is utter crap. Google privately disclosed a vulnerability to MS, and *TOLD THEM* they had 90 days. After 90 days, Google publicly released the vulnerability. This is standard stuff. Giving a deadline is the only way to keep vulnerabilities out of the NSA toolkit and force MS to actually fix it.

Re:The truth of the matter

[Angua]

Google made the 90 day deadline up, sure. But they are enforcing it, which I think is pretty cool. MS wanted them to wait two days. TWO DAYS. Which says to me they were testing the waters. No way those two days were actually crucial for MS. If you can finish the job in 92 days, you can finish it in 90 days (especially when you have the resources MS has). They were simply finding out if Google would bend their 90 day rule. Next time, it would be a week. The time after, it would be a month. Until they could and would just ignore it. Since Google stuck to their guns, MS has to resort to the tactic of making Google out to be the bad guy. Which, to be fair, they kind of are. MS doesn't like to be bossed around any more than anyone else. But to me, this is the type of pressure which is on the whole beneficial to the users in the long run.

Re:Microsoft over Google any day.

[Impy+the+Impiuos+Imp]

Microsoft learned to placate government officials by donating to them. They sought power so they could gin up memes like "anti-competitive behavior" and sic true believers AKA their meme enforcement cogs, until the politicians git paid to get back out of the way.

Now, having placated the US federal government, most state governments, and most individual EU countries, they must now focus on placating the EU parliament AKA European Federal Government, whose politicians now are wondering why they, too, can't get a piece of the pie.

930 MILLION devices vulnerable

[scottbomb]

It would seem to me that they have a responsibility to support the versions that are in use by the majority of their customers. This whole idea that 2.5-year-old software is "ancient" is a load of BS. Imagine the outcry if Microsoft quit supporting each version of Windows after such a short time.

Re:Doesn't really matter if they do patch it

[tobiasly]

Furthermore we are up to version 5 of android and there is still no way to push security updates? That's a pretty serious fail IMO. Google might want to rethink that strategy before it seriously burns them in the long run.

They have rethought that strategy, and the solution is Google Play Services. All of the critical functionality has been moved there, which they can update via the Google Play store. Most of the individual apps have moved to independently-updatable Google Play apps as well. The WebKit based library discussed here has been replaced by a Chrome-based version, which also receives regular updates.

And yes, all devices Gingerbread (2.3) and above get these updates. The problem is that the WebView is one of the remaining pieces that was still tied directly to the OS in those earlier versions, so it can't be updated directly.

I'm not excusing Google for not fixing it here, but saying that version 5 still has no way to push security updates directly is incorrect.

False sense of security

[Dishwasha]

I'm sorry, but are people actually under the impression that their phones are secure?