Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw 629
An anonymous reader writes Last month, Google took the bold steps to release the details of a security vulnerability ahead of Microsoft. Microsoft responded and said that there was a patch in works which was set to be released two days after Google went live with the details. Microsoft accuses Google for refusing to wait an extra 48 hours so that the patch would have been released along with the details of the exploit. Now, let's see what is happening on the Google side of software development. Recently, an exploit has been uncovered in the WebView component of Android 4.3 — estimated to cover roughly 60% of Android install base — and Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases. It would appear that over 930 million Android phones in use are out of official Google security patch support.
Makes sense. (Score:5, Insightful)
Re:Makes sense. (Score:5, Insightful)
And somehow this is an acceptable situation?
"Too fucking bad buy a new phone" is not a proper response for a gaping security flaw. I hold Google accountable, as well as the handset manufacturers.
Re:Makes sense. (Score:5, Insightful)
I've been wondering when people would start to take notice of this problem with Android. There is no general policy of security backports on it at all. Phones can have security vulnerabilities like anything else - it is just a matter of time before we start seeing exploits.
They're doing a better job with ChromeOS, with a 5 year support pledge. Ironically that still isn't as good as Windows (10yrs from obsolescence vs 5yrs from introduction). If you want to see big companies taking linux seriously vendors need to start matching Windows support timelines. People like to joke about XP, but it was supported just a year ago and what was the latest version of your favorite Linux distro when XP first came out? Being secure without having to do major updates is a big selling point.
Re:Makes sense. (Score:5, Insightful)
I've been wondering when people would start to take notice of this problem with Android.
930 million phones might be enough. Now we just need someone to write a worm that uses this to get noticed by taking
down the cellular network for a few days and then maybe someone will get smart enough to require phone manufacturers
to push updates for a reasonable amount of time (say 5 years after they stop selling the phone).
I've seen phones stop receiving updates before their 2 year contract is even up. This should be breach of contract.
Re: Makes sense. (Score:3)
Re: Makes sense. (Score:4, Insightful)
I had a G1 and that definitely quit receiving updates before the 2year contract ended.
The G1 and ADP stopped receiving updates before they even stopped selling them. They didn't even get Eclair (officially), despite the ADP being the official Google developer phone up until the Nexus One came out. Fortunately none of the Nexus devices suffered that fate, though many were only supported for 1.5 years.
Re:Makes sense. (Score:4, Insightful)
Well, technically, phones never got software updates - updates are a relatively new thing.
And really, the reason Google doesn't push OEMs to force software updates is because of AOSP. Samsung's a big offender, releasing anywhere from 2-3 new smartphones a week in 2014 (seriously, they released over 100 new phones last year), and over 1 tablet a week (yes, over 50 brand new tablets).
Granted, Samsung has more developers than Apple, Google and Microsoft combined, but you can bet terms like this would be the one that just moves OEMs to AOSP and undo all the work Google did. Hell, Samsung has replacement apps for every one of Google's (they're the only OEM to do so), so they're not dependent on Google's apps to sell phones.
And no, it's no surprise Samsung is also the largest Android manufacturer out there with a huge market share.
Re: (Score:3, Insightful)
If you want to see big companies taking linux seriously vendors need to start matching Windows support timelines. People like to joke about XP, but it was supported just a year ago and what was the latest version of your favorite Linux distro when XP first came out? Being secure without having to do major updates is a big selling point.
AFAIK, there's no point in "buying" Linux, however, you may buy a support subscription, which can be renewed indefinitely. Upgrading the system is free.
Re:Makes sense. (Score:4, Insightful)
I've been wondering when people would start to take notice of this problem with Android. There is no general policy of security backports on it at all.
If you want to see big companies taking linux seriously vendors need to start matching Windows support timelines.
Wrong.
Android is not Linux. Android being mismanaged has nothing to do with Linux versions such as Red Hat, Ubuntu, Arch, Debian, etc.
Anyway, no one really cares that much about desktop and server Linux distros having support for that long because it's easy to simply update the OS to a newer version periodically: it doesn't cost anything, and it doesn't usually break anything either (unlike Windows where changing from, say, XP to 7 will break all kinds of things because there's so many fundamental changes in the OS).
Re: (Score:3)
Thing is... Windows XP's lifespan wasn't short. It was unnaturally long for any OS that doesn't run on IBM big iron. It was absurdly long even my Microsoft's own development cycle.
Just look at what came right before XP from Microsoft. In the same 13 years that XP was around; everyone would previously have gone from Windows 3.1, to 95, to 95 OSR2, to 98, to 98 SE, to NT 4, to 2000, to ME, and then to XP. And even that's actually skipping a few versions that were especially craptacular or never really esc
Re:Makes sense. (Score:5, Insightful)
You forgot the carriers.
They're probably the worst offenders of all, as holding back an update means they can use "comes with the latest OS!!" as a selling point on their merchandise.
Re:Makes sense. (Score:4, Informative)
Google can't push out updates to the handsets. The carriers by law mandated that only they can update and test the devices. You as a citizen and owner of the device cannot do this yourself either. But sure Google is at fault.
Re:Makes sense. (Score:5, Interesting)
In the same way, they could update the WebView as well (hadn't they put it into a read-only file system, digitally signed by the device manufacturer). It's a userspace component with no implications on the phone service or the radio baseband.
In fact, IIRC the WebView can be updated through the market in the newer versions of Android.
Re:Makes sense. (Score:5, Insightful)
I believe Google's fix is called "Android 4.4" or "Android 5.x".
That the handset manufacturers can't seem to figure out how to get updates for older devices to newer versions of Android is the core of the problem. I mean, Cyanogenmod generally seems to be able to do it, largely using volunteer labour, so it can't be rocket science (for my handset, vendor support stopped around 4.1... there's a nightly 5.0 now available).
You could argue that Google should set an explicit support cutoff date for patches for older versions, but when the handset makers policy on end of life ranges from "until the average contract runs down" to "until the retail store's return period has passed", I'm not sure there's much point.
Re: (Score:3)
Google wants market share. And they have it.
Re:Makes sense. (Score:5, Insightful)
Re:Makes sense. (Score:4, Insightful)
for PR's sake.
They don't need that anymore. And maybe the manufactures prefer that Google doesn't patch it. It relieves them of all liability.
Re: (Score:3)
Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.
Hindsight is 20/20 but they could have copied the idea from Apple where a process would periodically check for vulnerabilities in the background. They could patch the vulnerable component through a google updater on the phone. I don't think most vulnerabilities would require a new ROM for the phone.
No, it doesn't!!! (Score:4, Informative)
Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.
The proper solution to this is for Google to be listed as a source for updates, in addition to the OEM and/or carrier. That way, people who are looking for updates can get it.
Not patching Android 4.3 is not a valid reason. Unlike Windows XP which was upgradable to Windows 7 and beyond (even if it required hardware upgrades), that's not so easily done w/ Android hardware. I have an Ellipsis w/ 4.2.2, which I'd love to upgrade to Kitkat or Lollipop, but can't. Nor can I upgrade the internals of that tablet (RAM, storage) so if Google suddenly says that they won't update the OS, I'm screwed. I know there is a big inertia in the market as a result of there being 3 potential sources of software - Google (or Microsoft in case of Windows Phones), the OEM and the carriers. But everybody tossing the ball to each other just leaves a sour experience for customers.
I know no organization wants to maintain 3 or more versions of anything. But that's not a valid reason to expect people to discard phones or tablets bought within the last 3 years. The tablet I'm describing is something I got last May, so I shouldn't have to discard it just b'cos its OS is not being patched and it can't run the latest version that is being patched!
Re: (Score:3, Informative)
This is a hit job from a shitty windows enthusiast website (neowin.net).
Do not click any links!
Re: Makes sense. (Score:5, Funny)
Relax. This is slashdot. Almost nobody reads the source article unless they need to grab a quote in order to prove a point.
Re: Makes sense. (Score:5, Insightful)
Re: Makes sense. (Score:4, Insightful)
Re: Makes sense. (Score:4, Insightful)
But at least there is the *possibility* of getting a patch if Google makes one. Without that, no chance!
That Google would unannouncedly end-of-life (EOL) a product with the majority of its Android market share makes me so mad!!
Re: Makes sense. (Score:4, Interesting)
But they didn't. The summary is wrong (plain lying in the hope nobody checks). Its actually a tiny 6.5%.
Re: (Score:3, Informative)
Check your math. The flaw exists in Android 4.3 and older. 4.4 has 39.1% share, and whatever version number version L is has 0.1%. The remainder is 4.3 and older.
Re: Makes sense. (Score:4, Insightful)
Re: Makes sense. (Score:4, Informative)
Which has very significant changes to how external storage, SMS, and several other features are handled that break a significant number of applications. 4.4 was not a minor release.
Re: Makes sense. (Score:4, Informative)
Google can't patch most Android phones at the OS level., other than Nexus. Putting cyanogen to one side, anything else either needs the phone manufacturer, or the manufacturer & the carrier.
The vast majority of Android phones sold are sold via carriers , at subsidized pricing, and come with a carrier specific build of the phone vendors Android distribution. The phone vendor can't patch these devices on their own, the carrier needs to be involved.
That's why it takes so long for Android patches to actually get onto phones via these channels - Google might fix something, but the rest of the process could take 6-18 months from when Google ships, if it ever happens.
Re: (Score:3)
Well sort of both actually,
The people who made the phone need to make the updates, the carrier needs to push the update out on it's network for the phones.
In super rare cases you can download the update yourself and install it, but most of the time if your carrier doesn't push out the update your stuck.
Cynogen mod and other things like it are more likely to do updates for your device depending on what it is.
http://www.cyanogenmod.org/ [cyanogenmod.org]
Re: Makes sense. (Score:5, Informative)
Ok..so who made the phone? Samsung? LG? HTC? Or were you lucky enough to get a Google Nexus device?
Who sold it to you? Verizon? T-Mobile? AT&T? Sprint?
Oh..did you go to a box retailer to get your phone like RadioShack, BestBuy, or Walmart? Guess what, you still bought your phone from Verizon, T-Mobile, AT&T or Sprint (US centric). The box retailers only get authorization to sell the devices from the Carriers and beyond a "service plan" for replacing the phone when it's broken, have no obligation for OS support. If a box store sells a phone in a manner against the contract agreement the store has with the carrier, even if the end purchaser keeps the phone and maintains good standing on contract he signed in the store, the carrier will bill the store for the full price of the phone that was sold "improperly" and a negation of whatever subsidies the Carrier promised the store for said phone/activation in a procedure called "Charge-backs." I know that at least with Sprint, these Charge-Backs will occur if the end purchaser winds up canceling his contract within 6 months.
The Carriers get and give authorization from/for the device manufacturers to build phones for them (it's a contract negotiation back and forth). Google pushes out an update to the Manufacturers who have to make the drivers for the update to work with their hardware, then the Manufacturers submit the updated OS to the Carrier, and from there it's up to the Carriers to decide (historically: ignore) whether or not the update gets pushed to the end devices.
At least this is how it was until KitKat (4.4). With KitKat Google took back a significant amount of control over how OS updates get pushed out by putting most of the core OS functionality into the GooglePlayServices.apk. Now the only time Google needs to submit an update to a carrier is if there's a major patch issue that needs to be addressed between the operating system and the hardware. All other operating system and security upgrades are pushed through the Play Store from here on, bypassing the Manufacturer and Carrier update process altogether. They did this simply because Fragmentation was becoming such a big problem and Google wanted to get a handle on it. Knowing this...why would Google want to try to push an update out to an OS that they have so little control over compared to the current versions, especially considering that it's more than likely the update wouldn't even be pushed out to the end devices? Fortunately or Unfortunately, the other side of this is that KitKat has become the rut for Google that XP was for Microsoft, and it may be a couple OS versions still before people move from KitKat to the new shiny.
Re:Makes sense. (Score:5, Informative)
Re: (Score:3)
Re: (Score:3)
Something isn't right here. Google can and does patch older versions of Android via the Play store app, which can patch the system. They can and have pushed patches to fix issues in this component before via that mechanism, and the original source (https://community.rapid7.com/community/metasploit/blog/2015/01/11/google-no-longer-provides-patches-for-webview-jelly-bean-and-prior) even mentions this.
What isn't mentioned is the nature of this exploit. Is it actually something that can 0wn your phone via a dri
Re: (Score:3)
Something isn't right here. Google can and does patch older versions of Android via the Play store app, which can patch the system.
That only can patch APIs, not anything in the kernel. The only thing not right here is your Fandroidish "Google can do no wrong".
Re:Makes sense. (Score:4, Insightful)
Re:Makes sense. (Score:4, Interesting)
The issue is that the platform doesn't have a common boot, and initialization system... also, said devices are often packaged with only the drivers for that device, specifically compiled for that version of the OS... now that things are maturing, Google should come out with some common driver interfaces so binary drivers can work across platform versions. This would make sense as Google is breaking portions of the OS into upgradable units.
Re: (Score:3, Insightful)
If my phone is running Android OS, then I should be able to get updates straight from Google.
If that's what you want, then BUY A PHONE FROM GOOGLE.
Otherwise, you're expecting Google to provide the development and support for hardware they didn't sell. Your money goes to company X, but you expect Google to do the work? That's not how any economic system works. You made an exchange of money for goods with company X. Warranty, support, etc is their responsibility. They're the one that you're paying.
Re:Makes sense. (Score:4, Informative)
Guess what?
Same problem.
http://en.wikipedia.org/wiki/G... [wikipedia.org]
"Google has stated that the Galaxy Nexus will not receive Android 4.4 KitKat,[42] even after having 14,000 signatures requesting it."
Re:Makes sense. (Score:5, Informative)
If my phone is running Android OS, then I should be able to get updates straight from Google.
If that's what you want, then BUY A PHONE FROM GOOGLE.
You mean like my Google Galaxy Nexus that is stuck at 4.3 because Google abandoned it after 18 months, and therefore won't be getting this exploit patched?
Re: (Score:3)
...in an outdated unsupported version.
Re:Makes sense. (Score:4, Insightful)
... that still accounts for 60% of Android devices.
Re: (Score:3, Insightful)
Not googles fault that device makers are too damned lazy to compile and deliver updated OS images to it's customers.
When is Microsoft going to patch those flaws in Windows XP!
Re:Makes sense. (Score:5, Insightful)
MS supported bug fixes for XP for TWELVE years. Google has barely supported 18 months. There is absolutely no comparison. Use you're head and stop blindly worshiping Google and hating MS. I know it's hard to not be a complete idiot, but give it your best,.
Re:Makes sense. (Score:5, Insightful)
This sudden attempt by Google supporters to shift the responsibility is the lamest fucking excuse I've ever seen. Microsoft has supported XP FAR longer than Google has supported... well, anything. I also especially like how suddenly it's not Google's fault for NOT thinking ahead and making it possible to deploy security updates to their OS like certain other phone vendors did BEFORE Google made their competing OS.
Seriously, for all the bluster here that "it's not Google's fault!" this is 100% Google's fault. It's their security vulnerability, their inability to update many of the devices easily, and their desire to stop supporting something less than 3 years after it was made, despite it still being fully-functional. Since when has the geek crowd become so pathetic that we've bought into the planned obsolesce phase whole-heartedly, and started making excuses for the biggest tech firms on Earth?
Re: (Score:3)
Except, now Google has run into the same issues Microsoft ran into with Windows, namely now they have to either a) support a million different hardware co
Re: (Score:3)
But you cannot update the OS via the play store - one has to go into settings and go from there. So while they may have a newer version of the OS, fact remains that phones or tablets w/ the previous version cannot be upgraded to the new one, unless one is technical enough to know how to root the device and go from there. It's true that they've supposedly improved things in Lollipop, but for now, people on Honeycomb, Icecream Sandwich or Jellybean are SOL. There should be a way to get it from Google even
Re: Makes sense. (Score:3, Insightful)
It is googles.fault for losing control of their OS to the point that they can't push core OS security patches. Who cares if they have moved to a diff version? When 60% of your user base has the old version and there are known security holes then you should patch them
Re: (Score:3)
When is Microsoft going to patch those flaws in Windows XP!
Hmm, Windows XP is over 13 years old and has been end of support for 5 years, and still released a security patch 7 months ago.
Android 4.3 was released 2 years ago. So the EOS was when? A few months after it was released?
Not that Windows XP and Android are great comparisons, but your jab does not exactly help Google's case. A better example would have been Apple iPhone 1 vs Android 4.3, but even Apple supported the first iPhone for 3 years before ending support.
Re: (Score:3)
Android 4.3 is on 6.5% [android.com] of android devices.
Re: (Score:3)
Google doesn't need to fix it. There's Android developers at Samsung, LG, etc. that can fix it as well. There's no interest at any level to fix an old bug like that.
Re:Makes sense. (Score:5, Insightful)
However, as Manufacturers won't roll a new update off of said backport even if it did exist as they're incentivized to support phones that are under warranty and where possible sell new phones to customers, Carriers would drag their feet on approvals of said updates if they even authorized it at all as they're inclined to both avoid angry support calls from customers about "my phone is different" yet also sell new phones to get people under contract, money disappearing at all levels into the giant black hole of bureaucratic process, what does it really matter? It's a zero sum proposition.
Re: (Score:3, Informative)
There's already a free fix.. Android 4.4.*, 5.0, 5.0.1 ...
Re: (Score:3, Insightful)
Good answer for the (hundreds of?) millions of phones that can't be updated; the genius of putting carriers in control of the OS & updates.
Re: (Score:3)
What percentage of Nexus devices are running 4.3 and can't be upgraded to 4.4 or later to get the fix?
Re:Makes sense. (Score:5, Insightful)
I'm sorry, but what?
I bought my first gen iPad within a month of launch. In less than 2.5 years it was unsupported on the latest version of iOS.
When I updated my latest gen iPod touch to iOS 8.x, I ran into problems, had a few apps stop working, and generally found myself underwhelmed.
Apple does the exact same shit, and don't pretend they don't.
Basically manufacturers expect us to pay for a new device every year or two, and then quickly decree them to be off support.
So WTF should we pay full price for something they're going to abandon in a relatively short period of time for?
Sorry, but no. If you want to charge me $700 for a device, I expect you to support it longer than two years. Otherwise, I'm not buying your shit any more, because you somehow think of me as a revolving cash supply.
In this regards, I think both Android and iOS are sorely lacking.
So, screw the lot of them. Want these devices to be disposable? Sell them to us at discounted prices instead of your inflated prices. Or if you're going to charge us that much money, support it MUCH longer.
Two years support for a brand new device? Hell no.
Re:Makes sense. (Score:5, Informative)
My iPhone 4s is (release oct 2011) is still supported.
(Though I replaced it with a newer device, I still use it as an iTouch for various reasons).
Re:Makes sense. (Score:4, Insightful)
With Android at least there may be other providers [cyanogenmod.org] for updates. It still sucks, but I'll take "sucks but possible" over "sucks and go fuck yourself" any day.
Re: (Score:3)
I know a few people like you, who always buy the lowest-end junk because "they'll have to upgrade it soon anyway". It's a self-fulfilling prophecy; they constantly curse their lousy crap and spend more throwing it away and replacing it every 18 months than I spend on decent gear that lasts 6-8 years.
But you should never buy first generation bleeding edge stuff either. The iPad 1G sucked, because mobile phone parts were very poor five years ago. It wasn't 'planned obsolescence', Apple didn't go out of their
Re: (Score:3)
And how many first gen iPads would still be in use if they hadn't been updated to the point of obsolescence? Because my first gen iPad gradually became slower and less useful, right up until Apple said "no longer supported".
I'm no longer willing to buy a device from either Apple or Google which is anywhere near bleeding edge or current release, there's nothing in it for me.
If they want to treat their tech as disposable, I'll oblige them -- I'll buy the oldest version of their product, and never apply an up
Re:Makes sense. (Score:4, Interesting)
According to http://en.wikipedia.org/wiki/A... [wikipedia.org] Android 4.3 is only responsible for 6.5% of devices, with 4.1 and 4.2 combined being responsible for 39.5% and 4.4 for 39.1%.
Of course that's based on a survey of devices that accessed the Google Play store during the first week of this year, so may not be entirely accurate. Still, it seems likely that 4.3 is a bit player, even if new devices are still available with it. I'd love to see Google backporting fixes, but I can understand it being a low priority. Besides which I'm willing to bet that precious few new devices are running *Google* Android, which means not only would Google have to backport the fixes, they'd also need to convince downstream distributors to port the fixes into their cut-rate custom Androd distros - which seems like an uphill battle. And it's not like the various distros couldn't.
Does any of that excuse Google, or the other Android distros? Of course not. But by this point perhaps I'm just so jaded about the customer-abusive behaviors of the various manufacturers that it doesn't surprise me at all. If you have good support, then you have probably already upgraded to 4.4.x. If not - well then you probably had the option to do due-diligence before your purchase and realize you were going to be screwed on updates anyway.
Re: (Score:3)
If it has a lifespan of 2 years? No, as a matter of fact. If the hardware failed after two years, I'd find a new vendor. If the software is obsolete after 2 years by design, I'm simply not playing.
My, TV, my DVD player, my amplifier, my car stereo, my GPS nav unit, my watch, my microwave, my stove ... all of these things I realistically expect to last at least 4-5 years. There is almost no digital device I will accept a 2 year life for unle
Re: Makes sense. (Score:3)
Re:Makes sense. (Score:5, Insightful)
Apple wouldn't stop supporting devices that still count for 60% of their own statistics.
Re:Makes sense. (Score:4, Informative)
iOS isn't really any better when it comes to patching old devices. Once the poor, poor, tech company responsible for deploying the OS in the first place decides to stop supporting it, you're SOL.
Are you stoned, or just stupid?
In stark contrast to the carrier-controlled paridigm of Android software deployment, Apple maintains sole control over the updating and deployment of iOS (and OS X), and although they do eventually draw the line somewhere, it is always at a point that affects single-digit percentages of the User Base, not the majority of Users as is the case here.
Apple would be positively pilloried in these pages if they tried something even remotely as irresponsible and high-handed as Google is doing (or rather not doing) in this case.
Re: (Score:3, Informative)
So, Google should update the older software, and then the users phones still wouldn't get patched because it actually has to be done by the manufacturers, and then approved by the service provider, neither of which want you to still be using your old phone.
As to Apple, well, they just make sure that all your devices have the newest version of iOS, which will always run like crap on the older phones, driving those upgrades to the new phones that come out a month after the upgrade...
Want your older version of iOS patched? Well all you have to do is upgrade to the latest version and kill your phone's performance. Don't want to do that, then Apple will gladly tell you that they don't support the older software anymore.
As I have said in another post to this article, Google could easily change their distribution model for Android to re-capture sole control over its Distribution, like Apple. But they won't; because they simply don't care; nor do they want to be bothered with testing a zillion different platforms.
And contrary to your tired, Fandroid meme, Apple does not "push" iOS updates to anyone; let alone do so for the purpose of "obsoleting" older models. First off, at this point, regardless of the hardware or softwar
Re: (Score:3, Insightful)
Google has fixed the vulnerability in later revs.
You sir are a twat - Google doesn't control deployment of fixes or updates, your service / hardware provider does.
If you want Google to control your versioning, then buy a Google product.
Buying an AT&T or Verizon product running Google's Android OS, leaves you at the whims of AT&T and Verizon as to when or even "IF" you get the updates.
The same thing holds true for all products running Android - the company that the products are manufactured for contr
Re:Makes sense. (Score:5, Insightful)
Works for iOS. Carriers cannot prevent the upgrade of devices that can be upgraded.
Re:Makes sense. (Score:4, Interesting)
Google doesn't make the version of Android that goes out on e.g. Samsung phones. Google can patch 4.3 ll they want, but it's up to Samsung to take the patch, implement it, test it on all their devices, then get blessing from the various carriers to send it out. Given there's still people out there with S3s (and probably S2s) there's no chance they're going to put the effort into it and instead tell people to get the shiny new S5.
Re:Makes sense. (Score:4, Insightful)
Google doesn't make the version of Android that goes out on e.g. Samsung phones. Google can patch 4.3 ll they want, but it's up to Samsung to take the patch, implement it, test it on all their devices, then get blessing from the various carriers to send it out. Given there's still people out there with S3s (and probably S2s) there's no chance they're going to put the effort into it and instead tell people to get the shiny new S5.
Should not matter. If they are patching the core, the core should be available for updating by google directly by alerting the user of a needed patch. The customization should not be touching the core of the OS.
Re:Makes sense. (Score:5, Informative)
That's what changed in 4.4. In 4.3 it was part of the OS is my understanding and required a new OS install.
Re:Makes sense. (Score:4, Insightful)
Re: (Score:3)
I agree this article is mostly foolishness, but underneath this is a substantial issue with Android. It would be much easier for a provider to push a security patch if it were backported from the latest-greatest release to some of the still-active prior releases. Even then there would be a substantial time delay. The manufacturers do some initial porting of newer Android releases to their hardware, and then the providers take that software and customize it further. Most of what the providers add is best des
Re: (Score:3, Funny)
Please keep writing your Neowin articles, as they provide us countless entertainment based on conjecture.
Re: (Score:3)
It's funny how people are willing to trade hundreds of evil companies (Bell, Verizon, AT&T, MS, Apple...) for one greater evil (Google). For those who do not understand what is happening, Google owns the future of marketing. The places to advertise your product effectively are becoming more and more scarce. TV providers can see their market shrink year after year and this is partially due to PVRs and the availability of content via stream. This is also why sports distribution has become a hot commodity
Re: (Score:3)
I think my Android phone is running 2.2? Whatever the first version that you could get on non-Google hardware was. What is this "patching" of which you speak?
Don't be Evil (Score:5, Funny)
Or if you do, divert attention by saying Microsoft did it first
Re: (Score:3)
The hardware provider should push Android 5.0, not update legacy releases.
Doesn't really matter if they do patch it (Score:4, Insightful)
Even if Google were to patch 4.3, it's unlikely that it would ever hit anyone's device as the manufacturers are so shit at pushing out updates. Not that this is a defence for not patching it - Jelly Bean was only released 2.5 years ago.
And it's not just some manufacturers, Google is just as guilty - my [2013] Nexus 7 asked me whether I wanted to upgrade to Lollipop, I was busy at the time, so I hit no. Now I can't get the thing see that there *is* a new version - 5.0.2 was released 3 weeks ago, and it still says "Your system is up to date". Like fuck it is.
Re:Doesn't really matter if they do patch it (Score:5, Informative)
As an unhappy lollipop user on a 2013 nexus 7 all I can say is don't bother. My free ram has dropped from 1gb to 400mb. I can't even keep two tabs of chrome in ram now. I'm seriously considering downgrading unless google gets this release right. Furthermore we are up to version 5 of android and there is still no way to push security updates? That's a pretty serious fail IMO. Google might want to rethink that strategy before it seriously burns them in the long run.
Re:Doesn't really matter if they do patch it (Score:5, Informative)
Furthermore we are up to version 5 of android and there is still no way to push security updates? That's a pretty serious fail IMO. Google might want to rethink that strategy before it seriously burns them in the long run.
They have rethought that strategy, and the solution is Google Play Services [arstechnica.com]. All of the critical functionality has been moved there, which they can update via the Google Play store. Most of the individual apps have moved to independently-updatable Google Play apps as well. The WebKit based library discussed here has been replaced by a Chrome-based version, which also receives regular updates.
And yes, all devices Gingerbread (2.3) and above get these updates. The problem is that the WebView is one of the remaining pieces that was still tied directly to the OS in those earlier versions, so it can't be updated directly.
I'm not excusing Google for not fixing it here, but saying that version 5 still has no way to push security updates directly is incorrect.
Re: (Score:3)
Wait. It sounds likes you're saying that on older versions of Android, the Browser Rendering Engine is part of the OS?
This sounds familiar. I think a very large software company has made a claim like this before... it was somewhere around 15 to 20 years ago...
Re: (Score:3)
And then when google moves more stuff from the base system to play services, everyone is crying bloody murder for taking stuff away from AOSP and not open sourcing anything.
There is no winning, is there
Well, nothing prevents Google from open-sourcing that stuff all the same, or splitting Google Play Services into a component that actually pertains to Google Play and another to core OS functionality and open-sourcing the latter.
Google's official support policy (Score:5, Insightful)
1- You can go buy a new Android phone; or
2- You can go fuck yourself.
They gave MS 90 days (Score:5, Insightful)
I don't believe for a moment that MS were working flat-out on the patch for 90 days - it's more likely that they left it until the last minute, and then assumed that Google would make a special exception for them.
Sorry Microsoft, the deadline is the same for everyone.
Google doesn't support old versions? (Score:4, Insightful)
Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases.
To me, this only really seems like a valid position if vendors allowed people to upgrade at will, but as far as I know, Android users are still held to whichever version their carrier/manufacturer allow. June 2012 is only 2.5 years ago, which means (I'm guessing) that it's possible you purchased a phone less than 2 years ago that had this version of the OS. That means, you could have purchased your phone brand new, it might still be under contract, and it's unsupported.
Now, if you're free to install the latest version on your phone, then it seems much more reasonable.
Re: (Score:3)
Exactly. Google seems to act like their Android ecosystem vs. iOS ecosystem is analogous to the PC vs. Mac world of the 90s/00s. To some point it is, however, with PCs, the customer actually OWNED their device. They could install, repair, reinstall, update, whatever they would like, Now with carriers dictating what you are "allowed" to do with your hardware that entire philosophy is broken. For example, I had a Sony Xperia phone. Sony actually did provide updates to the Android version that could be install
Android is not Chrome. (Score:5, Insightful)
And saying that - Google needs to come to terms with the fact that they can't get away with the same bullshit update cycle for an OS installed on physical hardware, as they do with Chrome. For a desktop browser, weekly updates with support ending more-or-less after a year counts as an annoyance, but not a deal-killer. For an OS, just "no". My last phone lasted a decade - Support your devices (at least for critical vulnerability patches) for at least that long, or GTFO of the playground.
Re: (Score:3)
Key difference, though, Facebook doesn't nag me to join every time I check my email or calendar or pull something off my Drive. No doubt, they would if they offered any other services I had an interest in using without using FB itself; but since they don't, that doesn't really apply.
The truth of the matter (Score:5, Insightful)
Re:The truth of the matter (Score:5, Interesting)
Google made the 90 day deadline up, sure. But they are enforcing it, which I think is pretty cool. MS wanted them to wait two days. TWO DAYS. Which says to me they were testing the waters. No way those two days were actually crucial for MS. If you can finish the job in 92 days, you can finish it in 90 days (especially when you have the resources MS has). They were simply finding out if Google would bend their 90 day rule. Next time, it would be a week. The time after, it would be a month. Until they could and would just ignore it. Since Google stuck to their guns, MS has to resort to the tactic of making Google out to be the bad guy. Which, to be fair, they kind of are. MS doesn't like to be bossed around any more than anyone else. But to me, this is the type of pressure which is on the whole beneficial to the users in the long run.
930 MILLION devices vulnerable (Score:5, Insightful)
It would seem to me that they have a responsibility to support the versions that are in use by the majority of their customers. This whole idea that 2.5-year-old software is "ancient" is a load of BS. Imagine the outcry if Microsoft quit supporting each version of Windows after such a short time.
Re: (Score:3)
For cell phones that have an average life of 2-3 years?
You can still buy new phones with 2.3 (Score:3, Informative)
You can still buy fresh-from-the-factory phones that run nothing better than Gingerbread. (2.3) Halting updates on anything but KitKat and above is incredibly blinkered.
That said, Google really needs a better way of deploying updates other than patching the main tree and depending on their device vendors/carriers to eventually issue an update.
Android support is a long term Clusterfuck (Score:4, Interesting)
I write software for Android and what bothers me is that there's always this push for latest and greatest while we still have a significant number of devices getting left out in the cold because they're 2 or more years old. Android is a three legged stool, Google, Device Manufacturers and Carriers and all three have to get their shit together on patch management and routine updates to the devices. All of them share equally in this problem yet they just seem to be aligned to always force you to buy a new device to get what most would be consider reasonable software support. That's bullshit. Sure Google, we get it you want everybody to be on the latest and greatest and yes there are features that can't be supported with every new release however there's that sticky little thing called time to market and while you may come out with a new release, the uptake by your licensed manufacturers isn't that fast. 4.3 didn't become available widely in devices until late 2012 which is just in time for Christmas so that makes 4.3 only 2 years old basically in terms of market exposure. That's young for a smart phone. I also get it if HTC or Samsung or Vendor X out there don't want to support software in order to entice you to buy a new device, but at $600 to $800 for a high end smart phone you're not going to see the majority of your customers buy a new one every year just to keep up with the latest version of Android. That's born out by the 1 Billion devices on 4.3 which is a pretty large market. Oh and to you carriers, your bloatware and other crap isn't helping either. If you're not willing to support it for at least the life expectancy of the device, which can be up to 5 years now, then get it off of there so you can at least improve your release time frequency so that your customers aren't left with insecure devices. Google needs to take the lead here and work with the downstream manufacturers and carriers to fix this shit because it's becoming a nuisance for the development community and for the end users.
False sense of security (Score:5, Insightful)
I'm sorry, but are people actually under the impression that their phones are secure?
Problem with Apple, Microsoft, Google, etc... (Score:3)
This same problem is happening with legacy software all over the place be it from Google, Microsoft, Apple or other vendors. There are billions (YES! 1,000,000,000's) of devices out there that work just fine but can't use the latest operating system from the vendors so they aren't getting patched. This creates BILLIONS of opportunities for hackers, worms, trojans, scammers, etc all because the vendors are greedy and don't want to keep supporting hardware and software that is only a few years old.
They should be offering legacy support out at least a decade. It is very doable with conditional compilations to build the latest operating systems for the older hardware of even 15 years ago. It simply won't have some features like transparent windows and other eye candy. The software should gracefully fall back to fit the hardware. This is doable at the compile time which avoids having overly large software packages.
Well, let the free market work! (Score:3)
If you're pissed off at Google for not fixing defects in older versions of Android, you can always switch to an iPhone or a Microsoft Windows phone. Why are you folks always whining about corporate decisions that make financial sense? Unless, of course, you're willing to something and make those "financial decisions" hurt the corporation involved.
Don't like how Google won't fix bugs? Don't buy an Android next time.
Unless you also want to say that the free market doesn't fix everything. There's a reason for various regulations concerning warranty and support regulations. Especially for vital telecom infrastructure.
I love a good Google hate thread... (Score:4, Insightful)
...as much as the next guy. But honestly, are there still nerds in 2015 who don't understand how the Android model works? Think of Android as "Linux". Each manufacturer has their own distro of Android, and then there's the "reference" distro, made by Google, that is on Nexus devices called "Stock Android". All the distros are based on the "Stock Android" distro, and the manufacturers customize and add on from there.
So, blaming Google for a flaw in a previous version of Android is like blaming "Linux" for a security flaw in a previous version of Ubuntu. See how much sense that makes? All Ubuntu has to do is use a more recent kernel/library/whatever that doesn't contain the flaw and release an update or new version. The same thing goes for Android, all the handset manufacturers have to do is release an update that contains the fix, and their problems are solved. A current build of "Stock Android" already contains the fix, your manufacturer's outdated distro, however, doesn't.
There are plenty of things we can legitimately blame on Google, but blaming the flaws of handset manufacturers and cellular carriers on Google doesn't help anything. Put pressure on your carriers and manufacturers to stop dragging their feet and support their products beyond the next fiscal quarter or two!
Re:Microsoft over Google any day. (Score:5, Informative)
Microsoft learned to placate government officials by donating to them. They sought power so they could gin up memes like "anti-competitive behavior" and sic true believers AKA their meme enforcement cogs, until the politicians git paid to get back out of the way.
Now, having placated the US federal government, most state governments, and most individual EU countries, they must now focus on placating the EU parliament AKA European Federal Government, whose politicians now are wondering why they, too, can't get a piece of the pie.