Security Android Bug Google Microsoft Windows

Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw 629

An anonymous reader writes Last month, Google took the bold step to release the details of a security vulnerability ahead of Microsoft. Microsoft responded and said that there was a patch in the works which was set to be released two days after Google went live with the details. Microsoft accuses Google of refusing to wait an extra 48 hours so that the patch would have been released along with the details of the exploit. Now, let's see what is happening on the Google side of software development. Recently, an exploit has been uncovered in the WebView component of Android 4.3 — estimated to cover roughly 60% of Android install base — and Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases. It would appear that over 930 million Android phones in use are out of official Google security patch support.
  • Makes sense. (Score:5, Insightful)

    by Anonymous Coward on Monday January 12, 2015 @12:35PM (#48793639)
    Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.
    • Re:Makes sense. (Score:5, Insightful)

      by MachineShedFred ( 621896 ) on Monday January 12, 2015 @12:41PM (#48793697) Journal

      And somehow this is an acceptable situation?

      "Too fucking bad buy a new phone" is not a proper response for a gaping security flaw. I hold Google accountable, as well as the handset manufacturers.

      • Re:Makes sense. (Score:5, Insightful)

        by Rich0 ( 548339 ) on Monday January 12, 2015 @12:45PM (#48793733) Homepage

        I've been wondering when people would start to take notice of this problem with Android. There is no general policy of security backports on it at all. Phones can have security vulnerabilities like anything else - it is just a matter of time before we start seeing exploits.

        They're doing a better job with ChromeOS, with a 5 year support pledge. Ironically that still isn't as good as Windows (10yrs from obsolescence vs 5yrs from introduction). If you want to see big companies taking linux seriously vendors need to start matching Windows support timelines. People like to joke about XP, but it was supported just a year ago and what was the latest version of your favorite Linux distro when XP first came out? Being secure without having to do major updates is a big selling point.

        • Re:Makes sense. (Score:5, Insightful)

          by Wycliffe ( 116160 ) on Monday January 12, 2015 @01:05PM (#48793959) Homepage

          I've been wondering when people would start to take notice of this problem with Android.

          930 million phones might be enough. Now we just need someone to write a worm that uses this to get noticed by taking
          down the cellular network for a few days and then maybe someone will get smart enough to require phone manufacturers
          to push updates for a reasonable amount of time (say 5 years after they stop selling the phone).
          I've seen phones stop receiving updates before their 2 year contract is even up. This should be breach of contract.

          • I had a G1 and that definitely quit receiving updates before the 2-year contract ended. You'd think Google would try to forward the best image for their debut Android device. I've got a friend who has a hard-on for Android so he's always stuck with them even though his experiences with updates are similar. His argument is that he can root it, which is correct, but you should not need to root the thing just to get updates, and the vast majority of people can't or won't do that.
            • Re: Makes sense. (Score:4, Insightful)

              by Rich0 ( 548339 ) on Monday January 12, 2015 @02:38PM (#48795207) Homepage

              I had a G1 and that definitely quit receiving updates before the 2-year contract ended.

              The G1 and ADP stopped receiving updates before they even stopped selling them. They didn't even get Eclair (officially), despite the ADP being the official Google developer phone up until the Nexus One came out. Fortunately none of the Nexus devices suffered that fate, though many were only supported for 1.5 years.

          • Re:Makes sense. (Score:4, Insightful)

            by tlhIngan ( 30335 ) <{slashdot} {at} {worf.net}> on Monday January 12, 2015 @01:59PM (#48794667)

            930 million phones might be enough. Now we just need someone to write a worm that uses this to get noticed by taking
            down the cellular network for a few days and then maybe someone will get smart enough to require phone manufacturers
            to push updates for a reasonable amount of time (say 5 years after they stop selling the phone).
            I've seen phones stop receiving updates before their 2 year contract is even up. This should be breach of contract.

            Well, technically, phones never got software updates - updates are a relatively new thing.

            And really, the reason Google doesn't push OEMs to force software updates is because of AOSP. Samsung's a big offender, releasing anywhere from 2-3 new smartphones a week in 2014 (seriously, they released over 100 new phones last year), and over 1 tablet a week (yes, over 50 brand new tablets).

            Granted, Samsung has more developers than Apple, Google and Microsoft combined, but you can bet terms like this would be the one that just moves OEMs to AOSP and undo all the work Google did. Hell, Samsung has replacement apps for every one of Google's (they're the only OEM to do so), so they're not dependent on Google's apps to sell phones.

            And no, it's no surprise Samsung is also the largest Android manufacturer out there with a huge market share.

        • Re: (Score:3, Insightful)

          by Flavianoep ( 1404029 )

          If you want to see big companies taking linux seriously vendors need to start matching Windows support timelines. People like to joke about XP, but it was supported just a year ago and what was the latest version of your favorite Linux distro when XP first came out? Being secure without having to do major updates is a big selling point.

          AFAIK, there's no point in "buying" Linux, however, you may buy a support subscription, which can be renewed indefinitely. Upgrading the system is free.

        • Re:Makes sense. (Score:4, Insightful)

          by Grishnakh ( 216268 ) on Monday January 12, 2015 @11:41PM (#48799733)

          I've been wondering when people would start to take notice of this problem with Android. There is no general policy of security backports on it at all.

          If you want to see big companies taking linux seriously vendors need to start matching Windows support timelines.

          Wrong.

          Android is not Linux. Android being mismanaged has nothing to do with Linux versions such as Red Hat, Ubuntu, Arch, Debian, etc.

          Anyway, no one really cares that much about desktop and server Linux distros having support for that long because it's easy to simply update the OS to a newer version periodically: it doesn't cost anything, and it doesn't usually break anything either (unlike Windows where changing from, say, XP to 7 will break all kinds of things because there's so many fundamental changes in the OS).

      • Re:Makes sense. (Score:5, Insightful)

        by Anonymous Coward on Monday January 12, 2015 @12:46PM (#48793753)

        You forgot the carriers.

        They're probably the worst offenders of all, as holding back an update means they can use "comes with the latest OS!!" as a selling point on their merchandise.

      • Re:Makes sense. (Score:4, Informative)

        by spacepimp ( 664856 ) on Monday January 12, 2015 @01:01PM (#48793903) Homepage

        Google can't push out updates to the handsets. The carriers by law mandated that only they can update and test the devices. You as a citizen and owner of the device cannot do this yourself either. But sure Google is at fault.

        • Re:Makes sense. (Score:5, Interesting)

          by peppepz ( 1311345 ) on Monday January 12, 2015 @01:29PM (#48794311)
          But Google continuously updates Google Play Services on my phone without me even noticing, let alone the carrier or the device manufacturer approve and test the changes.

          In the same way, they could update the WebView as well (had they not put it into a read-only file system, digitally signed by the device manufacturer). It's a userspace component with no implications for the phone service or the radio baseband.

          In fact, IIRC the WebView can be updated through the market in the newer versions of Android.

      • Re:Makes sense. (Score:5, Insightful)

        by c ( 8461 ) <beauregardcp@gmail.com> on Monday January 12, 2015 @01:07PM (#48793977)

        I hold Google accountable, as well as the handset manufacturers.

        I believe Google's fix is called "Android 4.4" or "Android 5.x".

        That the handset manufacturers can't seem to figure out how to get updates for older devices to newer versions of Android is the core of the problem. I mean, Cyanogenmod generally seems to be able to do it, largely using volunteer labour, so it can't be rocket science (for my handset, vendor support stopped around 4.1... there's a nightly 5.0 now available).

        You could argue that Google should set an explicit support cutoff date for patches for older versions, but when the handset makers' policy on end of life ranges from "until the average contract runs down" to "until the retail store's return period has passed", I'm not sure there's much point.

    • Re:Makes sense. (Score:5, Insightful)

      by ichthus ( 72442 ) on Monday January 12, 2015 @12:45PM (#48793737) Homepage
      I totally agree. Google could patch it, but it would then be up to the various manufacturers to push it out (Samsung, et al.) But, despite this, Google should still patch it, for PR's sake.
    • Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.

      Hindsight is 20/20 but they could have copied the idea from Apple where a process would periodically check for vulnerabilities in the background. They could patch the vulnerable component through a Google updater on the phone. I don't think most vulnerabilities would require a new ROM for the phone.

    • No, it doesn't!!! (Score:4, Informative)

      by unixisc ( 2429386 ) on Monday January 12, 2015 @02:40PM (#48795241)

      Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.

      The proper solution to this is for Google to be listed as a source for updates, in addition to the OEM and/or carrier. That way, people who are looking for updates can get it.

      Not patching Android 4.3 is not a valid reason. Unlike Windows XP which was upgradable to Windows 7 and beyond (even if it required hardware upgrades), that's not so easily done w/ Android hardware. I have an Ellipsis w/ 4.2.2, which I'd love to upgrade to Kitkat or Lollipop, but can't. Nor can I upgrade the internals of that tablet (RAM, storage) so if Google suddenly says that they won't update the OS, I'm screwed. I know there is a big inertia in the market as a result of there being 3 potential sources of software - Google (or Microsoft in case of Windows Phones), the OEM and the carriers. But everybody tossing the ball to each other just leaves a sour experience for customers.

      I know no organization wants to maintain 3 or more versions of anything. But that's not a valid reason to expect people to discard phones or tablets bought within the last 3 years. The tablet I'm describing is something I got last May, so I shouldn't have to discard it just b'cos its OS is not being patched and it can't run the latest version that is being patched!

  • by Anonymous Coward on Monday January 12, 2015 @12:37PM (#48793651)

    Or if you do, divert attention by saying Microsoft did it first

  • by oobayly ( 1056050 ) on Monday January 12, 2015 @12:40PM (#48793679)

    Even if Google were to patch 4.3, it's unlikely that it would ever hit anyone's device as the manufacturers are so shit at pushing out updates. Not that this is a defence for not patching it - Jelly Bean was only released 2.5 years ago.

    And it's not just some manufacturers, Google is just as guilty - my [2013] Nexus 7 asked me whether I wanted to upgrade to Lollipop, I was busy at the time, so I hit no. Now I can't get the thing to see that there *is* a new version - 5.0.2 was released 3 weeks ago, and it still says "Your system is up to date". Like fuck it is.

    • by ZosX ( 517789 ) <.moc.liamg. .ta. .suivaxsoz.> on Monday January 12, 2015 @12:46PM (#48793745) Homepage

      As an unhappy lollipop user on a 2013 nexus 7 all I can say is don't bother. My free ram has dropped from 1gb to 400mb. I can't even keep two tabs of chrome in ram now. I'm seriously considering downgrading unless google gets this release right. Furthermore we are up to version 5 of android and there is still no way to push security updates? That's a pretty serious fail IMO. Google might want to rethink that strategy before it seriously burns them in the long run.

      • by tobiasly ( 524456 ) on Monday January 12, 2015 @01:09PM (#48794015) Homepage

        Furthermore we are up to version 5 of android and there is still no way to push security updates? That's a pretty serious fail IMO. Google might want to rethink that strategy before it seriously burns them in the long run.

        They have rethought that strategy, and the solution is Google Play Services [arstechnica.com]. All of the critical functionality has been moved there, which they can update via the Google Play store. Most of the individual apps have moved to independently-updatable Google Play apps as well. The WebKit based library discussed here has been replaced by a Chrome-based version, which also receives regular updates.

        And yes, all devices Gingerbread (2.3) and above get these updates. The problem is that the WebView is one of the remaining pieces that was still tied directly to the OS in those earlier versions, so it can't be updated directly.

        I'm not excusing Google for not fixing it here, but saying that version 5 still has no way to push security updates directly is incorrect.

        • by bmajik ( 96670 )

          The problem is that the WebView is one of the remaining pieces that was still tied directly to the OS in those earlier versions, so it can't be updated directly

          Wait. It sounds like you're saying that on older versions of Android, the browser rendering engine is part of the OS?

          This sounds familiar. I think a very large software company has made a claim like this before... it was somewhere around 15 to 20 years ago...
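The two comments above (peppepz's point that Play Services updates without OEM or carrier involvement, and tobiasly's that the Chromium-based WebView is now delivered through Play while the WebView in earlier releases is tied to the OS image) translate into a simple defender question for anyone managing a fleet: for each device, can the WebView still be fixed without waiting on the manufacturer or carrier? The script below is an added example, not code from this thread or from Google. It parses the `[key]: [value]` lines that `adb shell getprop` prints and classifies devices by `ro.build.version.sdk`. The API-level thresholds (21 for Android 5.0, where the WebView became a separately updatable APK; 19 for 4.4; 18 and below for 4.3 and older) are my own, not stated on the page, and the sample getprop output is constructed.

```python
"""Triage Android devices by how their WebView can receive a security fix.

Added example, not from the Slashdot thread. Input is the "[key]: [value]"
format that `adb shell getprop` prints; the SAMPLE_FLEET below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Matches one "[key]: [value]" line of getprop output.
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(output: str) -> Dict[str, str]:
    """Turn raw getprop output into a dict; non-matching lines are ignored."""
    props: Dict[str, str] = {}
    for line in output.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def webview_update_path(sdk: int) -> str:
    """Classify the WebView fix path from the API level (thresholds are mine).

    API 21+ (Android 5.0): WebView is a separately updatable APK from Google Play,
        independent of OEM/carrier firmware.
    API 19-20 (Android 4.4): Chromium-based WebView, still inside the system image.
    API <= 18 (Android 4.3 and older): WebKit WebView inside the system image and,
        per the thread, no longer fixed by Google; only an OEM/carrier firmware
        update or a replacement device closes the gap.
    """
    if sdk >= 21:
        return "play-updatable"
    if sdk >= 19:
        return "firmware-only"
    return "firmware-only-unsupported"


def triage_fleet(getprop_by_device: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (device id, Android release, update path), worst devices first."""
    rows: List[Tuple[str, str, str]] = []
    for device_id, output in getprop_by_device.items():
        props = parse_getprop(output)
        sdk = int(props.get("ro.build.version.sdk", "0"))  # 0 = unknown, treated as worst
        release = props.get("ro.build.version.release", "unknown")
        rows.append((device_id, release, webview_update_path(sdk)))
    severity = {"firmware-only-unsupported": 0, "firmware-only": 1, "play-updatable": 2}
    return sorted(rows, key=lambda r: (severity[r[2]], r[0]))


# Constructed sample, as if captured with `adb -s <id> shell getprop` on three devices.
SAMPLE_FLEET = {
    "emulator-5554": "[ro.build.version.release]: [4.3]\n"
                     "[ro.build.version.sdk]: [18]\n"
                     "[ro.product.model]: [sample-A]\n",
    "emulator-5556": "[ro.build.version.release]: [4.4.4]\n"
                     "[ro.build.version.sdk]: [19]\n",
    "emulator-5558": "[ro.build.version.release]: [5.0.2]\n"
                     "[ro.build.version.sdk]: [21]\n",
}

if __name__ == "__main__":
    for device_id, release, path in triage_fleet(SAMPLE_FLEET):
        print(f"{device_id:15} Android {release:7} {path}")
```

In practice the dict would be filled by looping over `adb devices` and capturing `adb -s <id> shell getprop` per device; the "firmware-only-unsupported" bucket is the set the thread is arguing about, where no Play-delivered update can reach the vulnerable component.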

  • by Anonymous Coward on Monday January 12, 2015 @12:40PM (#48793685)

    1- You can go buy a new Android phone; or
    2- You can go fuck yourself.

  • by Anonymous Coward on Monday January 12, 2015 @12:42PM (#48793709)

    I don't believe for a moment that MS were working flat-out on the patch for 90 days - it's more likely that they left it until the last minute, and then assumed that Google would make a special exception for them.

    Sorry Microsoft, the deadline is the same for everyone.

  • by nine-times ( 778537 ) <nine.times@gmail.com> on Monday January 12, 2015 @12:43PM (#48793715) Homepage

    Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases.

    To me, this only really seems like a valid position if vendors allowed people to upgrade at will, but as far as I know, Android users are still held to whichever version their carrier/manufacturer allow. June 2012 is only 2.5 years ago, which means (I'm guessing) that it's possible you purchased a phone less than 2 years ago that had this version of the OS. That means, you could have purchased your phone brand new, it might still be under contract, and it's unsupported.

    Now, if you're free to install the latest version on your phone, then it seems much more reasonable.

    • Exactly. Google seems to act like their Android ecosystem vs. iOS ecosystem is analogous to the PC vs. Mac world of the 90s/00s. To some point it is, however, with PCs, the customer actually OWNED their device. They could install, repair, reinstall, update, whatever they would like, Now with carriers dictating what you are "allowed" to do with your hardware that entire philosophy is broken. For example, I had a Sony Xperia phone. Sony actually did provide updates to the Android version that could be install

  • by pla ( 258480 ) on Monday January 12, 2015 @12:52PM (#48793819) Journal
    First, I consider myself a fan of the Googlesphere. I love Android, love Chrome, love GMail, enjoy the availability of their online Apps, and so on. (Hate hate hate Google+, though).

    And saying that - Google needs to come to terms with the fact that they can't get away with the same bullshit update cycle for an OS installed on physical hardware, as they do with Chrome. For a desktop browser, weekly updates with support ending more-or-less after a year counts as an annoyance, but not a deal-killer. For an OS, just "no". My last phone lasted a decade - Support your devices (at least for critical vulnerability patches) for at least that long, or GTFO of the playground.
  • by Jonathan P. Bennett ( 2872425 ) on Monday January 12, 2015 @12:54PM (#48793837)
    The original article doesn't give any details as to what this "exploit" is in android. Even if it is a real exploit, no new phones will be made with Android 4.3, and at this point, no manufacturer would push an update to an old device even if Google did fix it. As to Google throwing Microsoft under the bus, that is utter crap. Google privately disclosed a vulnerability to MS, and *TOLD THEM* they had 90 days. After 90 days, Google publicly released the vulnerability. This is standard stuff. Giving a deadline is the only way to keep vulnerabilities out of the NSA toolkit and force MS to actually fix it.
  • by scottbomb ( 1290580 ) on Monday January 12, 2015 @12:58PM (#48793871) Journal

    It would seem to me that they have a responsibility to support the versions that are in use by the majority of their customers. This whole idea that 2.5-year-old software is "ancient" is a load of BS. Imagine the outcry if Microsoft quit supporting each version of Windows after such a short time.

  • by sirwired ( 27582 ) on Monday January 12, 2015 @01:05PM (#48793963)

    You can still buy fresh-from-the-factory phones that run nothing better than Gingerbread. (2.3) Halting updates on anything but KitKat and above is incredibly blinkered.

    That said, Google really needs a better way of deploying updates other than patching the main tree and depending on their device vendors/carriers to eventually issue an update.

  • by Virtucon ( 127420 ) on Monday January 12, 2015 @01:06PM (#48793975)

    I write software for Android and what bothers me is that there's always this push for latest and greatest while we still have a significant number of devices getting left out in the cold because they're 2 or more years old. Android is a three-legged stool, Google, device manufacturers and carriers, and all three have to get their shit together on patch management and routine updates to the devices. All of them share equally in this problem yet they just seem to be aligned to always force you to buy a new device to get what most would consider reasonable software support. That's bullshit. Sure Google, we get it, you want everybody to be on the latest and greatest and yes there are features that can't be supported with every new release, however there's that sticky little thing called time to market and while you may come out with a new release, the uptake by your licensed manufacturers isn't that fast. 4.3 didn't become available widely in devices until late 2012 which is just in time for Christmas so that makes 4.3 only 2 years old basically in terms of market exposure. That's young for a smart phone. I also get it if HTC or Samsung or Vendor X out there don't want to support software in order to entice you to buy a new device, but at $600 to $800 for a high end smart phone you're not going to see the majority of your customers buy a new one every year just to keep up with the latest version of Android. That's borne out by the 1 billion devices on 4.3 which is a pretty large market. Oh and to you carriers, your bloatware and other crap isn't helping either. If you're not willing to support it for at least the life expectancy of the device, which can be up to 5 years now, then get it off of there so you can at least improve your release frequency so that your customers aren't left with insecure devices.
Google needs to take the lead here and work with the downstream manufacturers and carriers to fix this shit because it's becoming a nuisance for the development community and for the end users.

  • by Dishwasha ( 125561 ) on Monday January 12, 2015 @01:19PM (#48794151)

    I'm sorry, but are people actually under the impression that their phones are secure?

  • by pubwvj ( 1045960 ) on Monday January 12, 2015 @01:30PM (#48794323)

    This same problem is happening with legacy software all over the place be it from Google, Microsoft, Apple or other vendors. There are billions (YES! 1,000,000,000's) of devices out there that work just fine but can't use the latest operating system from the vendors so they aren't getting patched. This creates BILLIONS of opportunities for hackers, worms, trojans, scammers, etc all because the vendors are greedy and don't want to keep supporting hardware and software that is only a few years old.

    They should be offering legacy support out at least a decade. It is very doable with conditional compilations to build the latest operating systems for the older hardware of even 15 years ago. It simply won't have some features like transparent windows and other eye candy. The software should gracefully fall back to fit the hardware. This is doable at the compile time which avoids having overly large software packages.

  • by frank_adrian314159 ( 469671 ) on Monday January 12, 2015 @02:09PM (#48794797) Homepage

    If you're pissed off at Google for not fixing defects in older versions of Android, you can always switch to an iPhone or a Microsoft Windows phone. Why are you folks always whining about corporate decisions that make financial sense? Unless, of course, you're willing to do something and make those "financial decisions" hurt the corporation involved.

    Don't like how Google won't fix bugs? Don't buy an Android next time.

    Unless you also want to say that the free market doesn't fix everything. There's a reason for various regulations concerning warranty and support regulations. Especially for vital telecom infrastructure.

  • by clonehappy ( 655530 ) on Monday January 12, 2015 @04:14PM (#48796337)

    ...as much as the next guy. But honestly, are there still nerds in 2015 who don't understand how the Android model works? Think of Android as "Linux". Each manufacturer has their own distro of Android, and then there's the "reference" distro, made by Google, that is on Nexus devices called "Stock Android". All the distros are based on the "Stock Android" distro, and the manufacturers customize and add on from there.

    So, blaming Google for a flaw in a previous version of Android is like blaming "Linux" for a security flaw in a previous version of Ubuntu. See how much sense that makes? All Ubuntu has to do is use a more recent kernel/library/whatever that doesn't contain the flaw and release an update or new version. The same thing goes for Android, all the handset manufacturers have to do is release an update that contains the fix, and their problems are solved. A current build of "Stock Android" already contains the fix, your manufacturer's outdated distro, however, doesn't.

    There are plenty of things we can legitimately blame on Google, but blaming the flaws of handset manufacturers and cellular carriers on Google doesn't help anything. Put pressure on your carriers and manufacturers to stop dragging their feet and support their products beyond the next fiscal quarter or two!
