After throwing Microsoft under the bus, Google won't patch flaw affecting nearly 1bn users


"Last month, Google took the bold steps to release the details of a security vulnerability ahead of Microsoft's Patch Tuesday. Microsoft said that the patch was set to be released two days after Google went live with the details and that they refused to wait an extra 48 hours so that the patch would have been released along with the details of the exploit.

Recently, an exploit has been uncovered in Android 4.3 (Jelly Bean) - which covers roughly 60% of Android's install base, according to the Android Developer dashboard - and Google is saying that they will not patch the flaw."


Let the shit fly between Google and MS

A flaw in web view would be hard to fix as it needs to go through the manufacturer doesnt it?

Most phones are lucky if they get one and a half years support. Without this support Google doesn't have a means to distribute a fix, which I think is the point made in the article (I.e they could fix it but it won't get distributed).

I assume this is the reason the stopped using the web view component and use chrome so they can control these sorts of things.

Maybe they shouldn't be so critical of others if they cannot sort out their own house. Those in glass houses and all that.

Much ado about nothing, As for Android even if Google release a patch the fact is most manufactures wouldn't bother to roll it out.

Agreed. Fragmentation is a real security issue.

copy and paste of what I posted elsewhere.

Google's approach to software development is horrific, they have a rapid development process for everything which is why youtube often breaks etc. Android is probably the most insecure mass adopted OS in existance, and the fragmentation and carrier update system makes it even worse. Also I suspect the carrier software distribution system is deliberate to make people keep buying new phones, making it part of the reson to upgrade is software side. Remember even if google patch it, they would also need to rely on carriers to distribute those patches, android is one big mess for security. The resson why android and chrome are popular is google's deep pockets, android is cheaper than iOS and windows, chrome is distributed with pretty much all freeware and auto installed.

Now the "GooglePlayServices" runs at a low level, but is an app updated from the Play Store - Google can patch most things without having to rely on the handset manufacturer or the network to distribute. Google got burned by the Nexus S on Verizon in the US.

It was Apple who Verizon had to come to cap in hand and ask them to make a CDMA iPhone, because they had customers leaving in droves. That gave Apple the ability to sell a handset to a strong network without the network making any modifications to the software. It was a first - and Android failed in breaking this network strangle hold :-/

That's a pretty dire situation if they cannot fix a problem for 60% of their users. I think in situations like this the dictatorship is the best

Verizon still approves each iOS release before it is made public - Apple didn't do enough there IMO.

Googles official explanation for not patching vulnerability


http://www.engadget.com/2015/01/24/g...-webview-flaw/

Not quite true regarding Verizon. They get a GM to test and they also get a choice to make a carrier update if needed. That is all. They can't tell Apple to stop it or modify it. I remember they did need to work with Verizon to make sure it worked with the network correctly at the very start as there were some issues but that was Apple being OCD (read A*nl) as per normal and it was Apple that spotted the issues, I remember one update being nuked by Apple as it caused a problem with the authentication on the Verizon network, but again it was Apple that noticed..

Not good regarding news with Android. However did anyone expect anything else?

Google just published some Apple bugs and they did not manage to do it on time (understand as Google prescribes), either. Given what a mess Android software development is I'd expect them to be more humble and accommodating towards those who actually are using methods that allow them to fix problems with a reasonable effort, even if not on deadlines Google gives them.

I think Google should admit their way of doing software is shit and try to make adjustments. Open source and everybody tinkering with it now seems suboptimal. And they are still responsible for bringing this on developers and ultimately on users. But they are lying about not being able to do anything, too. If developers can change the code that means there is a code. And they did not find it lying on the street. There must be a central repository(ies) where the fixable code is and from where developers can merge the fixed parts into their own code. Google just can't be arsed.

I agree with the above. Android development is a pain in the arse at the moment with Google just saying everybody should be doing this or that and not really caring about older devices or versions of software. The resulting fragmentation just leads to a testing and support nightmare.

I find their attitude a bit sanctimonious at times.

As I see it the issue is twofold.

Scenario 1 - You are able to upgrade your phone - Webview defect is fixed
Scenario 2 - You are not able to update your phone - that would be the manufacturer rather than Google that would be at fault.

Its clear from Scenario 1, Google has fixed the Webview issue. The problem in scenario 2 affecting people who are unable to upgrade is down to the manufacturer not supporting the device. Of course in the second scenario there is the always option of CM.

Development practices have nothing to do with the problem stated. Most phones are supported from at least 18 months beyond that the manufacturers stop providing updates - annoying but understandable. Google have since re-engineered Android so they can at least distribute system updates via the playstore, but even this approach is not an ideal.

60% of the phones are on this particular OS, they all could be fixed, manufactures apparently support it when it is installed there. MS and, I think, Apple could bypass a usual dance with networks to push a priority update if really necessary, Google could do the same. But they claim the problem are the apps that run the modified code that contain the vulnerability. Here they can do a lot, too. Fix the vulnerability in Google code in the places developers take the source code of the component from and ask them to rebuild their apps to make them safe. I don't see them doing that.

Google could of course roll out KitKat 4.4 or even Lollipop to older devices but that will never happen.

There comes a point where the device chipset is no longer supported with a particular version of android. This is more down to companies like Qualcomm and OEMs rather than Google.

There are no shortage of enthusiasts who get old hardware running modern versions of Android.

As far as Google is concerned, there isn't a problem to fix, and I agree.

The liability is with the manufacturers in this case. Google seems to have long fixed the WebView issue, as users of 4.4 and above don't seem to be affected at all.

Why should Google fix it and make "fragmentation" even worse? The OEMs are just being lazy in this instance.

Google can't throw demands at manufacturers, so their hands are tied. The Nexus line gets its updates near instantaneously and when Google owned Motorola, they also rolled out similarly prompt updates, a trend which seems to be continuing.

Every major manufacturer has a copy of every major version. What they do with it is beyond Google's control once Google release it.

This is not a complicated scenario to understand and I do think certain media failing to highlight this have an axe to grind. Webview was fixed with KitKat, therefore the problem went away.

To blame Google for customers retaining older or indeed obsolete hardware, or manufacturers and carrier's reluctance to push newer versions out to said hardware is hardly fair is it?

The very nature of Android demonstrates that talented developers can put newer software on older devices, but there always comes a time when officially, a line is drawn and support should end.

Don't bother explaing to them, they wont be able to understand as they don't have the basic knowedge to be able to process the data. Sit them down in front of a mirror and they will start miling at the other guy in the room.

Yes and they do it for free. Official support won't be. I didn't say it wasn't possible. In some cases it is. In some cases it isn't. If you have X number of people in your team you need to prioritise between legacy support and working on the new stuff.

Here's another article Google defends policy that leaves most Android devices unpatched which spells out the Google's update strategy: "Google's security team would no longer craft fixes for flaws in WebView for Android 4.3 and older." which influences 60% of Android. Basically any phone on older OS with an app that displays ads is vulnerable. It is possible to bring the fix to older OSes, they just won't do it, because it's a lot of work, apparently. If it were 6% and not 60% it would be understandable, but not like this, IMO. And before somebody says Google can't do anything. They can. Just check out the older OS code from the repository and patch it.

Leaving 60% of users in the lurch is awful! Now what if Google just decided to offer KitKat 4.4 to those who want it? No need to patch code. As for the Carriers ignore them. They wont bother to do updates so take it out of their hands.

Simple really!

You keep on posting this, but it has already been explained on this thread why Google cant do anything on this version.

The codefix already exists, the means to distribute it to the phones doesnt. Google needs the phone manufacturer to send it.