DS Forums

After throwing Microsoft under the bus, Google won't patch flaw affecting ~1bn users


Old 13-01-2015, 11:22
IvanIV
Forum Member
Join Date: May 2006
Posts: 25,199

After throwing Microsoft under the bus, Google won't patch flaw affecting nearly 1bn users


"Last month, Google took the bold steps to release the details of a security vulnerability ahead of Microsoft's Patch Tuesday. Microsoft said that the patch was set to be released two days after Google went live with the details and that they refused to wait an extra 48 hours so that the patch would have been released along with the details of the exploit.

Recently, an exploit has been uncovered in Android 4.3 (Jelly Bean) - which covers roughly 60% of Android's install base, according to the Android Developer dashboard - and Google is saying that they will not patch the flaw."


Let the shit fly between Google and MS
Old 13-01-2015, 19:39
rosetech
Forum Member
Join Date: Oct 2008
Posts: 1,058
A flaw in WebView would be hard to fix as it needs to go through the manufacturer, doesn't it?

Most phones are lucky if they get one and a half years' support. Without this support Google doesn't have a means to distribute a fix, which I think is the point made in the article (i.e. they could fix it but it won't get distributed).

I assume this is the reason they stopped using the WebView component and use Chrome, so they can control these sorts of things.
Old 13-01-2015, 19:56
kidspud
Forum Member
Join Date: May 2010
Posts: 11,501
Maybe they shouldn't be so critical of others if they cannot sort out their own house. Those in glass houses and all that.
Old 13-01-2015, 19:58
Everything Goes
Forum Member
Join Date: Mar 2002
Location: In the future....
Posts: 11,259
Much ado about nothing. As for Android, even if Google release a patch, the fact is most manufacturers wouldn't bother to roll it out.
Old 13-01-2015, 20:00
kidspud
Forum Member
Join Date: May 2010
Posts: 11,501
Quote: Originally Posted by Everything Goes
Much ado about nothing. As for Android, even if Google release a patch, the fact is most manufacturers wouldn't bother to roll it out.
Agreed. Fragmentation is a real security issue.
Old 13-01-2015, 20:45
Chrysalis
Forum Member
Join Date: Sep 2003
Location: Leics
Posts: 581
Copy and paste of what I posted elsewhere.

Google's approach to software development is horrific. They have a rapid development process for everything, which is why YouTube often breaks etc. Android is probably the most insecure mass-adopted OS in existence, and the fragmentation and carrier update system makes it even worse. Also I suspect the carrier software distribution system is deliberate, to make people keep buying new phones, making the software side part of the reason to upgrade. Remember even if Google patch it, they would also need to rely on carriers to distribute those patches; Android is one big mess for security. The reason why Android and Chrome are popular is Google's deep pockets: Android is cheaper than iOS and Windows, and Chrome is distributed with pretty much all freeware and auto-installed.
Old 13-01-2015, 22:55
jchamier
Forum Member
Join Date: Mar 2000
Location: This forum
Posts: 3,392
Now the "GooglePlayServices" runs at a low level, but is an app updated from the Play Store - Google can patch most things without having to rely on the handset manufacturer or the network to distribute. Google got burned by the Nexus S on Verizon in the US.

It was Apple that Verizon had to come to, cap in hand, and ask to make a CDMA iPhone, because they had customers leaving in droves. That gave Apple the ability to sell a handset to a strong network without the network making any modifications to the software. It was a first - and Android failed in breaking this network stranglehold :-/
Old 15-01-2015, 11:15
IvanIV
Forum Member
Join Date: May 2006
Posts: 25,199
That's a pretty dire situation if they cannot fix a problem for 60% of their users. I think in situations like this a dictatorship is best.
Old 15-01-2015, 12:45
Daveoc64
Forum Member
Join Date: Sep 2003
Location: Bristol (BBC1 West)
Posts: 15,143
Quote: Originally Posted by jchamier
It was Apple that Verizon had to come to, cap in hand, and ask to make a CDMA iPhone, because they had customers leaving in droves. That gave Apple the ability to sell a handset to a strong network without the network making any modifications to the software. It was a first - and Android failed in breaking this network stranglehold :-/
Verizon still approves each iOS release before it is made public - Apple didn't do enough there IMO.
Old 25-01-2015, 00:45
Everything Goes
Forum Member
Join Date: Mar 2002
Location: In the future....
Posts: 11,259
Google's official explanation for not patching the vulnerability

Google's Adrian Ludwig explains that it's no longer viable to "safely" patch vulnerable, pre-Android 4.4 versions of WebView (a framework that lets apps show websites without a separate browser) to prevent remote attacks. The sheer amount of necessary code changes would create legions of problems, he claims, especially since developers are introducing "thousands" of tweaks to the open source software every month.

Ludwig suggests a few things you can do to avoid or mitigate problems, though. For a start, he recommends surfing with browsers that don't use WebView but still get updates, like Chrome (which works on devices using Android 4.0) and Firefox (which runs on ancient Android 2.3 hardware). Hackers can't abuse the vulnerable software if you're not using it, after all. The Googler also tells app creators to either use their own web rendering tech or limit WebView to pages they can trust, like encrypted sites.
http://www.engadget.com/2015/01/24/g...-webview-flaw/
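The developer-side mitigation Ludwig describes above (confine WebView to pages the app trusts, served over HTTPS) can be enforced with a WebViewClient that allowlists origins. This is an added illustration for this thread, not code from Google or from the Engadget article; the class name and the host names are placeholders.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Confines a WebView to an allowlist of HTTPS origins; every other navigation is blocked. */
public class TrustedOriginWebViewClient extends WebViewClient {
    // Placeholder hosts: replace with the origins the app actually controls.
    private final Set<String> trustedHosts =
            new HashSet<>(Arrays.asList("app.example.com", "cdn.example.com"));

    /** Returns true only for https URLs whose host is exactly on the allowlist. */
    boolean isTrusted(String url) {
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        // Scheme first: a plain http page can be altered in transit, so it is never "trusted".
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && trustedHosts.contains(host.toLowerCase());
    }

    // Pre-API 24 callback; this is the one that fires on Android 4.3 and older.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // Returning true tells the WebView not to load the URL.
        return !isTrusted(url);
    }

    // API 24+ overload, kept so newer devices apply the same policy.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        return !isTrusted(request.getUrl().toString());
    }

    /** Attach the allowlisting client to a WebView before any content is loaded. */
    public static void attach(WebView webView) {
        webView.setWebViewClient(new TrustedOriginWebViewClient());
    }
}
```

shouldOverrideUrlLoading only sees navigations, not subresource loads (scripts, images, XHR), so if the trusted pages embed third-party content such as ad frames, those requests need a shouldInterceptRequest policy as well.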
Old 25-01-2015, 03:26
The Lord Lucan
Forum Member
Join Date: Apr 2005
Location: Scotland
Posts: 4,967
Not quite true regarding Verizon. They get a GM to test and they also get a choice to make a carrier update if needed. That is all. They can't tell Apple to stop it or modify it. I remember they did need to work with Verizon to make sure it worked with the network correctly at the very start, as there were some issues, but that was Apple being OCD (read A*nl) as per normal, and it was Apple that spotted the issues. I remember one update being nuked by Apple as it caused a problem with the authentication on the Verizon network, but again it was Apple that noticed.

Not good regarding news with Android. However did anyone expect anything else?
Old 25-01-2015, 08:17
IvanIV
Forum Member
Join Date: May 2006
Posts: 25,199
Quote: Originally Posted by Everything Goes
Google's official explanation for not patching the vulnerability
http://www.engadget.com/2015/01/24/g...-webview-flaw/
Google just published some Apple bugs and they did not manage to do it on time (understand as Google prescribes), either. Given what a mess Android software development is I'd expect them to be more humble and accommodating towards those who actually are using methods that allow them to fix problems with a reasonable effort, even if not on deadlines Google gives them.

I think Google should admit their way of doing software is shit and try to make adjustments. Open source and everybody tinkering with it now seems suboptimal. And they are still responsible for bringing this on developers and ultimately on users. But they are lying about not being able to do anything, too. If developers can change the code that means there is a code. And they did not find it lying on the street. There must be a central repository(ies) where the fixable code is and from where developers can merge the fixed parts into their own code. Google just can't be arsed.
Old 25-01-2015, 08:32
Mustabuster
Forum Member
Join Date: Nov 2011
Location: Woking, Surrey.
Posts: 3,588
I agree with the above. Android development is a pain in the arse at the moment with Google just saying everybody should be doing this or that and not really caring about older devices or versions of software. The resulting fragmentation just leads to a testing and support nightmare.

I find their attitude a bit sanctimonious at times.
Old 25-01-2015, 13:59
rosetech
Forum Member
Join Date: Oct 2008
Posts: 1,058
As I see it the issue is twofold.

Scenario 1 - You are able to upgrade your phone - the WebView defect is fixed.
Scenario 2 - You are not able to update your phone - that would be the manufacturer rather than Google that would be at fault.

It's clear from Scenario 1 that Google has fixed the WebView issue. The problem in Scenario 2, affecting people who are unable to upgrade, is down to the manufacturer not supporting the device. Of course in the second scenario there is always the option of CM.

Development practices have nothing to do with the problem stated. Most phones are supported for at least 18 months; beyond that the manufacturers stop providing updates - annoying but understandable. Google have since re-engineered Android so they can at least distribute system updates via the Play Store, but even this approach is not ideal.
Old 25-01-2015, 14:16
IvanIV
Forum Member
Join Date: May 2006
Posts: 25,199
60% of the phones are on this particular OS; they all could be fixed, as manufacturers apparently support it when it is installed there. MS and, I think, Apple could bypass the usual dance with networks to push a priority update if really necessary; Google could do the same. But they claim the problem is the apps that run the modified code that contains the vulnerability. Here they can do a lot, too. Fix the vulnerability in Google code in the places developers take the source code of the component from, and ask them to rebuild their apps to make them safe. I don't see them doing that.
Old 25-01-2015, 14:45
Everything Goes
Forum Member
Join Date: Mar 2002
Location: In the future....
Posts: 11,259
Google could of course roll out KitKat 4.4 or even Lollipop to older devices but that will never happen.
Old 25-01-2015, 17:08
Mustabuster
Forum Member
Join Date: Nov 2011
Location: Woking, Surrey.
Posts: 3,588
Quote: Originally Posted by Everything Goes
Google could of course roll out KitKat 4.4 or even Lollipop to older devices but that will never happen.
There comes a point where the device chipset is no longer supported with a particular version of Android. This is more down to companies like Qualcomm and OEMs rather than Google.
Old 25-01-2015, 22:30
Everything Goes
Forum Member
Join Date: Mar 2002
Location: In the future....
Posts: 11,259
Quote: Originally Posted by Mustabuster
There comes a point where the device chipset is no longer supported with a particular version of Android. This is more down to companies like Qualcomm and OEMs rather than Google.
There is no shortage of enthusiasts who get old hardware running modern versions of Android.
Old 25-01-2015, 23:08
Zack06
Forum Member
Join Date: Aug 2009
Posts: 27,438
As far as Google is concerned, there isn't a problem to fix, and I agree.

The liability is with the manufacturers in this case. Google seems to have long fixed the WebView issue, as users of 4.4 and above don't seem to be affected at all.

Why should Google fix it and make "fragmentation" even worse? The OEMs are just being lazy in this instance.

Google can't throw demands at manufacturers, so their hands are tied. The Nexus line gets its updates near instantaneously and when Google owned Motorola, they also rolled out similarly prompt updates, a trend which seems to be continuing.
Old 26-01-2015, 11:41
Dai13371
Forum Member
Join Date: May 2007
Location: Ammanford, South Wales
Posts: 7,911
Every major manufacturer has a copy of every major version. What they do with it is beyond Google's control once Google release it.

This is not a complicated scenario to understand, and I do think certain media failing to highlight this have an axe to grind. WebView was fixed with KitKat, therefore the problem went away.

To blame Google for customers retaining older or indeed obsolete hardware, or manufacturers' and carriers' reluctance to push newer versions out to said hardware, is hardly fair, is it?

The very nature of Android demonstrates that talented developers can put newer software on older devices, but there always comes a time when officially, a line is drawn and support should end.
Old 26-01-2015, 12:44
finbaar
Forum Member
Join Date: Nov 2009
Posts: 3,921
Quote: Originally Posted by Dai13371
Every major manufacturer has a copy of every major version. What they do with it is beyond Google's control once Google release it.

This is not a complicated scenario to understand, and I do think certain media failing to highlight this have an axe to grind. WebView was fixed with KitKat, therefore the problem went away.

To blame Google for customers retaining older or indeed obsolete hardware, or manufacturers' and carriers' reluctance to push newer versions out to said hardware, is hardly fair, is it?

The very nature of Android demonstrates that talented developers can put newer software on older devices, but there always comes a time when officially, a line is drawn and support should end.
Don't bother explaining to them; they won't be able to understand, as they don't have the basic knowledge to be able to process the data. Sit them down in front of a mirror and they will start smiling at the other guy in the room.
Old 26-01-2015, 12:56
Mustabuster
Forum Member
Join Date: Nov 2011
Location: Woking, Surrey.
Posts: 3,588
Quote: Originally Posted by Everything Goes
There is no shortage of enthusiasts who get old hardware running modern versions of Android.
Yes and they do it for free. Official support won't be. I didn't say it wasn't possible. In some cases it is. In some cases it isn't. If you have X number of people in your team you need to prioritise between legacy support and working on the new stuff.
Old 27-01-2015, 11:29
IvanIV
Forum Member
Join Date: May 2006
Posts: 25,199
Here's another article, "Google defends policy that leaves most Android devices unpatched", which spells out Google's update strategy: "Google's security team would no longer craft fixes for flaws in WebView for Android 4.3 and older." This influences 60% of Android. Basically any phone on an older OS with an app that displays ads is vulnerable. It is possible to bring the fix to older OSes; they just won't do it, because it's a lot of work, apparently. If it were 6% and not 60% it would be understandable, but not like this, IMO. And before somebody says Google can't do anything: they can. Just check out the older OS code from the repository and patch it.
Old 27-01-2015, 16:12
Everything Goes
Forum Member
Join Date: Mar 2002
Location: In the future....
Posts: 11,259
Quote: Originally Posted by IvanIV
Here's another article, "Google defends policy that leaves most Android devices unpatched", which spells out Google's update strategy: "Google's security team would no longer craft fixes for flaws in WebView for Android 4.3 and older." This influences 60% of Android. Basically any phone on an older OS with an app that displays ads is vulnerable. It is possible to bring the fix to older OSes; they just won't do it, because it's a lot of work, apparently. If it were 6% and not 60% it would be understandable, but not like this, IMO. And before somebody says Google can't do anything: they can. Just check out the older OS code from the repository and patch it.
Leaving 60% of users in the lurch is awful! Now what if Google just decided to offer KitKat 4.4 to those who want it? No need to patch code. As for the carriers, ignore them. They won't bother to do updates, so take it out of their hands.

Simple really!
Old 27-01-2015, 17:05
rosetech
Forum Member
Join Date: Oct 2008
Posts: 1,058
Quote: Originally Posted by IvanIV
Here's another article, "Google defends policy that leaves most Android devices unpatched", which spells out Google's update strategy: "Google's security team would no longer craft fixes for flaws in WebView for Android 4.3 and older." This influences 60% of Android. Basically any phone on an older OS with an app that displays ads is vulnerable. It is possible to bring the fix to older OSes; they just won't do it, because it's a lot of work, apparently. If it were 6% and not 60% it would be understandable, but not like this, IMO. And before somebody says Google can't do anything: they can. Just check out the older OS code from the repository and patch it.
You keep on posting this, but it has already been explained on this thread why Google can't do anything on this version.

The code fix already exists; the means to distribute it to the phones doesn't. Google needs the phone manufacturer to send it.