Google Won't Patch Security Hole affecting 1 billion users on Android, despite bashing on Microsoft

[GoodBytes]

Google has pushed under the bus Microsoft for requesting a 2 day delay on revealing to the public a security hole, while the patch is released on Tuesday, the usual time for Microsoft releases patches, saying that the time frame that Google gave to Microsoft is sufficient since the unveil.

However, Google is not better. Unlike Microsoft security hole, Android users have a important security hole, where unlike Microsoft doesn't require the system to be compromised already in some fashion, Google are saying that they wont' fix it.

The security issue has to do with the Preview, part of the core engine of the Chrome web browser on Android, which affects about 1 billion users (by Google own numbers), basically, everyone running Android 4.3 (Jelly Bean).

 

Neowin reports:

The flaw, which exists in WebView (a core component used to render web pages on an Android device) impacts nearly 1 billion users, when using Google's own numbers as a base along with Gartner figures

 

 

Google response to the security issue is:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

 

 

Source: http://www.neowin.net/news/after-throwing-microsoft-under-the-bus-google-wont-patch-flaw-affecting-nearly-1bn-users

[Toddwjp]

well if the fix is in 4.4 its up to the phone carriers to send out updates.

[LemonSpice]

The only issue is that every =manufacturer wants to mod android until it is extremmely crappy cough Touch Wiz Cough

[Suika]

This sounds like a problem with the phone manufacturer's, not Google. Google patched it in 4.4, did they not? So this is the manufacturer's faults, not Google's. They can't (or shouldn't) force them to update to 4.4 or higher.

 

misleading title

[TAK]

.

[AxelRantila]

As much as I like Google in general, this is really strage, especially considering what they did regarding Microsoft recently

[Sauron]

I think they're right though, every manufacturer is in charge of patching their own fork of android on their own devices. Google should only care about nexus devices, but those already have android 5.0.

[AlwaysFSX]

well if the fix is in 4.4 its up to the phone carriers to send out updates.

 

 

Damnit every single tech corporation is a hypocrit

Read the above quote.

[Jade]

well if the fix is in 4.4 its up to the phone carriers to send out updates.

^This. So much this. Google can't force OEMs and carriers to update their devices.

[RH00D]

Yet Jelly Bean is only 2 years old. Really, Google? You provide security support only for 2 years? Meanwhile Microsoft provides XP security support for 13 years and some people were saying its not long enough.

[Suika]

As much as I like Google in general, this is really strage, especially considering what they did regarding Microsoft recently

reread OP

 

Google would easily fix it if it were an issue with Andoird Lollipop 5.0.1 or 5.0.2 considering these are the latest versions of Android that they're still rolling out, hell the issue was patched in 4.4 already. However, Android Jellybean is aged to them and they don't want to support or patch this. It's up to manufacturer's to release the patches or update to Android 4.4 or higher. Google can't force the manufacturer's to release the updates.

[LemonSpice]

Read the above quote.

yes i know

[Laputacake]

As much as I like Google in general, this is really strage, especially considering what they did regarding Microsoft recently

"This sounds like a problem with the phone manufacturer's, not Google. Google patched it in 4.4, did they not? So this is the manufacturer's faults, not Google's. They can't (or shouldn't) force them to update to 4.4 or higher." - Suika

This security hole is for a 2 generation old OS. Google fixed the patch and most of the devices google maintain have the patch. However Manufacters like to take their time making their custom skin for the new OS so it isn't Google, they fixed the patch in 4.4

[LemonSpice]

well if the fix is in 4.4 its up to the phone carriers to send out updates.

MANUFACTURERS the carriers have nothing to do with it

[Trik'Stari]

#Windows8phonemasterrace

 

No one wants to hack me

[mansoor_]

Very misleading title. You have to pay for windows os, nobody pays for using android and the newer versions have already dealt with this flaw. 

[RH00D]

Very misleading title. You have to pay for windows os, nobody pays for using android and the newer versions have already dealt with this flaw. 

 

The cost of OS is built into the cost of the device. The same way you don't "pay for Windows" when you buy pre-built PC from Dell or HP. Same thing goes for Macs as well. Although, with Android you pay for it primarily with your personal information.

[jayctech]

Doesn't sound like Google's fault. They've patched the issue, OEM's are the reason it hasn't been pushed.

Very biased and misleading title.

[Ssoele]

Google has pushed under the bus Microsoft for requesting a 2 day delay on revealing to the public a security hole, while the patch is released on Tuesday, the usual time for Microsoft releases patches, saying that the time frame that Google gave to Microsoft is sufficient since the unveil.

 

Microsoft asked for 2 days, but only is only releasing the patch tomorrow, more than 2 weeks after the Google publication. So even if Google waited 2 days like Microsoft asked, Microsoft still wouldn't have released a patch.

 

Also, as said countless times before, Google has patched it, it's now to the phone manufacturers to roll out this patch.

[RH00D]

Microsoft asked for 2 days, but only is only releasing the patch tomorrow, more than 2 weeks after the Google publication. So even if Google waited 2 days like Microsoft asked, Microsoft still wouldn't have released a patch.

 

Also, as said countless times before, Google has patched it, it's now to the phone manufacturers to roll out this patch.

 

Google has not made a patch for Jelly Bean, only KitKat. Google has not given anything to the OEMs to roll out. That's the entire point of Google's statement:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

[Psykomantis00]

As much as I like Google in general, this is really strage, especially considering what they did regarding Microsoft recently

Lrn2readnewb.

 

 

 

Also this is another reason I like apple more as far as my phone goes. Apple pushes updates when needed. Google cant because of the way android is hacked together by other companies because they want to be special. 

[Ssoele]

Google has not made a patch for Jelly Bean, only KitKat. Google has not given anything to the OEMs to roll out. That's the entire point of Google's statement:

 

They patched it with a new version, then gave that version to the OEMs to roll out.

[RH00D]

They patched it with a new version, then gave that version to the OEMs to roll out.

I understand that. But why can't they make a patch for the old version, Jelly Bean, without having to bundle it into a whole new OS version? Like just make a small ~2 Megabyte patch for Jelly Bean to fix it.

[GoodBytes]

It's funny. If it were Vista let alone Windows 7, people would freak out, and start banning Windows.

But Google? "Ah it's 2 year old.. so what... it's manufacture faults." Google gets free pass, basically.

Hypocrite much?

 

Google should have a structure for deploying updates that is not dependence on carriers like Apple. They are FREAKING Google, you are telling me they can't do this?

You think a skin is THE reason why manufactures blocks it? Or rather they want to push you to buy a new phone rather?

Same for carrier blocking updates

 

Google can make it's own infrastructure. They can go: "If you want the latest Android, because it's not from your manufacture your skin might not be there anymore. Are you sure you want to download?"

[Lynx]

well, the fact is many phone would not get an OS ugrade at all, even the big Names didn't release any update at all except for their highend devices.

tha's why i always encourages my friend to get either Moto G or Windows Phone for budget devices.

 

#WindowsPhoneMasterRace