Sunday, February 01, 2015

Google and Gander

Remember the old saying "What's good for the goose is good for the gander." Here's a good example.

Google's Project Zero publicly discloses flaws 90 days after it reports them to vendors. On January 11, 2015, Google disclosed a Windows 8.1 vulnerability. The problem was that Microsoft had committed to Google to fix it on January 13. Even without the fix potential attackers would "need to have valid logon credentials and be able to log on locally to a targeted machine."

At the same time it was discovered that Google was no longer fixing problems in the AOSP Internet browser in Android 4.3 (Jelly Bean) released July 24, 2013. When a security researcher notified Google of problems in the browser in the fall of 2014 he was told "we generally do not develop the patches ourselves but do notify partners of the issue." This affects 60 per cent of Android's active user base.

Don't hold your breath on getting a fix from Verizon or AT&T.

Incidentally, Microsoft supported Windows XP (released in 2001) until 2014.

Shame on you, Google.

"And now the rest of the story."

Google is between a rock and a hard place on patching the AOSP browser. Let's say that they did patch it. It would then be up to the various vendors to incorporate that level of Android into their proprietary additions/changes to Android and then push it out to the 900 million devices. Realistically the vendors won't do that. They'd much rather sell you a new phone.

On the other hand, it doesn't seem like too much to ask for Google to patch the AOSP code and lay the blame for not updating the devices on the vendors.

Update: Google blinked.
