Google shows us how caring about Security Flaws is done right
As you know, Microsoft has a Patch Tuesday on which the company releases all patches and updates for its Windows operating system; if something is urgent, it also releases updates outside of this schedule. You might also know that Google is currently running the ‘Project Zero’ security initiative, in which it draws attention to security flaws and gives the responsible company 90 days to fix them; otherwise it publishes the vulnerability so that everyone knows about it.
The same thing happened last month when Google published a security hole in Windows 8.1 which Microsoft was about to fix, but obviously they were not fast enough. Two days before the monthly Patch Tuesday, Google published the security hole in Windows 8.1 without respecting that Microsoft would have released the update two days later anyway. You can have a detailed look at this story here.
Well, for a company running the ‘Project Zero’ security initiative, it might not look good if this company of all companies is strictly ignoring a security flaw which is currently affecting 1 billion users. Android is one of the most popular smartphone operating systems at this time, and most devices with this operating system are still running Android 4.3 Jelly Bean, which means about 60% of all Android users are using this Android version.
Recently an exploit was discovered concerning exactly this Android version, which means 60% of all current Android users are using an operating system which has a serious exploit in its WebView component (the component that renders websites in Android), and that means 1 billion users. Google’s answer to this is simple: ‘No, we won’t patch this’.
Well, actually the answer above is greatly shortened; below you can have a look at what Google answered to Tod Beardsley when he asked them about the security flaw concerning 1 billion people worldwide:
If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.
Back in August 2013 Google released Android 4.3 Jelly Bean, which was an update for Android 4.2 Jelly Bean, so that means Google is not supporting users of an operating system which it released one and a half years ago. I can still remember when everyone was mad at Microsoft because devices with Windows Phone 7.8 could not get the Windows Phone 8.0 update; in fact, Microsoft continued to release security updates for Windows Phone 7.8 and did not ignore these users. All the more interesting that Google can’t wait two days until Microsoft releases an update, at this time unknown to the public, for a security flaw in Windows 8.1.
Let me know your opinion on this and what you think about the security flaw published by Google in the comments below. Thanks for reading.