Microsoft hits back after Google publicises Windows bug

[GuidoLS]

Meanwhile, Google is ignoring security flaws in Jelly Bean (Android 4.3)...

http://blogs.wsj.com/digits/2015/01/12/google-not-fixing-some-old-android-bugs/

Considering that Jelly Bean *still* powers roughly 2/3rds of all Android devices worldwide, you'd think they would take care of their business before calling out someone else - especially when they'd already been in contact with Microsoft, and had been given a repair date. So no, Google wasn't being honest, nor good guys. They were being hypocrites of the worst kind.

Surely it is up to the phone manufacturers to update to KitKat? Google's own Nexus devices are, to the best of my knowledge, all up-to-date.

Not all devices can be upgraded. And it's not all phones. It's just a fact of life in the Android world, and it seems to be by design. And 18 months is not an old product. I've got tablets that are restricted to Gingerbread - they literally will not upgrade to Ice Cream Sandwich - an OS that's barely 10 months newer. I'm not going to pretend like they're high dollar tablets, but you'd think that an item less than a year old could be upgraded to the next new thing...

[this_is_gav]

Without knowing the technical ins and outs, I'm inclined to side with Microsoft. I don't know how complex this patch needs to be, as patches can well fix what's needed while breaking many other things, so this may be this patch has been in development since soon after it was discovered. It's not like Microsoft don't have a regular patching programme.

It does smack of politics first and foremost and is rather poor form from Google. Politics are fine (they are competing businesses after all), but when the consumer is needlessly put at risk it crosses a line.

And don't get me wrong, I'm firmly a Google supporter and am heavily invested in many of their products, both at home and work.

[scaryjim]

... I'm inclined to side with Microsoft. I don't know how complex this patch needs to be ...

This, tbh. The software I've worked on is WAY WAY simpler than a complete OS, and I still wouldn't be happy promising a 90 day turnaround on a serious bug fix. Sure, it *might* be a bug that could be fixed within a 90 day window, but I'd rather have a flaw patched right than patched quick. The project zero team have, with full knowledge, chosen to expose all Windows 8.1 users to a serious security threat. That's petulant at best, and downright malicious at worst.

[crossy]

Not all devices can be upgraded. And it's not all phones. It's just a fact of life in the Android world, and it seems to be by design. And 18 months is not an old product. I've got tablets that are restricted to Gingerbread - they literally will not upgrade to Ice Cream Sandwich - an OS that's barely 10 months newer. I'm not going to pretend like they're high dollar tablets, but you'd think that an item less than a year old could be upgraded to the next new thing...

Totally agree. There's too much needless forced-upgrade going on. For example I've got the "2012" Note 10.1 which is JB'd, yet the almost identical "2014" Note 10.1 gets KitKat. Then there was Sony's "the Xperia X10 will not get ICS" which then did get it because of public pressure. And, like I said in my earlier post, the tinkerers on xda-devs seem to be able to upgrade these "obsolete" phones with not too much hassle, yet these huge companies with their development teams can't? It doesn't wash does it...

Without knowing the technical ins and outs, I'm inclined to side with Microsoft. I don't know how complex this patch needs to be, as patches can well fix what's needed while breaking many other things, so this may be this patch has been in development since soon after it was discovered.

Good point there - if this is an issue that effects Windows 7 then I'd much prefer that whatever patch came out didn't break something else, (if it's Windows8 only then I don't care).

Maybe the sensible thing is to blame both - Microsoft for being a bit slow to fix, and Google for being overly-prescriptive.

[Corky34]

My problem with them is that while it's fine for them to stop support, the only official answer is "buy a new device and consign the old one to landfill" - how very environmentally friendly of them.

Very true, it's one of the reasons i refuse to buy so called smart phones, being forced to throw away working hardware just because of the software is anything but smart if you ask me.

4.3 was announced on 24 July 2013.
So no, it's not likely they stopped support when they announced the product And while it may be some form of demented fun to stand in queue for days on end every year to buy a new phone, 18 months for a major release of an OS is not a long span of time, even in today's gotta have the newest now society.

Whoops, i kinda thought i had that wrong a while after i posted.
Well they have to do something to get people buying more c**p.

[mercyground]

anyone bitching about old roms for phones? get yourself over to XDA Developers and flash a new rom. job done.

(I have an old HTC Desire that now runs 4.4.4 and potentially may run 5.0 lollypop)

[crossy]

Maybe Microsoft can get their own back by pointing out "Google cuts back on Android security fixes". Looking at that I'm thinking that perhaps Google should be getting their own house in order before throwing eggs at other people's?

anyone bitching about old roms for phones? get yourself over to XDA Developers and flash a new rom. job done.
(I have an old HTC Desire that now runs 4.4.4 and potentially may run 5.0 lollypop)

And is your new KK ROM fully functional? Last time I checked the ROM's for my old Galaxy S3, all of them had one or more bits that were marked as either "non functional" or as "not entirely stable". Don't get me wrong, I'm not knocking what you're saying, just pointing out that anyone expecting to just wave the XDA-Devs "magic wand" over an orphan device and get the latest 'droid release on it as good as a manufacturer's ROM may be disappointed. Personally though, I'm amazed at what some of the XDA guys CAN achieve and, as I've said above, they do go a long way to embarrassing the better-resourced "official" teams.

[Saracen]

Cards on table? I'm not exactly MS's Number 1 fan. In fact, I'm no fan at all, as anyone that's seen some of my comments on decisions over MUI, etc, will know. But I loathe, detest and despise Google. My opinion of them is broadly on a par with my level of 'affection' for the Third Reich. Seriously. When I say "detest", etc, I mean it.

So my view is probably predictable, but here it is.

Don't be evil. We believe strongly that in the long term, we will be better served-as shareholders and in all other ways-by a company that does good things for the world even if we forgo some short term gains. This is an important aspect of our culture and is broadly shared within the company.

and as CEO Eric Schmidt said in explaining that,

"Don't be evil" is meant to provoke internal debate over what constitutes ethical corporate behavior, rather than representing an absolute moral position.

So .... Google sets an arbitrary 90 day limit. It could equally well have been 75 days, 100 days, 3 calendar months, whatever, in it's reasonably laudable if self-appointed role as World Software QC judge. Then, despite knowing a a fix was 2 days out, and holding off for that, decides to put US, the public, at increased risk of exploitation for the sake of adhering to an arbitrary timetable. Way to go in "ethical corporate behaviour", Mr Schmidt.

If MS said it'd be patched Tuesday 13th, and didn't, then fair enough. Publish. But given the imminent patch, ethical behaviour would be to hold off, check the patch is released and effective, give it a chance to propagate and the public to be protected, and then, by all means, publish.

But no. For the sake of cheap publicity, just expose millions to risk, for the sake of 48 hours. Nice ethics, Google.

Though, frankly, I'd expect nothing less than an arrogant bunch of self-interested bleeps that makes it's fortunes from exploiting invasion of other people's privacy without regard to whether they object or not. Do no evil, indeed. If Google ever needs another line of work, maybe comedian? Or the hind end of a donkey?

[LSG501]

anyone bitching about old roms for phones? get yourself over to XDA Developers and flash a new rom. job done.

(I have an old HTC Desire that now runs 4.4.4 and potentially may run 5.0 lollypop)

The point isn't that we can't get roms (well those who know how) it's more the fact that we shouldn't NEED to go after a user developed rom to fix a, in my opinion, design flaw of android and lazy manufacturers.

[Freebo]

I find this shocking, Google is indeed playing very dirty. Googles system have so many bugs and flaws some which are over 2 yrs old. Google is quick to point out but not quick to fix their own ****.

To be honest this has affected Google reputation more than anything else.

[TheAnimus]

This is stunningly bad behaviour.

Yes if MS hadn't got the patch out, disclose, but realistically, getting a patch, that maintains binary compatibility, that is installed, often automatically on an almost inconceivable number of machines, with different config, uses etc. The QA (testing) for that alone will take weeks.

Given the state of Googles own house, when it comes to Android, on this, I don't think it's remotely fair. Imagine if MS said it's the manufactures job to get you updates how bad the situation would be, manufacturers are not incentivised to push updates, it hurts their physical hardware sales, unless the updates makes the hardware run slower (iOS!). This is one of the main reasons I only use my Android tablet for un-important stuff. No android device, no will they under their current design, have my emails, work data etc.

[KeyboardDemon]

Neither Google nor Microsoft has our security interests in mind over this, the only thing they appear to care about is scoring points over each other. More could have been done by each side, I would have been more impressed with Google for holding back until the 14th and equally as impressed with Microsoft for releasing the patch two days earlier.

[crossy]

Imagine if MS said it's the manufactures job to get you updates how bad the situation would be, manufacturers are not incentivised to push updates, it hurts their physical hardware sales, unless the updates makes the hardware run slower (iOS!).

Actually it seems to be a widespread view that Samsung's Android updates tend to make it's devices run slower. In this household we've got two Samsung phones and two Samsung tablets and all four seem to have developed a kind of "bit rot" where performance gets worse the older they get. And it's noticeable worse after a Samsung bundled app update.
Both tablets are due for a hard reset shortly, one of the phones got junked and the other is heading that way. Needless to say I'm very wary about buying Samsung gear again, (eldest got a Lenovo-badged Intel-powered tablet for Christmas rather than going the Galaxy Tab route for this reason. And it's actually a pretty decent piece of kit).
Anyone who says that Google is merely playing at mobile OS has probably got it right in my book. Then again, cynicism says that they don't give two hoots about Android anyway, except as a platform to get GApps on. And given that, perhaps they're not the best placed to be "policing" security.

In my horribly biased opinion, what I'd like to see is a Project Zero type team made up of the leading software manufacturers, so that'd be Microsoft, IBM, Google, Adobe, Oracle (grr, Java, grr) and arguably Apple, (and I'm sure there's others out there). Even better if there were some non-commercial folks on there, e.g. FSF, Canonical or Mozilla. There's great PR mileage in being able to gang up on someone else and poke fun at their shoddily insecure apps, so there's an incentive. Why do this? Because security is everyone's responsibility - so the more eyes on the problem, the better.

Though, frankly, I'd expect nothing less than an arrogant bunch of self-interested bleeps that makes it's fortunes from exploiting invasion of other people's privacy without regard to whether they object or not. Do no evil, indeed. If Google ever needs another line of work, maybe comedian? Or the hind end of a donkey?

I hear Fox News is looking for a new terrorism expert... rofl (#foxnewsfacts)
Maybe there's a niche for a "Google Soundbite" product?

[wasabi]

And is your new KK ROM fully functional? Last time I checked the ROM's for my old Galaxy S3, all of them had one or more bits that were marked as either "non functional" or as "not entirely stable". Don't get me wrong, I'm not knocking what you're saying, just pointing out that anyone expecting to just wave the XDA-Devs "magic wand" over an orphan device and get the latest 'droid release on it as good as a manufacturer's ROM may be disappointed. Personally though, I'm amazed at what some of the XDA guys CAN achieve and, as I've said above, they do go a long way to embarrassing the better-resourced "official" teams.

I use Cyanogenmod KK on my S3 and it is very stable. Used Carbon before that which was good but not quite as stable. Much better than the official Samsung bloatware ever was, and since it is AOSP based there are other people who know what they're doing checking the code under the hood.

[JGJones]

I thought I'll have a go to argue in favour of Google here:

Microsoft have already fixed this hole - but chose to keep an existing security vulnerability open longer for their own timetable - that is to do it on a Patch Thursday and not earlier.

After all if Google found it, who's to say others haven't and is using it?

Disclaimer: I'm more in favour of security updates as soon as it's fixed, any other bug fixes (non-security related) on a schedule so I'm not wholly in agreement with Microsoft for delaying a security fix.

Microsoft also say they don't agree with the going public aspect of security patches. Here's a damn good recent reason why it's important: Moonpig UK - the cards company. They had a very very serious security issue with their website that exposed all customer details. It was reported to them repeat-ably and Moonpig did nothing about it until 17/18 months later when it was made public. Now they're doing something about it...maybe.

A company had 17 months and didn't do anything. Another company had 3 months (90 days) and didn't release a patch (even though they had it all ready but was postponing it).

Reasonable disclosure isn't always an easy thing to do though - what's the right timescale etc?

http://www.ifc0nfig.com/moonpig-vulnerability/

[LSG501]

Microsoft also say they don't agree with the going public aspect of security patches. Here's a damn good recent reason why it's important: Moonpig UK - the cards company. They had a very very serious security issue with their website that exposed all customer details. It was reported to them repeat-ably and Moonpig did nothing about it until 17/18 months later when it was made public. Now they're doing something about it...maybe.

A company had 17 months and didn't do anything. Another company had 3 months (90 days) and didn't release a patch (even though they had it all ready but was postponing it).

Reasonable disclosure isn't always an easy thing to do though - what's the right timescale etc?

http://www.ifc0nfig.com/moonpig-vulnerability/

Difference in that argument is that MS were actually patching said security issue, they just weren't deploying it until the scheduled patch Tuesday (ie when companies expect the patches) a few days later, in this case Google waiting a couple of days wouldn't have hurt anyone except their attempt at getting one over MS, which it hasn't in my opinion, it's just lowered a lot of tech savvy people's opinion of google, because by announcing it before the patch they've only caused the end user potential issues.

Most of us don't mind the usual a versus b company 'fighting', just look at android/iOS or Apple/Samung, it's when the companies put the consumer at risk just to try and get one over another company that people don't appreciate the approach.

In the case of Moonpigs API security issue, making it public was necessary to get them to fix the issue, they didn't even attempt to patch it, MS were making the appropriate changes to fix the bug.