Google threw Microsoft under the bus this weekend by disclosing a security flaw in Windows that the Redmond company wasn’t going to patch until today, after the Mountain View-based company’s self-imposed 90-day waiting period for disclosing such bugs had passed. Microsoft blasted back at Google, saying that its rival should have waited for the company’s Patch Tuesday release before disclosing the bug.
As it turns out, Google is in its own security pickle. Security researcher Tod Beardsley found a bug in Android WebView 4.3 – the part of Android that’s used to display web pages on devices running version 4.3 of Google’s mobile operating system. After disclosing it to Google, he was told that the company won’t be developing patches for WebView bugs that only affect versions of Android below 4.4, also known as “KitKat.”
That’s a problem, since the vast majority of Android devices are running an older version of the company’s OS, which could leave them vulnerable to any flaws that get found in the future. It’s possible for Android OEMs to create their own patches for this and other exploits, since Android is open source. And Google told Beardsley that it will consider patches submitted to the Android Open Source Project, or AOSP.
This policy is a move by Google that may force manufacturers to put old devices on newer versions of Android. Even when the company releases a software update, it first has to be implemented by manufacturers on their devices and approved by carriers for use on their networks. In practice, that means it can take a while before phones get updated to major new releases.
By refusing to issue security patches for older versions, the company puts a lot of users at risk – almost 1 billion, according to some estimates – but could force manufacturers to take the burden of patching security holes or updating their phones in order to maintain user security.