Capable of Learning?
When will Slurp realize that ignoring bugs is a recipe for getting hammered in the tech press?
Google's Project Zero has revealed a bug in Microsoft's Internet Explorer and Edge browsers. First turned up on November 25, the bug offers evildoers a technique that would let a malicious web site crash a visitor's browser as the main course, with code execution as the dessert. Detailed here, the bug works by attacking a …
Are you sure it is ignoring them? A rushed patch may be dangerous as well. Borking systems gets you hammered by the press as well.
More than the tech press, it looks like it's Google that is using its hammer against competitors. Taking advantage of the fact that it has far less customer-side code that can be analyzed - only Google has access to the code it runs on its servers.
Give it a rest??? I beg to differ.
Google's record is abysmal. They're still unable to push security updates out to their Android installations.
Yeah, sure, there are OEMs in between them and their customers, but the same is true for Microsoft. (Only Apple doesn't have that barrier.)
Google is living in a glass house and it is putting its customers in that same glass house.
It is shit simple to toss a brick through a competitor's window and any idiot with a PhD could do it.
The difficulty is making brick-proof glass cheap enough for widespread consumer use; nobody at any company and no academic has done that yet.
It seems LDS is the only one of you lot with practical experience in massive scale systems deployed on a wide variety of hardware under the administration of a massive multi-locationed enterprise.
Rushing out fixes is a sure-fire recipe for disaster.
Which is why the ethical thing to do is to register the bug with your nation's CERT and only release zero days when your nation's CERT says enough time has elapsed.
Too many inexperienced arrogant people outside are guessing the complexity with orders of magnitude error.
Especially these security types. If they think they're so smart why haven't they created a better operating system? Come on, the way they talk they should have it done in a fortnight.
"More than the tech press, it looks like it's Google that is using its hammer against competitors. Taking advantage of the fact that it has far less customer-side code that can be analyzed - only Google has access to the code it runs on its servers."
Wrong. Google doesn't have access to the source for Edge. Some parts have been open-sourced, but not all of it. Google is finding these issues simply through fuzzing. Google has way more customer facing code than Microsoft. About 2 billion lines in total, and it is fair to say it is all customer facing, as all services are provided over the Internet.
Microsoft supposedly views Edge as strategic, but they can't fix a simple out of bounds bug in 90 days? What is their status page @ https://developer.microsoft.com/en-us/microsoft-edge/platform/status/ all about? Are security fixes not getting enough upvotes? BTW, the Edge status page code IS open sourced.
Dumb question, I know, but is this the same Google that is still unable to update Android?
Maybe instead of publishing "how to hacks" for other people's products and systems they should put some more time and effort into making their own products secure:
1. Figuring out how to make automatic updates work (like Apple did decades ago) and,
2. Getting vendors and re-sellers to agree to let that automatic update process work (like Microsoft did a decade ago).
Or is this some different Google?
Or does Google measure itself by different means than it measures other companies?
I know this other stuff, zero days in other people's products and systems, is important.
However, JOB ONE for Google should be taking care of its own products, its own customers and making stuff attached to its name secure -- rather than sitting up in their giant glass house throwing stones.
@WatAWorld: the essential difference is that it's not Google's OS running on Android phones. Android is open source, and Samsung and others write their own version adapted to their own phones.
In comparison, Windows machines don't have a different OS depending on whether it's sold by Dell or Lenovo. And of course only Apple sells iPhones.
"the essential difference is that it's not Google's OS running on Android phones. Android is open source, and Samsung and others write their own version adapted to their own phones."
Um... no. That's just not true.
Leaving aside the fact that there's big chunks of Android which aren't open source, most of the phone manufacturers using it don't interfere with the core OS anyway - in fact, if you're a member of the Open Handset Alliance (which is pretty much everyone in the phone business) then you're contractually forbidden to fork Android. At most, you have a few proprietary drivers, a different skin on top and a few bonus apps. That's a pretty accurate description of Touchwiz, which is Samsung's Android 'skin'.
As a rule of thumb, if the device has access to the Google Play store, then it's full-fat Android in there with at most a reskin and some device-specific drivers. No-one is sat at Samsung, or Sony, or HTC re-writing Android code.
"Dumb question, I know, but is this the same Google that is still unable to update Android?"
It is not their Android though. It is Sony's, LG's, or whoever's name is on the front. Android is just an OS that everyone can use. While Google has been tightening up access, basically anyone can throw it onto a device, and sell that device. Why is Google now responsible for pushing updates to that device? Complain to your vendor about not making updates available for the device they sold you.
Someone at MS should suggest a project to rationalise their libraries as that is borderline absurd and also means that it is very unlikely that one person knows the entire stack tree code well enough to spot any more flaws. Mind you, it nicely explains why modern code requires such powerful processors to do tasks that used to be successfully done on devices with 1/100th the power.