
As 0days get meaner, Google defenses increasingly outpace Microsoft - TazeTSchnitzel
http://arstechnica.com/security/2015/01/as-0days-get-meaner-google-defenses-increasingly-outpace-microsoft/
======
EpicEng
So... the article makes a direct comparison between updating a centralized
server and updating _millions_ of computers individually. And oh yeah; the
latter is an OS patch.

I'm not defending any specific instance here, but in general, I think it is
reasonable to expect a Windows patch to take longer to develop and deploy than
an update to Google Apps.

~~~
CJefferson
Yes. Let's consider how well Google do with Android. Even Android on Nexus
devices, where they (in principle) should have much more control. Their update
speed, and how long versions get updates for, is still far behind Microsoft.

~~~
dmix
How much of this is due to the UX of updating mobile operating systems vs
software?

OTA updates on Android phones means downloading (often 250mb) files -> asking
the user to reboot to recovery -> installer takes a few minutes -> boots back
into the phone.

Most people keep their phone on 24-7. So this is not as simple as updating
software apps in the background w/o reboot.

~~~
throwaway5752
A lot of the Windows security updates require restarts. It's not a dissimilar
problem. And OS patches have to happen on shared systems, Exchange servers,
Sharepoint servers, domain controllers, etc. Uptime is more important on those
than a cell phone by any objective measure.

edit - Also, Microsoft has complicated relationships with many large vendors
and probably tests on a LOT of permutations for each patch vs whatever Google
does for Android. I am surprised to find myself sympathizing with
Microsoft.... that being said, this is digressing. MSFT should have a
universal fast track for 0days and decouple it from the standard upgrade
process. 90 days should be enough, and have no real problem with Google's
actions.

~~~
dmix
Indeed, but this must be considered if someone is going to critique Google's
speed at updating Android vs desktop operating systems. The updates need to be
stable and important if the user is going to be walked through this disruptive
process.

Additionally, Windows OS has a long history, is much more stable, and
Microsoft controls the majority of the codebase unlike Google.

Android's codebase is built on top of quite a rickety legacy foundation of old
patchworked linux kernels that have to be in sync with drivers from
proprietary manufacturers like Qualcomm - although it has improved a lot in
recent years.

Yet, I do agree Google/Android vendors should be pushing updates at a much
higher frequency.

~~~
luuio
Not disagreeing with what you said, just want to point out that Microsoft
needs to deal with even more drivers from proprietary manufacturers :-)

~~~
dmix
Google has a critical dependence on a few very slow moving manufacturers
before they can do each update. And their vendors aren't nearly as capable or
incentivized as Intel or Nvidia to release updates quickly - since their
arrangement is a fixed-hardware deal with particular phones. Not for
supporting x operating system on a variety of hardware, with competitors at
their throats.

~~~
luuio
I cannot think of a company that works with Android and not with Windows.
Again, agree that Android has to support a lot of hardware, but Windows needs
to support even more.

------
jlarocco
Not to defend Microsoft too much, but that's a bogus comparison.

And besides that, I don't even know what the point is. It's faster to fix and
deploy websites than it is to fix and deploy operating system patches? Well no
shit.

~~~
AceJohnny2
deployment != fix

However, Microsoft does have to contend with a much larger and more legacy
diverse codebase, and astronomically higher risk of regression.

------
droopybuns
This is not apples to apples. As soon as you apply the same ecosystem concepts
(end points not owned and operated by the company) google has the exact same
problems.

Reminder: Silent closure of android bugs over the holidays.

How many beers did the google pr team buy Dan Goodin?

[http://www.reddit.com/r/Android/comments/2qjkuf/someone_sile...](http://www.reddit.com/r/Android/comments/2qjkuf/someone_silently_closed_37_1952_of_android_bugs/)

~~~
Grazester
I don't see how that article made Google look particularly good. Maybe we read
different articles.

For whatever reason I just can't help but think 3 months was enough time for
these bugs to get fixed. Didn't Microsoft want Google to delay the announcement
until their patch Tuesday when they usually release their updates? If an
update is critical (which I guess it wasn't) then why not push it beforehand if
you have it already?

~~~
droopybuns
Logistics and supply chain are real fields. Distributing updates that don't
break one off oem combinations of hardware required testing?

Apply your logic to android. The patches exist in AOSP. Why don't they get to
the devices?

If you don't own the servers that get the patch, your testing obligations are
much higher. The Google team is indifferent to realities that they aren't
exposed to. This behavior is childish and rude, and it isn't going to be the
kind of behavior that the EU is going to look kindly on when they press their
antitrust case.

~~~
Grazester
To be honest I don't even know why Google bothers searching for bugs. I would
assume they do because they still have some systems running Microsoft software;
otherwise I would simply treat it as someone else's headache.

------
spacemanmatt
My take: 90 days is a reasonable amount of time for Microsoft to get a fix
out. It's not a reasonable amount of time to get a fix out and get it deployed
to a reasonable percent of the user base.

The article is not just saying Google can fix their web applications faster.
They're saying that is the whole point of making technology choices like
webtop versus desktop.

Further, after the decades of outright disdain to bother releasing a stable,
much less, a secure product from Microsoft, I'm not in a hurry to grant them
leeway on this. If they published a counterpoint explaining why they need so
much more time, I'd give it a fair reading.

~~~
iolothebard
The fact you have an opinion on what's reasonable for MS to do is fucking
comical.

How much do you know of the inner workings of MS? The great internet arbiter.

~~~
spacemanmatt
Microsoft's competitive problems are not my concern. Other platforms do better
than 90-day turnaround. No "inner working" knowledge is needed here.

------
cwyers
Everyone pointing out Google's Android update policy of "buy a new device,
asshole" isn't wrong. But I think an honorable mention goes to Chrome's update
policy of "who gives a shit if something breaks anyway." The whole article is
laughable.

~~~
spacemanmatt
Apple stops supporting older iOS devices, too. But I agree, Chrome quality
kinda goes up and down.

~~~
serge2k
When the devices are so old and far behind that they can't reasonably run a
new OS

------
norswap
The article makes an interesting point I hadn't considered when I first heard
about Google disclosing MS's vulnerabilities. And then I thought how rare this
was (and not because I'm a person of great insight) and it made me sad.

------
sarciszewski
What exactly is stopping Microsoft from issuing patches as soon as they're
ready, and sysadmins configuring their machines to only look for said updates
on the second Tuesday of every month? This model works for other operating
systems.

~~~
CJefferson
Because there are teams of people who jump on patches as soon as they are
released, backward engineer what they fixed, and use that to produce attacks.

Of course for bugs which already have public 0-day attacks, that isn't a
problem, but the majority of bugs are not publicly known at fix time, and it
is important that everyone gets the patches applied ASAP after release, hence
the well-defined day when patches are released. At my work that day is
purposefully blocked off to get patches applied, and be prepared for any
fallout.

~~~
sarciszewski
> Because there are teams of people who jump on patches as soon as they are
> released, backward engineer what they fixed, and use that to produce
> attacks.

This should serve as an incentive to stay on the bleeding edge of security
updates. Make automatic updates automatic without requiring a restart every
time. Not an incentive to sit on our hands and wait until the second Tuesday
of a month. The term Exploit Wednesday was coined in response to Patch
Tuesday. :)

Ultimately, I think this change from a monthly security release pattern to a
"as soon as it's ready" security release pattern is what needs to happen. For
the good of everyone.

Then if people get 0wned, it's their own damn fault.

------
jeremy_wiebe
In addition to the already noted comparison between a web app patch and an OS
patch, it's interesting that the organization that has found these two security
vulnerabilities in Microsoft software is (partially?) funded by Google.

~~~
landr0id
Google's Project Zero has actually found quite a lot of vulnerabilities in
commonly-used software. To date they've publicly disclosed 107 vulns, most of
which include a PoC: [https://code.google.com/p/google-security-research/issues/li...](https://code.google.com/p/google-security-research/issues/list?can=1&q=&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles)

