Why you don't have any Gingerbread (ncsu.edu)
73 points by pdx on Feb 7, 2011 | hide | past | favorite | 19 comments


It's a bit ironic that this isn't being fully disclosed, yet Google devs seem to believe that full disclosure is the only way to go...


If you're talking about this story, the Google researcher's version (which seems to be borne out by Microsoft's later responses) is that he disclosed the vulnerability only after giving Microsoft access to his findings and tools, and warning them several months in advance of the disclosure:

http://arstechnica.com/microsoft/news/2011/01/internet-explo...


Or this one where the Google employee gave Microsoft a whole five days: http://threatpost.com/en_us/blogs/does-google-have-double-st...

And who does full disclosure on New Year's Day? That's like waiting for a natural disaster and then saying, "BTW, been sitting on this too... full disclosure".


"For responsible disclosure, I will not publish the details of the vulnerability until an ultimate fix is out."

Is this even responsible? Even when a fix is out it's well known that most handsets won't be able to implement it because they have no upgrade path from their manufacturer. (Samsung Galaxy and Android 2.1, I'm looking at you) You'd still put a huge percentage of the mobile market at risk by putting this out there even a year after it's corrected. Why not just sit on it and be happy you did some good for the security world.


Why should full disclosure procedures be different just because it's a mobile phone?

To quote from Wikipedia: "In the case that a vendor is notified and a fix is not produced within a reasonable time, disclosure is generally made to the public." (http://en.wikipedia.org/wiki/Full_disclosure)

I think quite a majority of the security community agrees that full disclosure is quite a bit better than security through obscurity (where you have a security vulnerability, but you hope that your enemies don't learn about it).

There's no reason why it shouldn't be possible to upgrade/fix the software on handsets within a reasonable amount of time. So why treat this any differently than any other piece of software?

If you want software vendors (and handset manufacturers) to fix security holes within a reasonable amount of time then full disclosure is one of the few ways how you can put pressure on them.


I don't believe the situations are all to be evaluated equally. In the case of this market most users, even if they want to upgrade, even if they know of the problem, even if they know how to install updates, will never get them. These are devices that function for years with OSes that are immediately abandoned once released by the manufacturer. Android 1.6, 2.0, even 2.1 will probably never see another OTA update, especially since this doesn't seem to just be a quick patch issue (considering it's not coming out until the next full release). Pressure or not, there needs to be a modicum of realism as well. I don't care if you found a gaping hole in 1.6, no manufacturer is going to put out the resources to fix it, only force the end user to buy newer phones.

Full disclosure policies require some level of common sense implementation too, and I don't believe they are always the best solution for a large market of essentially embedded OSes containing personal data. It would be VERY different if Google was ignoring this; then you could use releasing as leverage. But it seems they are jumping on it right away, so the net positive effect has already been achieved. Why detriment the users who are HIGHLY unlikely to get an update?

If you understand the mobile community, and you understand that a large segment of them are not going to get a fix for this no matter how idealistic we hope the world could be, are you not then knowingly exposing them to risk?


No. The manufacturers that fail to ship a fix are knowingly exposing them to risk.

It is perfectly reasonable to assume that an attacker will be able to attain knowledge about the vulnerability whether or not it is publicly exposed.


See this is what I don't agree with. Using a vulnerability to induce action is one thing, and a very important purpose, especially when nothing is being done. Once all has been done that is going to be done however there is no further net positive gain in releasing specifics of the exploit beyond what is vulnerable.

I don't find it perfectly reasonable to assume every hacker will figure it out. Some may, but that doesn't justify dropping the information into the hands of those who wouldn't have but can still leverage it for negative uses.

It's like if I discovered the locks on all BMWs can be popped remotely with a simple code. I tell BMW, and they promptly work to fix it in all cars still under warranty. Kudos to them. Do I then take out a front page ad in the New York Times and say "Hey, just so you know, all old Beemers can be opened easy as pie like this." and call that action justified? And to note, there is a difference between raising awareness by saying "Hey Beemer owners, your older cars have a security problem... you should consider upgrading because you're vulnerable"... and standing on a street corner handing out instructions for grand theft auto. One is raising awareness... the other is explicitly putting at risk owners who might not be able to afford a new car right now... or who might be locked into a cellular contract on old hardware.


Well, I'm sure we can argue all day about whether there's a net positive gain, but the gain is clear: By committing to make security issues public, you're giving manufacturers a reason to continue support for products that they sell, so that they may be less likely to engage in the irresponsible behavior that we're discussing right here.


There are other externalities with making a decision like that. Handset providers may look at it as a point in favor of not getting security updates out there rapidly--after all, most vulnerabilities are responsibly disclosed, and look, they seem to be holding back disclosures indefinitely since we never update, therefore, we never need to update.


If I'm reading this right, this means that the fix for the problem in 2.2 was supposed to come in 2.3, but maybe will now come in 2.4.

Except that, going with how Android upgrades have gone so far, most users on 2.2 will never see 2.3. Why is Google not pushing security updates free from carrier/manufacturer control? This is pretty terrible.


I believe they're attempting to do this by separating some of the apps from the Android framework so that they can update them independently. Unfortunately, since Android is just so different from device to device, it'd be incredibly difficult to make a single change that can be given to all devices.

And there was a partial fix for this in 2.3 as the other poster has correctly noted, and Google believed they had fixed it, but it turns out that it is still exploitable.


My interpretation is that there is a partial but insufficient fix in 2.3.


I submitted this a few days ago, in off-peak HN hours, so it didn't get any traction, but I wanted people to be aware of it, so I'm trying again.


It's incredibly strange to see this on the front page given I was doing research with him last semester and ended up taking this semester off due to a massive course load. Looks like I left just a bit too early, could've got myself on the HN front page :)


Surprised this didn't get ranked higher. This is kind of big news, especially since there are more Android handsets than iPhones nowadays.


"There are more Android handsets than iPhones nowadays."

Do you have a source for that?


US Subscribers:

"RIM led the ranking with 31.6 percent market share of smartphones, while Google Android maintained the #2 position with 28.7 percent, up 7.3 percentage points versus September. Apple accounted for 25.0 percent of smartphone subscribers (up 0.7 percentage points), followed by Microsoft with 8.4 percent and Palm with 3.7 percent."

http://www.prnewswire.com/news-releases/comscore-reports-dec...
