[fpgeek]

> Android security lags behind, because Google doesn't want to force OEMs and providers to provide updates.

What do OEM updates have to do with a security hole in Chrome? Despite all the merger chatter, Chrome isn't an OS-level part Android the way it is with ChromeOS.

The exploit sounds serious, but once the Chrome team understands it and comes up with a fix, all Google needs to do to deploy it is publish a new version of Chrome on the Play Store. I suppose they could add a nudge or two via Play Services (or otherwise) if people aren't installing the new version, but, in any case, that's nowhere near the effort required to get an OS update out (and neither OEMs nor carriers can block the fix).

[pjmlp]

First of all, I was replying to " I wonder if the next generation of phone operating systems will have something more akin to a true exo or micro kernel to help mitigate these sorts of attacks."

Second, most mobile users use whatever app is labeled as "Internet" on their phones and tablets. Only savy users get to install Chrome.

Third, anyone using an Android system older than Lollipop won't get WebView updates.

So on those devices a Chrome update is indeed an OS update.