by justonepost 2850 days ago
They're both in the wrong. Epic for screwing it up and rushing rather than investing in security, and Google for trying to score PR points at the expense of their users. Google is being anti-secure here by not allowing the update to filter through the ecosystem.

> Google for trying to score PR points at the expense of their users.

Except this is how Google has always handled these bugs. The article even links to other examples involving other companies.

> Google is being anti-secure here by not allowing the update to filter through the ecosystem.

Or pro-secure here by telling users to urgently update rather than doing nothing and hoping nobody spots the bug and starts exploiting it before users get lucky.

Well, it's not that there is nothing being done. You're distributing the patch.

You don't have to go yelling about the fact you're distributing a highly important security patch, that only draws the attention of the bad guys.

Wanting to distribute such patches at a low profile is a valid choice and is not "doing nothing and waiting for people to exploit it".

If you are a hacker, it is not improbable that you are keeping tabs on updates for high-profile software like Fortnite. In that case, doing things "low-profile" gives bad actors an edge.

Even if you keep tabs on it, would you inspect every single update that comes out, or would you rather inspect the ones labelled "security updates"?

Low-profile means what it says on the tin: make it sound so boring that hackers are less likely to attempt it.

Plus being low profile reduces exposure to people who only look for high profile stuff.

And plus, "not improbable" != "fact".