Re: 90 days?
how anyone here can know for sure that 90 days "is enough" to develop a fix is beyond me
From the description of the vulnerability, it certainly seems like 90 days should be more than sufficient. I dare say confirming the obvious fix with the exploit code supplied by Google would be trivial. Then, yes, there's the problem of looking to see if it breaks something else; but it's difficult to see why anything would need to update the app cache while running under a privileged impersonation token.
So at least the problem as described by Google appears to be fixable within the time limit. There might well be a class of similar problems, but there's no reason not to do a phased fix - correct the obvious, known issue first, and then look for others.