Re: Google doesn't respect its own 90 days deadline!
Of course the press release doesn't tell it - but it doesn't take much effort to go to CVE site and discover it ... The CVE entry was created at the beginning of October. Unlike Google, they don't publish detail whenever they like - they take security seriously, unlike Google which is now using it as a weapon against MS even if it put users at more risks.
But the very fact that the CVE entry was reserved, assigned and thereby "timestamped", mean that the vulnerability was discovered and sent to Google well before the 90 days Google decided *others* should fix their issues within.
Also, it can be very dangerous to fix vulnerabilities in beta and hotfix - because as soon as that code is released, a simple diff tells you where to look at, even if details are not made public. Vulnerabilities are not alike other bugs - disclosure *must* be very careful or you just get explotable zero days ones. A sound practice is to fix vulnerabilities first in production release and then backport them to any public beta or whatever - the other way round could be much more dangerous.
And, read: "be kept private until we coordinate disclosure" - so they keep them private until they are ready for a disclosure - no matter how long it takes, no deadline here - so what they ask others to comply with is not valid for them. What is funny is people like you thing it's OK.... but Google has washbrained a lot of people who are scared as hell if they have to pay for the software they use...