Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3
MojoKid writes: If you're running Android 4.3 or earlier, you're pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers who choose to exploit the security hole. WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected. What's most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn't seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.
Clearly Google has decided that the solution for this problem is to update Android. This is not an unreasonable solution. The problem is fixed, and how you get the fix is well documented.
The problem is when your carrier prevents you from upgrading. Blame for this issue lies solely at the feet of Verizon, AT&T, Sprint, T-Mobile, etc.
Never underestimate the power of stupid people in large groups.
They claim not to have the resources to do maintenance because it's 5 million lines of source code. Gee whiz, how many 100s of millions of lines of source code are there for OSes - and yet they don't get EOLed in a couple of years.
What other bugs (in this and other projects) are going to be labeled WONT_FIX?
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
The WebView code was originally tied directly to the Android version and HW manufacturers aren't willing to deploy 4.4 since it would take effort on their part. To avoid this, in the newer versions of Android, they have made it so there can be a Play Store update to fix and replace the WebView-like modules so they can regain control of the patching process and not rely on handset companies.
Like everyone else reporting on this story, it completely misses the point -- there's no *point* in Google writing a patch, none of the hardware companies involved would ever bother to deploy it. They have *no* control over that bit of code in your phone unless you're running a Nexus device.
- Michael T. Babcock (Yes, I blog)
Why all the venom for Google? You don't see Microsoft releasing patches for Windows XP.
Apple and Microsoft control their own update process on all platforms; Google does not. It's the individual carriers who are getting in the way of Android updates.
The explanation I read elsewhere (RTFA quotes from different interview) sounds a lot like the excuse of some incompetent developers: use trunk or it is not my problem!
If they had developed a small patch for the problem, I'm pretty sure OEMs wouldn't have a problem pushing it to the users.
But it seems they can't because, as all developers working exclusively in the trunk, they have rewritten everything already several times, and looking at the old stuff is... wew! It's old! It's absolutely horrible! Use snapshot from the trunk!! We fixed everything!! It's all better!! We promise!! Honestly!!
All hope abandon ye who enter here.
I think that the users of the default browser are probably doing a lot of other stuff that will compromise security. The advanced users will mostly install a different browser from the Play Store.
...Ludwig went on to explain that backporting a patch would be a herculean effort....
Google is acting irresponsibly to the users of the vulnerable devices by refusing to patch the vulnerability in its software. Period.
.
imo, there is NO excuse why this vulnerability will not be patched. NONE.
Google has the resources to fix the vulnerability, what they are saying is that they do not have the desire to do so.
(sigh).
I don't get how this can make the front page twice. This time TFS has nothing to do with the TFA, but neither are relevant. Google has already patched this, that is what 4.4 is. If you can't get 4.4 pushed to your phone then chances are you are not going to get another patch to this pushed to your phone. At that point, the way Android patches are being pushed, it is entirely out of Google's hands...
Some days I just get bored and Troll post all the memes I can think of...
Why all the venom for Google? You don't see Microsoft releasing patches for Windows XP.
You're right. They only supported it directly for almost 13 years, the bastards... and are still updating it if you're an embedded/point of sale type install. The nerve!
You can get an updated browser through the Google Play store. Many are available. Using a browser that comes pre-loaded with the OS and relying on your phone manufacturer/carrier to update it is a security risk.
Why all the venom for Google? You don't see Microsoft releasing patches for Windows XP.
Windows XP wasn't released on July 24, 2013.
At best, their excuse can be summarized as "we can fix this for some users, but not all, therefore we are not going to fix it at all".
To ensure perfect aim, shoot first and call whatever you hit the target
If it was as easy as deploying an update to an apk through the Play Store, Google would do it. Google DOES do it. System updates are handled by the carrier. We all know damn well that carriers do not have incentives to provide device updates. You should never expect an Android device to receive major version updates. If that's important to you, buy an Apple device, just don't complain about bending.
In short, do your god-damned research before buying that shiny new brick.
I am altering the deal; pray I do not alter it any further.
No, you remember when you still believed Google's feel-good bullshit. Sorry, but there is a difference.
What are the chances that a vendor that declines to update 4.3 to 4.4 would be willing to do an update for a 4.3.x if Google bothered to do it?
I think it smells bad, but trying to target users with vendors holding back 4.4 but willing to do another 4.3.x update is tricky. This is why Google moved toward moving stuff in a more modular fashion: to get the ability to update relevant portions without demanding the vendor get in the middle.
XML is like violence. If it doesn't solve the problem, use more.
Why all the venom for Google? You don't see Microsoft releasing patches for Windows XP.
Windows XP wasn't released on July 24, 2013.
And upgrades from Windows XP to Vista/7/8 also weren't free.
Money corrupts. Often it's the mentality that "since our competition are jerks, we should be jerks to counter them."
Table-ized A.I.
there's no *point* in Google writing a patch, none of the hardware companies involved would ever bother to deploy it.
This has been my experience in the industry as well. I don't see OEMs scrambling to get the latest updates from the chip vendor or from Google. And I see chip vendors who basically abandon support for older chips on newer releases.
I blame Google, OEMs and Vendors for the problem and not really the carriers. While carriers usually want software to be qualified before an update is allowed, there are many carriers with different rules and many phones that are not under contract.
Carriers are less particular about OS updates (patches) than they were a few years ago, and have switched mainly to being worried about OS upgrades. Either because it might cause lots of customer support calls with broken phones or it will cut into their phone sales (they sell phones through 2-year service contracts; you thought they were free?).
“Common sense is not so common.” — Voltaire
After all, you might break something.
But the summary does not. Sheesh.
I am sure that Google Project Zero will write a working exploit for this vulnerability and then release it 90 days from now. Oh they won't? I thought that was the responsible thing to do? Maybe some security researcher should help them with this.
Are you being deliberately dense?
Okay, try this.
Windows 7 was released in 2009, and will get security fixes until 2020.
Even Windows Vista (released in 2007 for home) will get security fixes until 2017.
Let's look at phone versions instead:
Windows Phone 7 was released in October 2010 and left support in October 2014.
Windows Phone 8 was released in October 2012 and will be supported until January 2016.
Looks like Windows users are getting a little better support from their supplier.
Oh arse
This "vulnerability" can be completely avoided by installing Firefox or Chrome on your Android 4.3 device and using either as the default browser. It's irresponsible of /. to ring the security panic bell without mention of how one can simply neuter the threat.
"Against stupidity the gods themselves struggle in vain." - Schiller
Glad I jumped ship years ago.
Not a security hole in my phone's browser!??!?!? Whatever will we do? How will we go on??? The sky is falling! The sky is falling! What a world...what a world...
We can patch it ourselves! Right? Right?!
Why all the venom for Google? You don't see Microsoft releasing patches for Windows XP.
Windows XP wasn't released on July 24, 2013.
And upgrades from Windows XP to Vista/7/8 also weren't free.
But they were at least POSSIBLE, unlike Android upgrades from 4.3 to 4.4 on widely deployed hardware! It can't be called free if you have to buy a new phone to do it.
(Two
If we have a security update that closes an "important" hole, and if a class of customers get ripped off because the hole's not closed - either through not distributing a patch or making the patches O/S available, who's liable? The cell provider? Google? both? Both have deep pockets, but the latter has about the deepest...
Actually, the vulnerability didn't exist in Gingerbread, it came after that. While a small set, it's still not technically accurate to say it's hit all Android before 4.3
A number of browsers have been tested and are not susceptible to the problem, even on a 4.0 to 4.3 system.
These include Chrome, Firefox, UC Browser (with Cloud Boost on), Opera, and Dolphin.
I suppose I could claim that Google has provided an easy-to-download fix for everyone in the form of the Chrome browser but I guess the conversation is going to rage into the whole magilla about other updates, etc etc.
I'm just here to point out to those concerned - you have browser options for this particular issue.
You can test yours by Googling "cyberoam android vulnerability" and choosing the XNSS test link. Sorry, I'm posting as an AC because I can't find my login credentials lol.
Cheers,
EarlyMon
The LG E970 AT&T sold me just over a year ago is running 4.1.2. They should be obligated to give me a new phone that is not vulnerable.
All those carriers sell iPhones too and every iPhone is software upgradeable--and has been from day one.
Seems more like an Android problem to me.
Sure it uses some internal components made by other companies, so does the iPhone, so does every consumer product. That's not an excuse to stop supporting a product made by your company.
Does this mean that there now exists a universal root method for all Android <= 4.3? And it won't even be patched. That would be great!
I don't really understand the rage being directed at Google here. They have fixed the issue in new versions of Android. If they back-ported the fix to 4.3 (assuming that's even possible), what would make carriers/manufacturers implement the fix when they already aren't updating the core version? Nothing. And they wouldn't. The carriers/manufacturers have financially abandoned these older models in favor of their new stuff.
People are used to a big brother company controlling everything about a software experience (Apple, Microsoft). The Google approach is open. Unfortunately this requires the user to do a little bit of thinking, make an informed choice, and support the right companies with their money.
If it ain't broke, don't fix it.
This is not an unreasonable solution.
What???? it's totally unreasonable for a web connected but embedded OS.
Some drink at the fountain of knowledge. Others just gargle.
nice reference!
You become what you hate.
Some drink at the fountain of knowledge. Others just gargle.
Like everyone else reporting on this story, it completely misses the point -- there's no *point* in Google writing a patch, none of the hardware companies involved would ever bother to deploy it. They have *no* control over that bit of code in your phone unless you're running a Nexus device.
I call BULLSHIT.
Release the patch, THEN blame the carriers if they won't deploy it.
And you fell for the misdirection...
The basic issue isn't Google. It's that even if they patched the issue, phone, tablet and whatnot vendors still need to issue an update for their devices. Which isn't going to happen for most devices released more than a year ago. The main problem is that the browser came built in with the OS. This sort of issue is one of the reasons Google is slowly moving much of the base Android into packages so it can issue updates in the Google store without needing a vendor to push an update.
Until your ISP starts blocking Windows Update, which is for all intents and purposes what the carriers are doing to Android.
Fuck off, you disgusting little wanker.
HW vendors are indeed not interested in providing upgrades for HW they no longer sell.
While that is true, it was Google's choice to allow binary device drivers for Android interaction by the vendors.
It is these proprietary device drivers which are preventing initiatives such as CyanogenMod and others from providing a clear upgrade path.
It illustrates the big mistake Google makes in this regard (allowing binary drivers and focusing on Apache licenses).
The position of Google is strong enough to make a stance in the interest of the users (and the world) that all Android drivers should be open-sourced... in that way the users can 'bake their own' and take their own responsibility with respect to upgrades.
The current situation brings the responsibility upon unwilling HW vendors, unwilling providers and ultimately Google.
Sooner or later this is going to blow up into the face of Google because bigger security problems will one day be found!
It's time Google takes a stance for OpenSource software in the interest of the users and the larger common good (certainly now it's completely on par with their own interests)!
They support two prior versions of OS-X and that's it. So OS-X 10.7, released 3 years ago, is unsupported as of October 2014. I guess that works if you have the attitude of just always updating to the latest OS, but it can be an issue for various enterprise setups that prefer to version freeze for longer times, or for 3rd party software/hardware that doesn't get updated. Also can screw you over if Apple decides to change hardware like with the PPC to Intel change.
I might have missed it, but I am a little surprised to not find this possible exploit listed in the Project Zero database...
Why does Google keep getting slammed for being the bad guy for releasing information about vulnerabilities? I read about people finding and publishing vulnerabilities all the time and follow discussions on what is responsible disclosure and nobody but Google gets treated like this.
Yahoo does the 90 days thing too. Most I've seen do a lot less than 90 days before disclosure. I understand worrying about script kiddies, but I'd rather know I have a vulnerability than just blithely hope nobody but Google found it.
The odds are that a lot of this stuff is known long before Yahoo or Google or Secunia or whoever announces it. The three months Google is leaving me vulnerable to the talented hackers makes me a lot more nervous than the people who find out about it in the news.
Google seems to be using "Google Play Services" (a piece of middleware downloaded from Google Play) as a way to support newer APIs on older Android versions and make sure apps can run on these older Android builds. Why can't they just put the newer web browser engine into either "Google Play Services" or some other downloadable bit that goes on Google Play and gives all Android users the same browser engine? Good for apps that embed it since they get the same behavior on all Android versions. Good for Google since it only has to maintain one browser engine version and doesn't need to care about older versions anymore. And good for users since they get a better browser experience (and fewer bugs) even on older Android versions.
But that's precisely one of the reasons why they aren't bothering to patch this; in fully up-to-date Android releases, WebView has been replaced by a Blink component which Google can update via the Play Store, independently of OS updates. Many, many components of Android are like this these days (which is a problem for anyone not wanting Play Services, but that's another story). And actually Apple is a bad example, since they still for many OS components need to update the entire OS, it's just that unlike Google they've retained tight control and thus can push out those updates whenever they want.
I remember sigs. Oh, a simpler time!
We're talking about the unpatched Google Nexus stuck at 4.3, no option to upgrade.
That would be ONE word: Cyanogenmod
It's almost as if, and I know this will be hard for you to comprehend so bear with me, Google and Microsoft are TWO different companies! If Microshaft was a total douchetastic company, then Google must be one as well. Thanks for enlightening me, AC.
I have a rooted phone running 4.3. I use Chrome for browsing, but realize other apps may use webview and be vulnerable. In fact they make it easy for developers to do so.
http://developer.android.com/g...
I'm wondering if I can simply disable it by deleting/renaming a library or something similar, or will that make the entire OS unstable? I don't care if it breaks apps - those would only be the vulnerable ones anyway. Absent that, it looks like it is possible to remove access to individual apps through their manifest files.
http://developer.android.com/g...
But of course as I said that would break them.
I'm not a developer, but maybe a script that will search out all manifest files (as root of course) and neuter any vulnerable apps by altering them would be useful. Once you know which ones are broken you can set about safely fixing them.
Any thoughts?
If it has Galaxy in the name, no matter whose logo is painted on it, it was made by Samsung.
Issues like this shoot a big hole through BYOD and any consideration of security compliance. You now have a deliberately insecure device with no supported patch available. Good luck with your auditors.
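For the BYOD and audit concern above (and the earlier point that a third-party default browser helps the browser but not apps that embed WebView), here is an added fleet check that is not from the thread or from Google. It assumes a constructed CSV inventory with dotted Android version strings and a `default_browser` column, and treats everything below 4.4 as carrying the legacy WebView, as the story summary states.

```python
"""Added example: flag Android devices in a constructed inventory that
still carry the pre-KitKat, OS-bundled WebView.

Assumptions (mine, not the thread's): versions are dotted strings such as
"4.1.2"; anything below 4.4 is affected. A non-stock default browser is
recorded as a partial mitigation only, because apps embedding WebView
still use the legacy engine.
"""
import csv
import io
from typing import Dict, List, Tuple

FIRST_FIXED = (4, 4)  # KitKat ships the Chromium-based WebView

# Constructed inventory; models and ids are placeholders, not real data.
# "4.10" is included only to show that numeric, not lexical, comparison is used.
INVENTORY_CSV = """device_id,model,android_version,default_browser
d001,vendor-phone-a,4.1.2,stock
d002,vendor-phone-b,4.3,chrome
d003,vendor-phone-c,4.4.2,stock
d004,vendor-tablet-d,5.0,chrome
d005,vendor-phone-e,4.10,stock
d006,vendor-phone-f,unknown,stock
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.1.2' into (4, 1, 2). Garbled input raises ValueError so a
    missing version is never silently counted as patched."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Android version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the OS-bundled WebView is the legacy (pre-4.4) one."""
    return parse_version(version) < FIRST_FIXED


def classify(row: Dict[str, str]) -> str:
    """Return 'affected', 'mitigated-browser-only', 'patched' or 'unknown'."""
    try:
        affected = is_affected(row["android_version"])
    except ValueError:
        return "unknown"
    if not affected:
        return "patched"
    # A third-party default browser avoids the stock browser path, but any
    # installed app that embeds WebView still runs the legacy engine.
    if row["default_browser"].strip().lower() != "stock":
        return "mitigated-browser-only"
    return "affected"


def audit(csv_text: str) -> List[Tuple[str, str]]:
    """Classify every device row of the CSV inventory."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["device_id"], classify(row)) for row in reader]


if __name__ == "__main__":
    for device_id, status in audit(INVENTORY_CSV):
        print(f"{device_id}: {status}")
```

Devices reported as "unknown" need their version confirmed by hand rather than being assumed safe.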
Phones with 512MB can, however, be upgraded to KitKat 4.4, which reduced the minimum required RAM back to 512MB.
Why would anyone engrave "Elbereth"?
Google wants more licenses on devices. Carriers and device makers want to sell more devices. So, Google doesn't patch an older OS, the carriers & phone makers say the update won't work on their devices, freaking out people and making it easier to sell them a new device... Google, the carriers, the manufacturers win.
Everybody always harps on the free software foundation and yet this is exactly what happens when we go "open source". We end up with an unworkable system. It's not enough to simply go mostly free. We need to demand the sources for EVERYTHING. Including drivers and boycott companies using digital restrictions to lock down the hardware. Some of the companies and/or products I'd recommend avoiding (not sure about the phone market specifically- but I'd probably look at replicant.us for ideas):
Say no to HP, Dell, Sony, Apple, Toshiba, Lenovo/IBM laptops. Actually say no to them and any company that forces a proprietary operating system down your throat or hardware dependent on non-free drivers/firmware. Unfortunately there aren't many choices left. ThinkPenguin.com (US/UK/worldwide) is good for such hardware, and there is one other (unfortunately refurbished Lenovo, which is bad, but the DRM is removed at least) for laptops (in Europe): shop.gluglug.org.uk. There is also another laptop coming (not x86 based which should solve the non-free BIOS issue, etc as well and not be dependent on a company like Lenovo which is hurting its users).
Avoid printers that aren't HP (and avoid a lot of HP printers too, many depend on non-free blobs, but fortunately HP itself indirectly tells you what is good/bad via docs at hplipopensource.com; they document what is dependent on non-free firmware and plug-ins).
Avoid wifi cards that don't have an 802.11n atheros chip. Avoid tablets right now because they're all dependent on non-free firmware and most all non-free graphics.
Avoid AMD and NVIDIA graphics. Both companies are hostile to free software. AMD despite its propaganda hasn't released sufficient code/specs for a fully free driver. NVIDIA's driver is completely closed (though there is a reverse engineered one for older graphics cards).
This is the reason that I dunno Android will replace MacOS, Windows or Linux. Google just tosses the builds to anybody who is willing to give a payment to place Google apps and the store. And Google forces the users of the hardware to open a G+ account and expects that they put in their credit card number to buy things.
After this, what happens next is not their business. File a trouble ticket and good luck.
they have a policy of develop -> bin-> move on.
this is a big worry for those of us considering chromebooks for corporate
official paperweight policy is 5 years from when product is first released (so as most of the stuff has been released a while ago we are talking 3-4 years lifespan)
Write an exploit of this that redirects Google Analytics and get it deployed to a few million handsets and I expect a proper fix would happen from all the major vendors.
Folks, you are paying top dollar for service plans that make promises of secure transactions.
Sue them - sue everybody - Google, AT&T, Verizon, Sprint/Nextel/whomever-they-are-this-week.
Promises were made, and the courts are there for YOUR satisfaction. Sue them together as a class action suit, and one of the wireless companies will break.
Better yet, just cancel your service and go with another provider or as a pay-go plan with a third party provider. Immediate results, a new phone, and satisfaction of a message delivered. Terminate your service as a breach of contract - defective and unsecured communications.
Renewing your service with the same provider will most likely eliminate you from future class action suits. The provider would have proven they took steps to remedy the problem, by forcing YOU to BUY a new phone. You should get the phone YOU want FOR FREE, and not something from the discount shelf.
I have a Galaxy S1 i9000 which has 384 MB of RAM, running CM11 (KitKat) better than it ever ran Gingerbread. Indeed, it's officially supported by CM11.
Stop gulping down (and propagating) the excuses spewed forth by hardware vendors. Sure, more RAM is better - and the more the merrier - but there is no "can't" in this equation. Hardware vendors are just playing Apple's favorite game: planned obsolescence so you can fork out for another device and toss your current one on the giant ewaste heap to make it the problem of some developing nation so desperate for income they'll take the toxic crap.