Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3
MojoKid writes: If you're running Android 4.3 or earlier, you're pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers who choose to exploit the security hole. WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected. What's most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn't seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.
The WebView code was originally tied directly to the Android version, and HW manufacturers aren't willing to deploy 4.4 since it would take effort on their part. To avoid this, in the newer versions of Android, they have made it so there can be a Play Store update to fix and replace the WebView-like modules, so they can regain control of the patching process and not rely on handset companies.
Apple and Microsoft control their own update process on all platforms; Google does not. It's the individual carriers who are getting in the way of Android updates.
They also state that the vulnerability can be easily avoided just by using an updated browser.
You can get an updated browser through the Google Play Store. Many are available. Using a browser that comes pre-loaded with the OS and relying on your phone manufacturer/carrier to update it is a security risk.
The WebView control is also used internally by many apps, so you can't really avoid it. Google is pulling an "XP" here, except they're abandoning software that hasn't even been in the market for two full years.
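The comment above makes the practical point: an end user can switch browsers, but an app that embeds WebView cannot switch engines on a pre-4.4 device. What an app developer can do is detect the legacy engine and keep untrusted content out of it. The following is an added example written for this thread, not code from Google, Android or any poster here; it assumes a normal Android app context, and the class and method names (WebViewGuard, isLegacyWebView, loadWithHardenedSettings, openUntrusted) are hypothetical. The Android SDK calls used (Build.VERSION, WebSettings setters, Intent.ACTION_VIEW) are real public APIs.

```java
// Added example (not from the original thread). Assumes an Android app.
// WebViewGuard, isLegacyWebView, loadWithHardenedSettings and openUntrusted
// are hypothetical names chosen for this illustration.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

public final class WebViewGuard {

    private WebViewGuard() {}

    // API level 19 is Android 4.4 KitKat, the first release whose WebView is
    // Chromium-based (as the thread states). Anything lower is the legacy engine
    // that Google says it will no longer patch.
    public static boolean isLegacyWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
    }

    // Content we control (our own servers or packaged assets): still shrink the
    // attack surface of the embedded engine before loading it.
    public static void loadWithHardenedSettings(WebView webView, String trustedUrl) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);        // enable only if the page truly needs it
        s.setAllowFileAccess(false);          // no file:// reads from the WebView
        s.setAllowContentAccess(false);       // no content:// provider access
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            // Available from API 16; default to denying cross-file-URL access.
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        webView.loadUrl(trustedUrl);
    }

    // Third-party or user-supplied URLs: on a legacy WebView, do not render them
    // in-process at all. Hand the URL to the user's browser (which can be updated
    // through the Play Store, as the thread notes); on 4.4+ fall back to the
    // hardened in-app WebView.
    public static void openUntrusted(Activity activity, WebView webView, String url) {
        if (isLegacyWebView()) {
            Intent view = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
            activity.startActivity(Intent.createChooser(view, "Open with"));
        } else {
            loadWithHardenedSettings(webView, url);
        }
    }
}
```

The split between trusted and untrusted content is the point: the hardened settings reduce what a malicious page can reach, but on a pre-4.4 device the rendering engine itself is the unpatched part, so the only real mitigation is to not feed it attacker-controlled content.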
If it was as easy as deploying an update to an APK through the Play Store, Google would do it. Google DOES do it. System updates are handled by the carrier. We all know damn well that carriers do not have incentives to provide device updates. You should never expect an Android device to receive major version updates. If that's important to you, buy an Apple device; just don't complain about bending.
In short, do your god-damned research before buying that shiny new brick.
Android 4.3 was released July 24, 2013
Google created the rules of the AOSP and the OHA. They could have set a rule about phone upgrades, but decided they would get faster market share growth if they let that one slide. Now they are paying the price. Actually, the users are paying the price; Google still has its market share, so they feel good about it.
The *Google* Galaxy Nexus was created by... wait for it... GOOGLE. It runs stock Android. _Google_ has certainly NOT fixed their product.
But on the other hand, Apple released a security patch for the iPhone 3GS, released in 2009, last February.
The iPad 2 released mid-2011 can still run the latest OS.
Except that the hardware requirements for Android have advanced for each new release. Specifically, phones with 512MB of RAM or less cannot be upgraded to Jelly Bean.
No, blame for this is on Google, because Android is designed as a firmware but marketed as an operating system. An operating system would get updates without requiring a complete wipe and reinstallation.
My current phone has got updates from KitKat to Lollipop without a wipe and reinstallation. As have all my previous Android phones from one version to another. I'm unsure what you are getting at here...
Android has a huge attack surface and still completely lacks ways to fix bugs except by abandoning entire "OS" versions.
Not true. Google has a way to patch parts of the operating system on older versions using play services:
http://arstechnica.com/gadgets...
2.5 years is pretty good compared with many Android devices. My wife and I have owned 4 Android devices between us, and none of them received updates even 2 years after their initial release date.
Also I suspect you picked on the first iPad because it was the worst. I can't recall any mainstream Apple product that was supported for less time. Many of them are supported for 4 years or more.
The "excuse" was omitted in the Slashdot post...
Here it is verbatim from Google on January 12:
"If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch."
That's not even a reason. It's a meaningless restatement of the question:
"Why are you not developing a patch for 4.3?"
"Because 4.3 is before 4.4. Thank you for your question. That's all the time we have."
Google has stopped patching Android 4.3 and lower. Instead they want you to upgrade the OS, and they don't give a rat's ass whether that is actually possible. How is that not worse than pulling an XP, considering that Android 4.3 was the latest version just seven months ago?
It's a valid example: a smartphone is just a shrunk down PC/laptop.
True, but we do get OS updates from only one vendor: the OS vendor. If there's a driver bug or hardware bug, we get the driver update from the hardware vendor. This is not a hardware/hardware driver bug, so the update must come from the OS vendor, Google.
What does a pure software component, WebView, have anything to do with hardware drivers? Nothing. Your argument is baseless.
No, they just don't give a shit like any other massive software company. My 1 year old Post-Google Moto phone will never see an official 4.4/5.0 release. Clearly they just can't be fucked to try.