Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3
MojoKid writes: If you're running Android 4.3 or earlier, you're pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers that choose to exploit the security hole. WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected. What's most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn't seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.
The WebView code was originally tied directly to the Android version, and HW manufacturers aren't willing to deploy 4.4 since it would take effort on their part. To avoid this, in the newer versions of Android, they have made it so there can be a Play Store update to fix and replace the webview-like modules so they can regain control of the patching process and not rely on handset companies.
Apple and Microsoft control their own update process on all platforms; Google does not. It's the individual carriers who are getting in the way of Android updates.
They also state that the vulnerability can be easily avoided just by using an updated browser.
The webview control is also used internally by many apps, so you can't really avoid it. Google is pulling an "XP" here, except they're abandoning software that hasn't even been in the market for two full years.
Android 4.3 was released July 24, 2013.
But on the other hand, Apple released a security patch for the iPhone 3GS -- released in 2009 -- last February.
The iPad 2 released mid-2011 can still run the latest OS.
Except that the hardware requirements for Android have advanced for each new release. Specifically, phones with 512MB of RAM or less cannot be upgraded to Jelly Bean.
2.5 years is pretty good compared with many Android devices. My wife and I have owned 4 Android devices between us, and none of them received updates even 2 years after their initial release date.
Also I suspect you picked on the first iPad because it was the worst. I can't recall any mainstream Apple product that was supported for less time. Many of them are supported for 4 years or more.
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
No, they just don't give a shit like any other massive software company. My 1-year-old Post-Google Moto phone will never see an official 4.4/5.0 release. Clearly they just can't be fucked to try.