Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3

Posted by samzenpus on from the no-patch-for-you dept.

MojoKid writes If you're running Android 4.3 or earlier, you're pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers that choose to exploit the security hole. WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected. What's most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn't seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.

4 of 579 comments (clear)

  1. Article misses the point by Anonymous Coward · · Score: 5, Informative

    The WebView code was originally tied directly to the android version and HW manufactures aren't willing to deploy 4.4 since it would take effort on their part. To avoid this, in the newer versions of android, they have made it so there can be a play store update to fix and replace the webview-like modules so they can regain control of the patching process and not rely on handset companies.

  2. Re:The solution is obvious by Anonymous Coward · · Score: 5, Informative

    The webview control is also used internally by many apps, so you can't really avoid it. Google is pulling an "XP" here, except they're abandoning software that hasn't even been in the market for two full years.

  3. Re:The solution is obvious by Anonymous Coward · · Score: 5, Informative

    Except that the hardware requirements for Android have advanced for each new release. Specifically, phones with 512MB of RAM or less cannot be upgraded to Jelly Bean.

  4. Re:The solution is obvious by Anonymous Coward · · Score: 5, Informative

    No, they just don't give a shit like any other massive software company. My 1 year old Post-Google Moto phone will never see an official 4.4/5.0 release. Clearly they just can't be fucked to try.