Slashdot Mirror


Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3

MojoKid writes If you're running Android 4.3 or earlier, you're pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers that choose to exploit the security hole. WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected. What's most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn't seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.

27 of 579 comments

  1. The solution is obvious by BVis · · Score: 5, Insightful

    Clearly Google has decided that the solution for this problem is to update Android. This is not an unreasonable solution. The problem is fixed, and how you get the fix is well documented.

    The problem is when your carrier prevents you from upgrading. Blame for this issue lies solely at the feet of Verizon, AT&T, Sprint, T-Mobile, etc.

    --
    Never underestimate the power of stupid people in large groups.
    1. Re:The solution is obvious by rot26 · · Score: 3, Insightful

      My widely distributed product has been discovered to have a serious security flaw affecting millions of users. I have fixed this but it requires you to get your congressman to fetch it for you and have his staff install it. It's not MY fault if you can't convince your congressman to do this, it's HIS fault, and if you suffer, that's just too bad. Take it up at the voting booth.

      --
      To ensure perfect aim, shoot first and call whatever you hit the target
    2. Re:The solution is obvious by Anonymous Coward · · Score: 3, Insightful

      That's fucking comical. Google knows very well what the situation with the carriers and OEMs is, they are just as culpable in this mess. If Microsoft or Apple pulled some shit like this the tech blog sphere would implode from the density of the rage. All is forgiven for Glorious Google-sama however!

    3. Re:The solution is obvious by soft_guy · · Score: 4, Insightful

      Apple tries to control as much as they can on their platforms. Other platforms like Android and Windows take an approach of sharing responsibility for the overall quality between several different companies who can each point at each other and say "not it!" when a problem arises.

      --
      Avoid Missing Ball for High Score
    4. Re:The solution is obvious by Noah+Haders · · Score: 1, Insightful

      The problem is when a phone OS manufacturer constantly cuts corners to deploy fast and ends up in a pickle like this. Google is the one who made up the "carriers won't upgrade" system.

    5. Re:The solution is obvious by Black.Shuck · · Score: 5, Insightful

      how is apple able to upgrade their phones for like 5 years and Scamsung, LG and HTC cannot?

      Apple is comparatively disciplined, releasing about one new phone a year, and hardware and software are under their full control.

      Together, the others release dozens, and different companies share different responsibilities. Nice for consumer choice, but not so nice for support, since nobody wants to maintain a software stack nor wrestle with the politics involved in updating so many different devices.

    6. Re:The solution is obvious by Lazere · · Score: 5, Insightful

      I disagree. Microsoft not supporting XP and Google not supporting 4.3 are two completely different things. 4.3, despite being two major versions ago, was released less than two years ago. If Microsoft or Apple stopped supporting an OS version after less than two years, there would be hell to pay. Why does Google get a pass just because they have a fast versioning scheme?

    7. Re:The solution is obvious by Munchr · · Score: 4, Insightful

      No, the carriers made up this system, and it existed long before Android entered the market. Symbian OS, Windows Phone, and Android are all affected. Apple managed to get AT&T to agree to allow Apple to control when and how updates to the iPhone are provided as part of the initial AT&T exclusive partnership agreement for the original iPhone. Every carrier since AT&T has had to agree to the same provision regarding Apple's control, or they don't get the iPhone. I'm not aware of ANY other phone manufacturer that has managed that feat before or since, without being forced to sell their phones directly to the public as carrier free/unlocked phones as Nokia did with the n900.

    8. Re:The solution is obvious by Anonymous Coward · · Score: 1, Insightful

      Why the fuck should a god damn carrier who doesn't even make the fucking software be responsible for updating the OS on a phone they didn't manufacture? What were the faggots at Google thinking?

    9. Re:The solution is obvious by Anonymous Coward · · Score: 0, Insightful

      No, it's your hardware provider that is your problem, not Google.

      The "updates" are FREE, there's zero reason not to be on the current release.

      They aren't pulling an XP here, they evolve, release constantly, each new release the same price - FREE.

      Contact your hardware provider and bitch to them, not Google.

    10. Re:The solution is obvious by Tablizer · · Score: 2, Insightful

      how is apple able to upgrade their phones for like 5 years and Scamsung, LG and HTC cannot?

      Perhaps you really do get what you pay for.

    11. Re:The solution is obvious by BVis · · Score: 4, Insightful

      So because Google didn't specifically forbid something, and the carriers went ahead and did it not because it was a good idea, but because fuck the customer, that's Google's fault? If I don't specifically tell someone to look both ways before crossing the street, is it my fault when they don't and get hit by a bus?

      The carriers are the bad actors here. Google had a bug in their product, and they have fixed it. The carriers are the ones not allowing their customers to install the fixed version.

      --
      Never underestimate the power of stupid people in large groups.
    12. Re:The solution is obvious by the_B0fh · · Score: 3, Insightful

      Why wouldn't you blame Google for this? Google explicitly said they are not updating the code. Since the carriers depend on Google to provide the code, how are they not culpable?

      And the "oh, 5 million lines of code, I don't know where to look" is damned weak sauce. Debian backports security patches all the time.

    13. Re:The solution is obvious by CastrTroy · · Score: 4, Insightful

      Isn't this basically what Microsoft does with Windows, or what Linux does. One code base that runs on all kinds of machines. And we still expect them to get vulnerabilities fixed. I could understand if it was a bug with some kind of driver that communicated with the cellular radio or other piece of hardware. Then it would be up to the manufacturer or carrier to fix the bug. But this is a bug in something that has nothing to do with the hardware that it is running on. There should be a more reliable way for bugs to get fixed on Android without going through multiple entities, some of which would just rather you buy new hardware. Imagine if you had to go through Dell, HP, or Acer every time you needed something fixed in Windows. It would be a disaster. But that's exactly what the state of affairs is with Android. I'm due for a new phone soon. I can't afford an iPhone, and my previous phone was Android, but I seriously got burned on updates. I've been considering Windows Phone, but their app selection is quite poor. I find that the current state of affairs with phone operating systems to be quite terrible.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    14. Re:The solution is obvious by gnupun · · Score: 2, Insightful

      No, it's your hardware provider that is your problem, not Google.

      Do you update your Windows/Linux/OSX PC/laptop from the OS vendor or the company that sold you the hardware? It's almost always the OS vendor. A PC/laptop is very similar to a smartphone except the latter is smaller. Google's model of pushing updates through the hardware vendor is utterly stupid and adds an extra unnecessary middleman to the process.

      Contact your hardware provider and bitch to them, not Google.

      Why can't Google's patch fix the issue? Is there a different kernel for each Android phone so that different patches are needed for each phone?

    15. Re:The solution is obvious by Tran · · Score: 5, Insightful

      Well, unlike the wireless phone companies, there were no vendors for the PCs that insist on putting their hands on the OS to customize the Android experience (mostly to detrimental effect, in my experience). So yes, Verizon, T-Mobile are on the hook for this one.

      My plain vanilla Nexus 4 is still running fine with the latest and greatest, well, latest, OS from Google. It is just starting to take some performance hits as compared to when it first came out.

    16. Re:The solution is obvious by TsuruchiBrian · · Score: 3, Insightful

      This is a bad example. You don't get all your drivers from the OS vendor. Google publishes the OS images to the public. The problem is that you can't use them if your hardware vendor has not yet made their drivers compatible with the new version of the OS.

      Microsoft doesn't package every driver from every hardware vendor with its OS. If your hardware vendor doesn't provide a driver for Windows then that's not Microsoft's fault.

      Furthermore, if you really want updates ASAP, you can get a Nexus phone and be the first to receive them directly from Google.

    17. Re:The solution is obvious by AmiMoJo · · Score: 4, Insightful

      Download the Android source from the official site for free: https://source.android.com/sou...

      You might be thinking of the Play store and other Google apps, which as you say are not free. You can download and install them for free as a user, but if you want to ship them pre-installed on a device then there are licence agreements. Nothing in those agreements about having to launch a flagship phone or nonsense like that... Android is winning because it is available on everything from low cost low end devices to the very top tier hardware.

      As for the costs, Cyanogen seems to prove that they can be pretty low. They support a lot of devices with very little funding to do so, partly because they are open source and rely on volunteers. Some companies pay them for support, which seems like a reasonable way to do long term updates.

      You should never buy a phone from a carrier. Always get it unbranded and unlocked.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Their excuse sucks by BarbaraHudson · · Score: 3, Insightful

    They claim not to have the resources to do maintenance because it's 5 million lines of source code. Gee whiz, how many 100s of millions of lines of source code are there for OSes - and yet they don't get EOLed in a couple of years.

    What other bugs (in this and other projects) are going to be labeled WONT_FIX?

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  3. Nice troll by MikeBabcock · · Score: 4, Insightful

    Like everyone else reporting on this story, it completely misses the point -- there's no *point* in Google writing a patch, none of the hardware companies involved would ever bother to deploy it. They have *no* control over that bit of code in your phone unless you're running a Nexus device.

    --
    - Michael T. Babcock (Yes, I blog)
    1. Re:Nice troll by Godai · · Score: 4, Insightful

      Also a point that gets largely glossed over is that this only affects apps that use WebView as a widget -- browser apps like Chrome or Opera aren't affected because they've updated themselves to use Chromium (or something else). This may affect 60% of Android users, but what percentage of those are using the browser inside an app to visit random sketchy websites? I'm guessing the actual user base at risk is quite small.

      The way this is reported it sounds like if you use Chrome on anything south of 4.4, you're IN GRAVE MORTAL DANGER OF TEH HACKZ.

      --
      Wood Shavings!
      - Godai
    2. Re:Nice troll by dumfrac · · Score: 3, Insightful

      (Not the OP here.) I presume that it is the Google Galaxy Nexus. Google has not made 4.4 available for the Google Galaxy Nexus.

  4. Re:Not to be an apologist for Google, but by finkployd · · Score: 4, Insightful

    Not really an apology for Google though, more of a "here is how Google royally screwed up in their relationships with carriers that Apple and Microsoft seem to have gotten right".

  5. Android Patching by Xinef+Jyinaer · · Score: 3, Insightful

    I don't get how this can make the front page twice. This time TFS has nothing to do with the TFA, but neither is relevant. Google has already patched this; that is what 4.4 is. If you can't get 4.4 pushed to your phone then chances are you are not going to get another patch to this pushed to your phone. At that point, the way Android patches are being pushed, it is entirely out of Google's hands...

    --
    Some days I just get bored and Troll post all the memes I can think of...
  6. Re:Not to be an apologist for Google, but by Lazere · · Score: 5, Insightful

    Alternatively: "Here is how Google royally screwed up writing their OS so that updating even relatively minor parts requires a full OS upgrade, while Apple and Microsoft seem to have figured out how patching works."

  7. To be fair... by Junta · · Score: 3, Insightful

    What are the chances that a vendor that declines to update 4.3 to 4.4 would be willing to do an update for a 4.3.x if Google bothered to do it?

    I think it smells bad, but trying to target users with vendors holding back 4.4 but willing to do another 4.3.x update is tricky. This is why Google moved toward moving stuff in a more modular fashion: to get the ability to update relevant portions without demanding the vendor get in the middle.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  8. Re:Solution: update the browser by maorb · · Score: 3, Insightful

    That solves the browser issue, but many apps (especially those that have in app advertising) remain vulnerable whenever they load an ad. So people using the free versions of many popular apps can still fall victim to this vulnerability.