Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3
MojoKid writes If you're running Android 4.3 or earlier, you're pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers that choose to exploit the security hole. WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected. What's most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn't seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.
Clearly Google has decided that the solution for this problem is to update Android. This is not an unreasonable solution. The problem is fixed, and how you get the fix is well documented.
The problem is when your carrier prevents you from upgrading. Blame for this issue lies solely at the feet of Verizon, AT&T, Sprint, T-Mobile, etc.
Never underestimate the power of stupid people in large groups.
They claim not to have the resources to do maintenance because it's 5 million lines of source code. Gee whiz, how many 100s of millions of lines of source code are there for OSes - and yet they don't get EOLed in a couple of years.
What other bugs (in this and other projects) are going to be labeled WONT_FIX?
The WebView code was originally tied directly to the android version and HW manufactures aren't willing to deploy 4.4 since it would take effort on their part. To avoid this, in the newer versions of android, they have made it so there can be a play store update to fix and replace the webview-like modules so they can regain control of the patching process and not rely on handset companies.
Like everyone else reporting on this story, it completely misses the point -- there's no *point* in Google writing a patch, none of the hardware companies involved would ever bother to deploy it. They have *no* control over that bit of code in your phone unless you're running a Nexus device.
- Michael T. Babcock (Yes, I blog)
Apple and Microsoft control their own update process on all platforms; Google does not. It's the individual carriers who are getting in the way of Android updates.
The explanation I read elsewhere (RTFA quotes from a different interview) sounds a lot like the excuse of some incompetent developers: use trunk or it is not my problem!
If they had developed a small patch for the problem, I'm pretty sure OEMs wouldn't have a problem pushing it to the users.
But it seems they can't because, as with all developers working exclusively in the trunk, they have rewritten everything already several times, and looking at the old stuff is... wew! It's old! It's absolutely horrible! Use a snapshot from the trunk!! We fixed everything!! It's all better!! We promise!! Honestly!!
I think that the users of the default browser are probably doing a lot of other stuff that will compromise security. The advanced users will mostly install a different browser from the Play Store.
I don't get how this can make the front page twice. This time TFS has nothing to do with the TFA, but neither is relevant. Google has already patched this; that is what 4.4 is. If you can't get 4.4 pushed to your phone then chances are you are not going to get another patch to this pushed to your phone. At that point, the way Android patches are being pushed, it is entirely out of Google's hands...
Some days I just get bored and Troll post all the memes I can think of...
You can get an updated browser through Google Play store. Many are available. Using a browser that comes pre-loaded with the OS and to rely on your phone manufacturer/carrier to update it is security risk.
Why all the venom for Google? You don't see Microsoft releasing patches for Windows XP.
Windows XP wasn't released on July 24, 2013.
At best, their excuse can be summarized as "we can fix this for some users, but not all, therefore we are not going to fix it at all".
If it was as easy as deploying an update to an apk through the Play Store, Google would do it. Google DOES do it. System updates are handled by the carrier. We all know damn well that carriers do not have incentives to provide device updates. You should never expect an Android device to receive major version updates. If that's important to you, buy an Apple device, just don't complain about bending.
In short, do your god-damned research before buying that shiny new brick.
The patch is there. 4.4. This doesn't take them off of KitKat, it's the latest version of Kitkat. They've even patched kitkat with other upgrades recently. The hate needs to be directed to the phone manufacturers and phone companies who are not implementing the patch.
What are the chances that a vendor that declines to update 4.3 to 4.4 would be willing to do an update for a 4.3.x if Google bothered to do it?
I think it smells bad, but trying to target users with vendors holding back 4.4 but willing to do another 4.3.x update is tricky. This is why google moved toward moving stuff in a more modular fashion: to get the ability to update relevant portions without demanding the vendor get in the middle.
Money corrupts. Often it's the mentality that "since our competition are jerks, we should be jerks to counter them."
there's no *point* in Google writing a patch, none of the hardware companies involved would ever bother to deploy it.
This has been my experience in the industry as well. I don't see OEMs scrambling to get the latest updates from the chip vendor or from Google. And I see chip vendors who basically abandon support for older chips on newer releases.
I blame Google, OEMs and Vendors for the problem and not really the carriers. While carriers usually want software to be qualified before an update is allowed, there are many carriers with different rules and many phones that are not under contract.
Carriers are less particular about OS updates (patches) than they were a few years ago, and have switched mainly to being worried about OS upgrades. Either because it might cause lots of customer support calls with broken phones or it will cut into their phone sales (they sell phones through 2-year service contracts; you thought they were free?).
After all, you might break something.
But the summary does not. Sheesh.
4.4 is not the "patch". Not only does it contain major redesigns of the software, but it also has different hardware requirements compared to previous 4.x versions.
Except, 4.4 has not been released by the manufacturer (Google) for the Google Galaxy Nexus, so the patch is certainly not "there".
I am sure that Google Project Zero will write a working exploit for this vulnerability and then release it 90 days from now. Oh they won't? I thought that was the responsible thing to do? Maybe some security researcher should help them with this.
Are you being deliberately dense?
Okay, try this.
Windows 7 was released in 2009, and will get security fixes until 2020.
Even Windows Vista (released in 2007 for home) will get security fixes until 2017.
Let's look at phone versions instead:
Windows Phone 7 was released in October 2010 and left support in October 2014.
Windows Phone 8 was released in October 2012 and will be supported until January 2016.
Looks like Windows users are getting a little better support from their supplier.
Oh arse
You missed the point - they haven't updated Ice Cream Sandwich (4.0 - 4.0.4) and Jelly Bean (4.1 - 4.3.1) to fix this problem. Installing 4.4 definitely takes them off their old version, and it's not an option for many (probably most) people.
This "vulnerability" can be completely avoided by installing Firefox or Chrome on your android 4.3 device and using either as the default browser. It's irresponsible of /. to ring the security panic bell without mention of how one can simply neuter the threat.
We can patch it ourselves! Right? Right?!
Why all the venom for Google? You don't see Microsoft releasing patches for Windows XP.
Windows XP wasn't released on July 24, 2013.
And upgrades from Windows XP to Vista/7/8 also weren't free.
But they were at least POSSIBLE, unlike Android upgrades from 4.3 to 4.4 on widely deployed hardware! It can't be called free if you have to buy a new phone to do it.
(Two
If we have a security update that closes an "important" hole, and if a class of customers get ripped off because the hole's not closed - either through not distributing a patch or making the patches O/S available, who's liable? The cell provider? Google? both? Both have deep pockets, but the latter has about the deepest...
All those carriers sell iPhones too and every iPhone is software upgradeable--and has been from day one.
Seems more like an Android problem to me.
Sure it uses some internal components made by other companies, so does the iPhone, so does every consumer product. That's not an excuse to stop supporting a product made by your company.
Does this mean that there now exists a universal root method for all Android <= 4.3? And it won't even be patched. That would be great!
I don't really understand the rage being directed at Google here. They have fixed the issue in new versions of Android. If they back-ported the fix to 4.3 (assuming that's even possible), what would make carriers/manufacturers implement the fix when they already aren't updating the core version? Nothing. And they wouldn't. The carriers/manufacturers have financially abandoned these older models in favor of their new stuff.
People are used to a big brother company controlling everything about a software experience (Apple, Microsoft). The google approach is open. Unfortunately this requires the user to do a little bit of thinking, make an informed choice, and support the right companies with their money.
If it ain't broke, don't fix it.
This is not an unreasonable solution.
What???? It's totally unreasonable for a web-connected but embedded OS.
You become what you hate.
The basic issue isn't Google. It's that even if they patched the issue, phone, tablet and whatnot vendors would still need to issue an update for their devices. Which isn't going to happen for most devices released more than a year ago. The main problem is that the browser came built in with the OS. This sort of issue is one of the reasons Google is slowly moving much of the base Android into packages, so it can issue updates in the Google store without needing a vendor to push an update.
HW vendors are indeed not interested in providing upgrades for HW they no longer sell.
While that is true, it was Google's choice to allow binary device drivers for Android interaction by the vendors.
It is these proprietary device drivers which are preventing initiatives such as CyanogenMod and others from providing a clear upgrade path.
It illustrates the big mistake Google makes in this regard (allowing binary drivers and focusing on Apache licenses).
The position of Google is strong enough to take a stance in the interest of the users (and the world) that all Android drivers should be open-sourced... in that way the users can 'bake their own' and take their own responsibility with respect to upgrades.
The current situation brings the responsibility upon unwilling HW vendors, unwilling providers and ultimately Google.
Sooner or later this is going to blow up into the face of Google because bigger security problems will one day be found!
It's time Google takes a stance for OpenSource software in the interest of the users and the larger common good (certainly now it's completely on par with their own interests)!
They support two prior versions of OS-X and that's it. So OS-X 10.7, released 3 years ago, is unsupported as of October 2014. I guess that works if you have the attitude of just always updating to the latest OS, but it can be an issue for various enterprise setups that prefer to version freeze for longer times, or for 3rd party software/hardware that doesn't get updated. Also can screw you over if Apple decides to change hardware like with the PPC to Intel change.
Why does Google keep getting slammed for being the bad guy for releasing information about vulnerabilities? I read about people finding and publishing vulnerabilities all the time and follow discussions on what is responsible disclosure and nobody but Google gets treated like this.
Yahoo does the 90 days thing too. Most I've seen do a lot less than 90 days before disclosure. I understand worrying about script kiddies, but I'd rather know I have a vulnerability than just blithely hope nobody but Google found it.
The odds are that a lot of this stuff is known long before Yahoo or Google or Secunia or whoever announces it. The three months Google is leaving me vulnerable to the talented hackers makes me a lot more nervous than the people who find out about it in the news.
Google seems to be using "Google Play Services" (a piece of middle-ware downloaded from Google Play) as a way to support newer APIs on older Android versions and make sure apps can run on these older Android builds. Why can't they just put the newer web browser engine into either "Google Play Services" or some other downloadable bit that goes on Google Play and gives all Android users the same browser engine. Good for apps that embed it since they get the same behavior on all Android versions. Good for Google since it only has to maintain one browser engine version and doesn't need to care about older versions anymore. And good for users since they get a better browser experience (and less bugs) even on older Android versions.
But that's precisely one of the reasons why they aren't bothering to patch this; in fully up-to-date Android releases, WebView has been replaced by a Blink component which Google can update via the Play Store, independently of OS updates. Many, many components of Android are like this these days (which is a problem for anyone not wanting Play Services, but that's another story). And actually Apple is a bad example, since they still for many OS components need to update the entire OS, it's just that unlike Google they've retained tight control and thus can push out those updates whenever they want.
We're talking about the unpatched Google Nexus stuck at 4.3, no option to upgrade.
You obviously don't write software for a living. It takes effort to redirect people to an unmaintained code base and have them both write and investigate possible side effects of their patch and then deploy it in a format that's usable by all the manufacturers with devices out there. It's an actual cost to an actual company doing actual business that just isn't worthwhile.
Being an open OS, there's nothing stopping Motorola, Samsung or LG from patching their own versions of 4.3 either, just as they modified it with their UI and other extensions. Feel free to whine to them instead; unless you bought a Nexus device, they sold you the phone, Google didn't.
- Michael T. Babcock (Yes, I blog)
I have a rooted phone running 4.3. I use Chrome for browsing, but realize other apps may use webview and be vulnerable. In fact they make it easy for developers to do so.
http://developer.android.com/g...
I'm wondering if I can simply disable it by deleting/renaming a library or something similar, or will that make the entire OS unstable? I don't care if it breaks apps - those would only be the vulnerable ones anyway. Absent that, it looks like it is possible to remove access from individual apps through their manifest files.
http://developer.android.com/g...
But of course as I said that would break them.
I'm not a developer, but maybe a script that will search out all manifest files (as root of course) and neuter any vulnerable apps by altering them would be useful. Once you know which ones are broken you can set about safely fixing them.
Any thoughts?
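As an added example, not part of the thread and not a Google or Android tool: before breaking anything, a rooted user can at least enumerate which installed apps embed WebView at all. Non-obfuscated Dalvik bytecode keeps framework type descriptors such as `Landroid/webkit/WebView;` as literal strings in `classes*.dex`, so a scan of pulled APKs (assumed to have been copied off the device with `adb pull`) is enough to triage. The APK built inline below is constructed for the demo, not a real app, and the marker list is a heuristic I chose, not an official indicator.

```python
import io
import zipfile
from pathlib import Path

# Heuristic markers: descriptor strings that survive in classes*.dex when an
# app links against the system WebView. Chosen for this example, not official.
WEBVIEW_MARKERS = (
    b"Landroid/webkit/WebView;",
    b"Landroid/webkit/WebViewClient;",
    b"addJavascriptInterface",
)


def scan_apk_bytes(data: bytes) -> dict:
    """Inspect every classes*.dex in an APK (a zip) for WebView markers.

    Multidex apps ship classes2.dex, classes3.dex, ... so all are checked.
    Returns a dict with a boolean verdict and the sorted markers that hit.
    """
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                blob = zf.read(name)
                for marker in WEBVIEW_MARKERS:
                    if marker in blob:
                        found.add(marker.decode())
    return {"uses_webview": bool(found), "markers": sorted(found)}


def scan_directory(path) -> list:
    """Scan all *.apk files in a directory (e.g. pulled from /data/app)."""
    results = []
    for apk in sorted(Path(path).glob("*.apk")):
        report = scan_apk_bytes(apk.read_bytes())
        report["apk"] = apk.name
        results.append(report)
    return results


def build_fake_apk(dex_strings) -> bytes:
    """Construct a minimal fake APK for offline testing (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"binary-xml-placeholder")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0".join(dex_strings))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one app that touches WebView, one that does not.
    sample = build_fake_apk([b"Landroid/webkit/WebView;", b"addJavascriptInterface"])
    clean = build_fake_apk([b"Landroid/app/Activity;"])
    print("sample:", scan_apk_bytes(sample))
    print("clean: ", scan_apk_bytes(clean))
```

This only tells you which apps to worry about; a hit on `addJavascriptInterface` is worth a closer look because that is the bridge that hands page JavaScript a Java object, but the scan cannot tell whether the app loads untrusted content. Apps that obfuscate framework references or load the WebView reflectively will be missed, and apps that never ship a `classes.dex` (pure resource packs) will report clean.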
Issues like this shoot a big hole through BYOD and any consideration of security compliance. You now have a deliberately insecure device with no supported patch available. Good luck with your auditors.
Phones with 512MB can, however, be upgraded to KitKat 4.4, which reduced the minimum required RAM back to 512MB.
which allows Google to extort more license fees
What?
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
I have a Galaxy S1 i9000 which has 384 MB of RAM, running CM11 (KitKat) better than it ever ran Gingerbread. Indeed, it's officially supported by CM11.
Stop gulping down (and propagating) the excuses spewed forth by hardware vendors. Sure, more RAM is better - and the more the merrier - but there is no "can't" in this equation. Hardware vendors are just playing Apple's favorite game: planned obsolescence so you can fork out for another device and toss your current one on the giant ewaste heap to make it the problem of some developing nation so desperate for income they'll take the toxic crap.