Slashdot Mirror


Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3

MojoKid writes If you're running Android 4.3 or earlier, you're pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers that choose to exploit the security hole. WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected. What's most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn't seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.

93 of 579 comments

  1. The solution is obvious by BVis · · Score: 5, Insightful

    Clearly Google has decided that the solution for this problem is to update Android. This is not an unreasonable solution. The problem is fixed, and how you get the fix is well documented.

    The problem is when your carrier prevents you from upgrading. Blame for this issue lies solely at the feet of Verizon, AT&T, Sprint, T-Mobile, etc.

    --
    Never underestimate the power of stupid people in large groups.
    1. Re:The solution is obvious by Mr+D+from+63 · · Score: 4, Informative

      They also state that the vulnerability can be easily avoided just by using an updated browser.

    2. Re:The solution is obvious by alen · · Score: 2

      how is apple able to upgrade their phones for like 5 years and Scamsung, LG and HTC cannot?

    3. Re:The solution is obvious by rot26 · · Score: 3, Insightful

      My widely distributed product has been discovered to have a serious security flaw affecting millions of users. I have fixed this but it requires you to get your congressman to fetch it for you and have his staff install it. It's not MY fault if you can't convince your congressman to do this, it's HIS fault, and if you suffer, that's just too bad. Take it up at the voting booth.

      --
      To ensure perfect aim, shoot first and call whatever you hit the target
    4. Re:The solution is obvious by Anonymous Coward · · Score: 3, Insightful

      That's fucking comical. Google knows very well what the situation with the carriers and OEMs is, they are just as culpable in this mess. If Microsoft or Apple pulled some shit like this the tech blog sphere would implode from the density of the rage. All is forgiven for Glorious Google-sama however!

    5. Re:The solution is obvious by soft_guy · · Score: 4, Insightful

      Apple tries to control as much as they can on their platforms. Other platforms like Android and Windows take an approach of sharing responsibility for the overall quality between several different companies who can each point at each other and say "not it!" when a problem arises.

      --
      Avoid Missing Ball for High Score
    6. Re:The solution is obvious by Anonymous Coward · · Score: 5, Informative

      The webview control is also used internally by many apps, so you can't really avoid it. Google is pulling an "XP" here, except they're abandoning software that hasn't even been in the market for two full years.

    7. Re:The solution is obvious by Black.Shuck · · Score: 5, Insightful

      how is apple able to upgrade their phones for like 5 years and Scamsung, LG and HTC cannot?

      Apple is comparatively disciplined, releasing about one new phone a year, and hardware and software are under their full control.

      Together, the others release dozens, and different companies share different responsibilities. Nice for consumer choice, but not so nice for support, since nobody wants to maintain a software stack nor wrestle with the politics involved in updating so many different devices.

    8. Re:The solution is obvious by jgtg32a · · Score: 4, Informative

      Android 4.3 was released July 24, 2013

    9. Re:The solution is obvious by fateblossom · · Score: 2

      It's not just carriers. It's also manufacturers. In Europe it's common to buy phones off contract, but they are not upgraded either.

      So the manufacturers are also to blame. And I often think that it's the manufacturers' fault, and not the carrier's. For why else would they not make the updates for the rest of the world?

    10. Re:The solution is obvious by Lazere · · Score: 5, Insightful

      I disagree. Microsoft not supporting XP and Google not supporting 4.3 are two completely different things. 4.3, despite being two major versions ago, was released less than two years ago. If Microsoft or Apple stopped supporting an OS version after less than two years, there would be hell to pay. Why does Google get a pass just because they have a fast versioning scheme?

    11. Re:The solution is obvious by mdielmann · · Score: 5, Interesting

      Exactly. I wouldn't blame Google for this, the problem lies with the carriers not upgrading their fleet of phones. Android is now 3 major version releases past 4.3. Would you really expect Microsoft to continue to support Windows XP anymore? They don't, unless business is willing to shell out big bucks for added support.

      Carriers should really be to blame.

      Two key differences. First, XP came out in 2001. Second, XP support ended last year. But to be fair, I'd be happy if Google would support their OS for even half that long. So, where is that support for Android 1.1?

      Realistically, support should last at least as long as the longest contract in the countries their product is used in. If you went with the standard of a 3-year contract (I think there are 4-year contracts, but I'm certain my carrier has 3-year contracts), that would still leave the later releases of Ice Cream Sandwich (4.0) under support. Face it, their Android OS support is abysmal.

      --
      Sure I'm paranoid, but am I paranoid enough?
    12. Re:The solution is obvious by Munchr · · Score: 4, Insightful

      No, the carriers made up this system, and it existed long before Android entered the market. Symbian OS, Windows Phone, and Android are all affected. Apple managed to get AT&T to agree to allow Apple to control when and how updates to the iPhone are provided as part of the initial AT&T exclusive partnership agreement for the original iPhone. Every carrier since AT&T has had to agree to the same provision regarding Apple's control, or they don't get the iPhone. I'm not aware of ANY other phone manufacturer that has managed that feat before or since, without being forced to sell their phones directly to the public as carrier free/unlocked phones as Nokia did with the n900.

    13. Re:The solution is obvious by Noah+Haders · · Score: 3, Informative

      Google created the rules of the AOSP and the OHA. they could have set a rule about phone upgrades, but decided they would get faster market share growth if they let that one slide. now they are paying the price. actually, the users are paying the price, google still has its market share so they feel good about it.

    14. Re:The solution is obvious by Asmodae · · Score: 2

      It sounds like you've entered full snark mode here. To make the analogy complete you must include the fact that congress passed a law making them the only ones able to push out an update. It's been said before, even if Google did write a patch how do you propose they actually get it onto the vulnerable devices?

    15. Re:The solution is obvious by prelelat · · Score: 2

      It's a bit different though, isn't it? Updating versions on your phone is more like upgrading to the newest service pack instead of buying a new OS. The OS is available for anyone to grab free of charge, updated, patched and with new features even. Free of charge.

      That's not the same as letting support of XP die, and quite frankly I had no problem with it in the first place. That OS is decades old now, and the people bitching about security holes were most likely using it for custom software that was probably just as buggy as the OS at that point. I know first hand it can be hard to get custom software companies to update their software, but it's not Microsoft's fault either.

      If the people who take Android and put it on phones are unwilling to release updates for it, that's the vendor's fault. They take Android and fork it to suit them, then don't bother updating it when a new version comes out. That's how open source software works when you think about it. The main distro is out there free for the taking. Vendors take it and fork it how they see fit; it is no longer the main channel's responsibility.

      If we have a problem with this, we are really talking about having a problem with open source software. Then we can discuss the other issue, which is when do we cancel support on outdated versions?

    16. Re:The solution is obvious by BVis · · Score: 2

      They're not "responsible" for updating the OS on their customers' phones. The customer can update the OS... IF the carrier will let them. OS changes are locked out on most under-contract Android phones.

      --
      Never underestimate the power of stupid people in large groups.
    17. Re:The solution is obvious by Tablizer · · Score: 2, Insightful

      how is apple able to upgrade their phones for like 5 years and Scamsung, LG and HTC cannot?

      Perhaps you really do get what you pay for.

    18. Re:The solution is obvious by gstoddart · · Score: 2

      Apple abandoned the original iPad in under 2.5 years.

      It's not like they don't do it either.

      Companies expect you to buy the new hotness all the time, and stop expending resources on older platforms.

      Because, after all, they only give a shit about you for as long as it takes to get your money. And then you're just someone who doesn't matter to them.

      --
      Lost at C:>. Found at C.
    19. Re:The solution is obvious by BVis · · Score: 4, Insightful

      So because Google didn't specifically forbid something, and the carriers went ahead and did it not because it was a good idea, but because fuck the customer, that's Google's fault? If I don't specifically tell someone to look both ways before crossing the street, is it my fault when they don't and get hit by a bus?

      The carriers are the bad actors here. Google had a bug in their product, and they have fixed it. The carriers are the ones not allowing their customers to install the fixed version.

      --
      Never underestimate the power of stupid people in large groups.
    20. Re:The solution is obvious by dumfrac · · Score: 3, Informative

      The *Google* Galaxy Nexus was created by... wait for it... GOOGLE. It runs stock Android. _Google_ has certainly NOT fixed their product.

    21. Re:The solution is obvious by Noah+Haders · · Score: 2

      then why would google let someone into the OHA if they're not willing to patch critical vulnerabilities in their phones? If I were in charge and I cared about the customers I would throw somebody out of the OHA for that nonsense.

    22. Re:The solution is obvious by oodaloop · · Score: 2

      Why would they bother to fix it if the carriers aren't going to deploy the fix? Again, this isn't on Google, but on the carriers.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    23. Re:The solution is obvious by the_B0fh · · Score: 3, Insightful

      Why wouldn't you blame Google for this? Google explicitly said they are not updating the code. Since the carriers depend on Google to provide the code, how are they not culpable?

      And the "oh, 5 million lines of code, I don't know where to look" is damned weak sauce. Debian back ports security patches all the time.

    24. Re:The solution is obvious by TechyImmigrant · · Score: 2

      Google aren't manufacturing and selling the phones to the carriers. The manufacturer is.

      The phones that Google manufactures are generally updated in a timely fashion.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    25. Re:The solution is obvious by Karlt1 · · Score: 4, Informative

      Apple abandoned the original iPad in under 2.5 years.

      But on the other hand, Apple released a security patch for the iPhone 3GS - released in 2009 -- last February.

      The iPad 2 released mid-2011 can still run the latest OS.

    26. Re:The solution is obvious by Anonymous Coward · · Score: 5, Informative

      Except that the hardware requirements for Android have advanced for each new release. Specifically, phones with 512MB of RAM or less cannot be upgraded to Jelly Bean.

    27. Re:The solution is obvious by Geordish · · Score: 3, Informative

      No, blame for this is on Google, because Android is designed as a firmware but marketed as an operating system. An operating system would get updates without requiring a complete wipe and reinstallation.

      My current phone has got updates from KitKat to Lollipop without a wipe and reinstallation. As have all my previous Android phones from one version to another. I'm unsure what you are getting at here...

      Android has a huge attack surface and still completely lacks ways to fix bugs except by abandoning entire "OS" versions.

      Not true. Google has a way to patch parts of the operating system on older versions using play services:

      http://arstechnica.com/gadgets...

    28. Re:The solution is obvious by fateblossom · · Score: 2

      And yet there is no update.
      If it was only the carriers' fault then there would be upgrades for the phones that were not carrier locked.
      That is why I say that the manufacturers are also to blame. And most of the time only them.

      If the manufacturers made upgrades and released them to all the phones that were unlocked at carriers that would allow an upgrade, then the carriers that would not allow upgrades would get angry customers. And a chance to lose them if they had a choice to pick someone that would allow upgrades/updates.

    29. Re:The solution is obvious by BVis · · Score: 2

      You could shorten that to "Buy unlocked". I am not aware of any major carrier in the USA that does not lock down their Android phones. There is no incentive to fix bad behavior when everyone else is doing it as well. See: car sales.

      --
      Never underestimate the power of stupid people in large groups.
    30. Re:The solution is obvious by CastrTroy · · Score: 4, Insightful

      Isn't this basically what Microsoft does with Windows, or what Linux does. One code base that runs on all kinds of machines. And we still expect them to get vulnerabilities fixed. I could understand if it was a bug with some kind of driver that communicated with the cellular radio or other piece of hardware. Then it would be up to the manufacturer or carrier to fix the bug. But this is a bug in something that has nothing to do with the hardware that it is running on. There should be a more reliable way for bugs to get fixed on Android without going through multiple entities, some of which would just rather you buy new hardware. Imagine if you had to go through Dell, HP, or Acer every time you needed something fixed in Windows. It would be a disaster. But that's exactly what the state of affairs is with Android. I'm due for a new phone soon. I can't afford an iPhone, and my previous phone was Android, but I seriously got burned on updates. I've been considering Windows Phone, but their app selection is quite poor. I find that the current state of affairs with phone operating systems to be quite terrible.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    31. Re:The solution is obvious by bondsbw · · Score: 4, Informative

      2.5 years is pretty good compared with many Android devices. My wife and I have owned 4 Android devices between us, and none of them received updates even 2 years after their initial release date.

      Also I suspect you picked on the first iPad because it was the worst. I can't recall any mainstream Apple product that was supported for less time. Many of them are supported for 4 years or more.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    32. Re:The solution is obvious by dinfinity · · Score: 2

      Yeah, that can't be right.
      A WebView can be used in pretty much any app. It may or may not be vulnerable, depending on whether certain features of the WebView are used, but a WebView has the potential to be the core of a complete (vulnerable) browser in any app.

      More info on this matter here: https://community.rapid7.com/c...

      My guess (or hope, maybe) is that Google is responding the way they are to strongarm the handset manufacturers into (allowing) properly updating Android on their older products. A sort of 'this shit has been going on long enough: take some fucking responsibility for your products'. Either that or they really see no realistic way to fix this.
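      Two comments above make the same practical point: the WebView control is embedded in many apps (comment 6), and whether a given app is exposed depends on how it uses the control (comment 32), while an updated standalone browser avoids the issue (comment 1.1). The following is an added illustration of the app-side mitigation that follows from that, not code from the thread, from Google, or from any project mentioned here. It assumes the summary's claim that only the Chromium-based WebView shipped from Android 4.4 (KitKat) on is unaffected, and uses the standard Android `Build.VERSION` check and `ACTION_VIEW` intent; the class and method names are the example's own.

```java
// Added example (not from the Slashdot thread or any project it mentions).
// Routes untrusted remote URLs away from the legacy (pre-KitKat) WebView and
// into the user's separately updatable browser instead, so an app does not
// become the "complete (vulnerable) browser" comment 32 warns about.
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.webkit.WebView;

public final class SafeWebContent {
    private SafeWebContent() {}

    /**
     * True when the device ships the Chromium-based WebView (Android 4.4 and
     * later, per the article summary); false on 4.3 and earlier.
     */
    public static boolean hasChromiumWebView() {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT;
    }

    /**
     * Loads untrusted content in the in-app WebView only on devices with the
     * Chromium-based WebView. On older devices the URL is handed to the user's
     * default browser, which can be updated independently of the OS image.
     * Returns true if the in-app WebView was used, false if the URL was
     * delegated to an external browser.
     */
    public static boolean loadUntrusted(Context ctx, WebView view, String url) {
        if (hasChromiumWebView()) {
            view.loadUrl(url);
            return true;
        }
        Intent open = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
        open.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        // Only delegate if some browser is installed to handle the URL;
        // otherwise fail closed rather than fall back to the legacy WebView.
        if (open.resolveActivity(ctx.getPackageManager()) != null) {
            ctx.startActivity(open);
        }
        return false;
    }
}
```

      The design choice is to fail closed: on a pre-KitKat device with no browser installed the content is simply not rendered, rather than silently loaded into the legacy control. Content the app bundles itself and fully controls can still use the WebView on any version; the gate is only for URLs the app does not trust.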

    33. Re:The solution is obvious by bondsbw · · Score: 4, Interesting

      It would be a major improvement if Android products were supported for even 2 year contract periods.

      Google should require manufacturers to provide all Android updates for 2 years minimum and 2 minor versions minimum, and security updates for those minor versions for 4 years minimum.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    34. Re:The solution is obvious by gnupun · · Score: 2, Insightful

      No, it's your hardware provider that is your problem, not Google.

      Do you update your Windows/Linux/OSX PC/laptop from the OS vendor or the company that sold you the hardware? It's almost always the OS vendor. A PC/laptop is very similar to a smartphone, except the latter is smaller. Google's model of pushing updates through the hardware vendor is utterly stupid and adds an extra unnecessary middleman to the process.

      Contact your hardware provider and bitch to them, not Google.

      Why can't google's patch fix the issue? Is there a different kernel for each android phone so that different patches are needed for each phone?

    35. Re:The solution is obvious by Dixie_Flatline · · Score: 4, Interesting

      Apple released a security patch for iOS 6 when that SSL vulnerability was found. It was a deprecated OS running on a MINORITY of Apple phones and they issued an update anyway. (http://support.apple.com/en-ca/HT202920)

      Why are so many people excited to give Google a pass over this? Support your customers or don't, but be up front about how long they're going to get to see updates. If you're going to drop security support after 18 months, at least let everyone know so they can make an informed decision.

    36. Re:The solution is obvious by KlomDark · · Score: 3, Funny

      But 512 megs should be enough for ANYBODY...

    37. Re:The solution is obvious by Anonymous Coward · · Score: 3, Informative

      Google has stopped patching Android 4.3 and lower. Instead they want you to upgrade the OS, and they don't give a rat's ass whether that is actually possible. How is that not worse than pulling an XP, considering that Android 4.3 was the latest version just seven months ago?

    38. Re:The solution is obvious by Cardcaptor_RLH85 · · Score: 2

      You do know why the Galaxy Nexus isn't being supported anymore, right? It has a TI OMAP processor and TI decided to stop supporting their CPUs when they stopped manufacturing them. Me (and the toroplus I'm using to listen to music right now) don't really like it much, but without support from the processor manufacturer to optimize drivers you can end up with a suboptimal experience. I'm using a 4.4 ROM right now and it's just not as fast as the last 4.3 update.

    39. Re:The solution is obvious by mrbester · · Score: 2

      Six of one, half a dozen of the other. As slow as carriers are to roll out updates (and sometimes never, but at least the end user gets told that), if Google doesn't provide it in the first place they aren't going to do it themselves.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    40. Re:The solution is obvious by c · · Score: 3, Interesting

      Why does Google get a pass just because they have a fast versioning scheme?

      Largely because everyone with a clue knows that 99.999% of devices still running Android 4.3.x which haven't been upgraded to 4.4.x have approximately 0.00000 probability of being updated to 4.3.(x+1) even if Google were to make a patch available.

      Whether they "support" 4.3 for two days, two years or two decades at this point is largely irrelevant. If you have no means to get a patch to the people affected by the problem and you're going to get criticized irrespective of whether or not you try, then why waste the resources?

      And it's pretty darn obvious from what Google's been doing in the last few years that this is not a situation that Google is happy with, nor is it a situation they could reasonably do much more about.

      --
      Log in or piss off.
    41. Re:The solution is obvious by Tran · · Score: 5, Insightful

      Well, unlike the wireless phone companies, there were no vendors for the PCs that insist on putting their hands on the OS to customize the Android experience (mostly to detrimental effect, in my experience). So yes, Verizon, T-Mobile are on the hook for this one.

      My plain vanilla Nexus 4 is still running fine with the latest and greatest, well latest, OS from Google. It is just starting to take some performance hits as compared to when it first came out.

    42. Re:The solution is obvious by TsuruchiBrian · · Score: 3, Insightful

      This is a bad example. You don't get all your drivers from the OS vendor. Google publishes the OS images to the public. The problem is that you can't use them if your hardware vendor has not yet made their drivers compatible with the new version of the OS.

      Microsoft doesn't package every driver from every hardware vendor with its OS. If your hardware vendor doesn't provide a driver for Windows then that's not Microsoft's fault.

      Furthermore, if you really want updates ASAP, you can get a Nexus phone and be the first to receive them directly from Google.

    43. Re:The solution is obvious by tlhIngan · · Score: 5, Interesting

      Together, the others release dozens, and different companies share different responsibilities. Nice for consumer choice, but not so nice for support, since nobody wants to maintain a software stack nor wrestle with the politics involved in updating so many different devices.

      You're off by an order of magnitude.

      Samsung, in 2014, released about 3 smartphones per week. Yes, they have over 150 smartphones released in 2014. Tablet wise, I think it was over 1 tablet a week (it was over 50 around October).

      It seems a lot of Android manufacturers see Android more as a "fire and forget" style of releases - just get a version of Android, stick it on, sell it, move on.

      I mean, supporting 200 brand new Android devices (ignoring 2013 releases and prior) ...

    44. Re:The solution is obvious by gnupun · · Score: 3, Informative

      This is a bad example.

      It's a valid example: a smartphone is just a shrunk down PC/laptop.

      You don't get all your drivers from the OS vendor.

      True, but we do get OS updates from only one vendor: the OS vendor. If there's a driver bug or hardware bug, we get the driver update from the hardware vendor. This is not a hardware/hardware driver bug, so the update must come from the OS vendor, google.

      The problem is that you can't use them if your hardware vendor has not yet made their drivers compatible with the new version of the OS.

      What does a pure software component, WebView, have anything to do with hardware drivers? Nothing. Your argument is baseless.

    45. Re:The solution is obvious by Anonymous Coward · · Score: 5, Informative

      No, they just don't give a shit like any other massive software company. My 1 year old Post-Google Moto phone will never see an official 4.4/5.0 release. Clearly they just can't be fucked to try.

    46. Re:The solution is obvious by sexconker · · Score: 2, Interesting

      The updates are NOT free. Android is NOT free.
      You have to PAY to get access to Android source code. You pay more if you want the newer versions. You have to agree to shit like bundling Google's apps and store (which now also cost money separate from Android itself) or guaranteeing a "flagship" phone launch with expected sales of X within a certain time frame if you want access to the latest builds.

      Even if Android was actually free, there are plenty of costs associated with pushing out an update. You've got to make sure the new version runs on the old devices (it won't). Then you've got to do QA. Then you've got to push the update out to the carriers. Then the carriers have to do their own validating. Then the carriers have to push it out.

      Then people have to accept the update.

      Google is the pot calling the granite counter top of Microsoft black.

    47. Re:The solution is obvious by sexconker · · Score: 2, Interesting

      Except that google isn't charging for their new software.

      Yes they fucking are. Android is not free. Android is not open source. AOSP is not Android.
      If you are an OEM and you want the latest version of Android you pay money and agree to bundle Google's apps and store (which cost more money) into a "flagship" phone that will launch within a certain time frame and is expected to sell some minimum number of units and will be heavily advertised as running Android X.Y Whatever Candy.

    48. Re:The solution is obvious by paulatz · · Score: 2

      I've got an HTC ONE-S, that was not dirt cheap at all, and I love it: small, lightweight, nice screen, fast. But, shortly after I bought it, HTC went back on their promise to update it at least one major version. So now I'm fucked.

      I have three choices: 1) stop using a perfectly good phone that I like, but is basically a portable danger until I get my data stolen by some Russian mofo; 2) throw away a perfectly good phone; 3) sue HTC for selling an unsafe device, and spend all my money for a very dubious outcome.

      --
      this post contain no useful information, no need to mod it down
    49. Re:The solution is obvious by AmiMoJo · · Score: 2

      That seems like a strange limitation. I have an old Galaxy S with 394MB of RAM and it runs KitKat via Cyanogen really well. It's quite smooth and usable, more so than it ever was in fact.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    50. Re:The solution is obvious by Anne+Thwacks · · Score: 2

      However, if this security failing leads to a major loss of money or privacy for Android users, I suspect Google could be on the receiving end of a multi-gazillion dollar class action.

      And so could the handset manufacturers.

      This is going to be so big, the lawyers won't bother laughing all the way to the bank - the banks will come to them.

      --
      Sent from my ASR33 using ASCII
    51. Re:The solution is obvious by AmiMoJo · · Score: 4, Insightful

      Download the Android source from the official site for free: https://source.android.com/sou...

      You might be thinking of the Play store and other Google apps, which as you say are not free. You can download and install them for free as a user, but if you want to ship them pre-installed on a device then there are licence agreements. Nothing in those agreements about having to launch a flagship phone or nonsense like that... Android is winning because it is available on everything from low cost low end devices to the very top tier hardware.

      As for the costs, Cyanogen seems to prove that they can be pretty low. They support a lot of devices with very little funding to do so, partly because they are open source and rely on volunteers. Some companies pay them for support, which seems like a reasonable way to do long term updates.

      You should never buy a phone from a carrier. Always get it unbranded and unlocked.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    52. Re:The solution is obvious by AmiMoJo · · Score: 2

      AOSP is Android. You can run something like Cyanogen or any number of AOSP based distros with no Google software at all and have a fully functional phone. The Android OS is free.

      You are confusing the OS with the Google apps like Gmail and the Play store. If you don't want them, there are open source alternatives available. Cyanogen doesn't ship with any Google apps by default, you have to download and install them yourself manually.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    53. Re:The solution is obvious by AmiMoJo · · Score: 2

      It's not 150 smartphones a year, it's 150 distinct models. Often the only difference between models is the default language, or some minor variation in the case (far eastern models usually have a place to attach a strap, western models don't, but otherwise the hardware is identical). Often it's just a different modem driver to support different regions' LTE, that kind of thing. The core software is the same, and sure enough when they do release updates they tend to be for all models in a family at once.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    54. Re:The solution is obvious by Chas · · Score: 2

      No, it's your hardware provider that is your problem, not Google.

      Wrong. It's not up to Samsung what's installed on my Galaxy S4.

      The "updates" are FREE, there's zero reason not to be on the current release.

      Wrong. If my wireless provider doesn't release an update, I'm shit out of luck unless I want to root my phone, which voids my warranty and can negate my service contract. It'd also piss off my employer, as they're the ones supplying the phone and service and we have a contractual obligation with them NOT to root the phone.

      Contact your hardware provider and bitch to them, not Google.

      Again, the hardware provider isn't the one who controls this situation.

      --
      Chas - The one, the only.
      THANK GOD!!!
    55. Re:The solution is obvious by Ramze · · Score: 2, Interesting

      " a smartphone is just a shrunk down PC/laptop."

      No. It isn't. Seriously. PC/Laptop CPUs are all either x86 or i64 (mostly i64) compatible and standardized. The various modified ARM versions in mobiles are not. ARM tech is licensed and various core manufacturers make their own changes - but also, there are ARM4, ARM5, ARM6, ARM7, and ARM8 based CPUs out there with incompatible binaries. MS and Apple just compile once and go (Though Apple compiles for A5, etc for tablets and MS compiles for 32 bit and 64 bit)- but you have to compile for each architecture for various devices running Android. In fact, it's smarter for the manufacturer to compile it specifically for the configuration they created - as well as enabling/disabling features to optimize memory, speed, etc. Manufacturers also may have to recompile any other binaries/drivers to inter-operate with the updated code.

      Also, MS and Apple have standardized OSes. Android is not - it's a base for the manufacturers and carriers to modify. Because it's modified, it's up to the manufacturer who made the modifications to update the systems to be compatible. It simply is not possible for Google to maintain a list of all manufacturers' various hardware and software modifications for each device produced (assuming manufacturers would even give them that info).

      "What does a pure software component, WebView, have anything to do with hardware drivers? Nothing."

      Now, here is where you have a solid argument. Google could release a patch for each Android version affected rather than require an upgrade to a new Android version to resolve the issue. That's not an unreasonable request for maintenance on 2 year old software. Even then, it would be up to the manufacturers to compile and test the code for their devices, then to release it.

      I'm not sure there's much of an argument if the devices could be upgraded instead of patched. MOST of them can be upgraded to Android 5 - it was designed to have a smaller footprint so that even older devices that couldn't take previous updates could upgrade to 5. Either way, it'd be the device manufacturers' responsibility to test and push out the update.

      Your device manufacturer chose the hardware configuration, modified the OS, and accepted responsibility for supporting the hardware AND software updates for the device. That's why it's their fault and not Google's. Android 5 can be run with few modifications on practically any device that could run Android 4 (ice cream sandwich) which came out 3 or 4 years ago. There's no reason each and every device manufacturer couldn't recompile from source, test, and push out the very latest Android to just about every device out there. Why haven't they? Because they don't care about long term support. They are in the business of selling you a NEW device, not maintaining your old one beyond a reasonable time for them not to be sued.

      Want to blame someone? Manufacturer FIRST, then Carrier, then Google. Google's done their part IMHO by releasing free fully patched OSes for the manufacturer. It's not their fault if the manufacturer refuses to compile, test, and push out the updates (with their carriers' blessings) which they accepted full responsibility for doing.


    56. Re:The solution is obvious by Dixie_Flatline · · Score: 2

      You're talking like Google's a minority player in this deal. Google's the big dog here. Google dictates terms, and this one isn't so onerous. They patch the OS and they send the patch to a bunch of handset makers. They integrate the patch and push the update. This isn't a fundamental system overhaul, it's a bug fix. Unless the phones are incapable of receiving an update at all, they should be able to get this no problem. If there are costs, Google can offer to defray them. This is about building a brand and taking care of your customers. All this is doing is further pushing the perception that Apple takes care of its customers and Google and its partners don't. Samsung is the only one that could theoretically afford to turn Google down because they could switch to Tizen, but they're getting drubbed by Apple at the top end and Xiaomi at the bottom; I don't think they're in a position to make a fuss.

      But if that's what they want, that's fine--I'm an Apple shareholder (20 whole shares!) and that just makes my stock more valuable. And I own an iPhone and will continue to buy them. Whenever I look at Android, one of my big concerns is how long I'll get updates. If this is the sort of thing I can expect--buy a new phone for the latest security patch--I'll continue paying $700 for an iPhone and getting updates for 4+ years, thanks. I'm sure I'm not the only one.

    57. Re:The solution is obvious by BVis · · Score: 2

      Obvious troll is obvious. Grind your axe somewhere else.

      --
      Never underestimate the power of stupid people in large groups.
    58. Re:The solution is obvious by ShieldW0lf · · Score: 2

      Bullshit.

      Google are a highly effective propaganda company.

      But, as providers of a platform for developers, they are absolutely horrible. Writing software for their "platform" is like building a house on quicksand.

      They make me look back on the time spent developing for Microsofts products with fondness.

      --
      -1 Uncomfortable Truth
  2. Their excuse sucks by BarbaraHudson · · Score: 3, Insightful

    They claim not to have the resources to do maintenance because it's 5 million lines of source code. Gee whiz, how many 100s of millions of lines of source code are there for OSes - and yet they don't get EOLed in a couple of years.

    What other bugs (in this and other projects) are going to be labelled WONT_FIX?

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    1. Re:Their excuse sucks by BarbaraHudson · · Score: 2

      It was fixed. It is fixed... in Android 4.4. Android 4.4 is a free update. People don't have the patch because carriers don't patch 2 year old phones.

      And this is a problem with the current android ecosystem.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    2. Re:Their excuse sucks by dumfrac · · Score: 2

      NO. It is certainly NOT fixed. The Google Galaxy Nexus is a product created by Google. It runs stock Android, and Google has not released 4.4 for the *Google* Galaxy Nexus. Don't claim that Google has released a fix.

    3. Re:Their excuse sucks by monkeyzoo · · Score: 2, Informative

      The "excuse" was omitted in the Slashdot post...

      Here it is verbatim from Google on January 12:
      "If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch."

      That's not even a reason. It's a meaningless restatement of the question:
      "Why are you not developing a patch for 4.3?"
      "Because 4.3 is before 4.4. Thank you for your question. That's all the time we have."

    4. Re:Their excuse sucks by mrbester · · Score: 2

      It's worse than that. They are saying that if you don't submit a patch with your bug report then you can fuck off, because they don't care. Even if you do submit a patch they'll only "consider" it, meaning when they feel like getting around to it. Which will be never, because *they don't care*.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    5. Re:Their excuse sucks by meta-monkey · · Score: 3, Funny

      I'm eagerly awaiting the inclusion of WebKit in systemd.

      --
      We don't have a state-run media we have a media-run state.
  3. Article misses the point by Anonymous Coward · · Score: 5, Informative

    The WebView code was originally tied directly to the Android version and HW manufacturers aren't willing to deploy 4.4 since it would take effort on their part. To avoid this, in the newer versions of Android, they have made it so there can be a Play Store update to fix and replace the WebView-like modules so they can regain control of the patching process and not rely on handset companies.

    1. Re:Article misses the point by ThePhilips · · Score: 3, Interesting

      The WebView code was originally tied directly to the Android version and HW manufacturers aren't willing to deploy 4.4 since it would take effort on their part.

      4.4 changed WebView and that broke a number of apps.

      And not simply broke. Google has removed a sizable chunk of WebView functionality because it is not really WebView anymore, it is a small Chrome browser window, and the features everybody was relying upon were never part of Chrome and as such... tough luck.

      From a company with the resources of Google, lame excuses like that are just unacceptable.

      --
      All hope abandon ye who enter here.
  4. Nice troll by MikeBabcock · · Score: 4, Insightful

    Like everyone else reporting on this story, it completely misses the point -- there's no *point* in Google writing a patch, none of the hardware companies involved would ever bother to deploy it. They have *no* control over that bit of code in your phone unless you're running a Nexus device.

    --
    - Michael T. Babcock (Yes, I blog)
    1. Re:Nice troll by Godai · · Score: 4, Insightful

      Also a point that gets largely glossed over is that this only affects apps that use Webview as a widget -- browser apps like Chrome or Opera aren't affected because they've updated themselves to use Chromium (or something else). This may affect 60% of Android users, but what percentage of those are using the browser inside an app to visit random sketchy websites? I'm guessing the actual user base at risk is quite small.

      The way this is reported it sounds like if you use Chrome on anything south of 4.4, you're IN GRAVE MORTAL DANGER OF TEH HACKZ.

      --
      Wood Shavings!
      - Godai
    2. Re:Nice troll by OhPlz · · Score: 4, Interesting

      I have a Google Nexus. 4.3 is the last version supporting my phone. The phone does everything I need it to, so I don't want to waste money on a newer one. I think this is a blatant attempt to force people to buy newer phones. All their craplets get updated, but not the Android OS.

    3. Re:Nice troll by dumfrac · · Score: 3, Insightful

      (Not the OP here.) I presume that it is the Google Galaxy Nexus. Google has not made 4.4 available for the Google Galaxy Nexus.

    4. Re:Nice troll by ganjadude · · Score: 2

      Believe it or not, the FB app used to open Chrome by default for me. In a recent update it now goes through an internal browser in the FB app. So it seems they went backwards.

      --
      have you seen my sig? there are many others like it but none that are the same
  5. Not to be an apologist for Google, but by NoNonAlphaCharsHere · · Score: 4, Informative

    Apple and Microsoft control their own update process on all platforms; Google does not. It's the individual carriers who are getting in the way of Android updates.

    1. Re:Not to be an apologist for Google, but by finkployd · · Score: 4, Insightful

      Not really an apology for Google though, more of a "here is how Google royally screwed up in their relationships with carriers that Apple and Microsoft seem to have gotten right".

    2. Re:Not to be an apologist for Google, but by Noah+Haders · · Score: 2

      Apple and Microsoft control their own update process on all platforms; Google does not. It's the individual carriers who are getting in the way of Android updates.

      Google set it up this way. According to the Google Play dashboard, 61% of people are on v4.3 or lower. You know that 90% of them will never update. And the Google Play store only counts phones that visit the service; imagine the tens of millions of "grandma's phone" people who use an Android because that is the default cheap phone, without making use of the Play Store. Sounds like a basket of fail to me.

      https://developer.android.com/...

    3. Re:Not to be an apologist for Google, but by Lazere · · Score: 5, Insightful

      Alternatively; "Here is how Google royally screwed up writing their OS so that updating even relatively minor parts requires a full OS upgrade while Apple and Microsoft seem to have figured out how patching works."

    4. Re:Not to be an apologist for Google, but by finkployd · · Score: 2

      Also a fair point. I cannot believe it is 2015 and Google still hasn't figured this out.

    5. Re:Not to be an apologist for Google, but by Rick+Zeman · · Score: 2

      Apple and Microsoft control their own update process on all platforms; Google does not. It's the individual carriers who are getting in the way of Android updates.

      And who entered into the contracts with carriers saying who is responsible for what? Google can't dodge some form of culpability for this.

  6. Use trunk or it is not my problem. by ThePhilips · · Score: 2, Interesting

    The explanation I read elsewhere (RTFA quotes from a different interview) sounds a lot like the excuse of some incompetent developers: use trunk or it is not my problem!

    If they had developed a small patch for the problem, I'm pretty sure OEMs wouldn't have a problem pushing it to the users.

    But it seems they can't because, like all developers working exclusively in the trunk, they have rewritten everything already several times, and looking at the old stuff is... wew! It's old! It's absolutely horrible! Use a snapshot from the trunk!! We fixed everything!! It's all better!! We promise!! Honestly!!

    --
    All hope abandon ye who enter here.
  7. Totally agree by isafbma · · Score: 2

    I think that the users of the default browser are probably doing a lot of other stuff that will compromise security. The advanced users will mostly install a different browser from the Play Store.

  8. Android Patching by Xinef+Jyinaer · · Score: 3, Insightful

    I don't get how this can make the front page twice. This time TFS has nothing to do with TFA, but neither is relevant. Google has already patched this; that is what 4.4 is. If you can't get 4.4 pushed to your phone then chances are you are not going to get another patch to this pushed to your phone. At that point, the way Android patches are being pushed, it is entirely out of Google's hands...

    --
    Some days I just get bored and Troll post all the memes I can think of...
  9. Solution: update the browser by danbob999 · · Score: 3, Informative

    You can get an updated browser through the Google Play store. Many are available. Using a browser that comes pre-loaded with the OS and relying on your phone manufacturer/carrier to update it is a security risk.

    1. Re:Solution: update the browser by maorb · · Score: 3, Insightful

      That solves the browser issue, but many apps (especially those that have in app advertising) remain vulnerable whenever they load an ad. So people using the free versions of many popular apps can still fall victim to this vulnerability.
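
      An added example of the check an app developer could apply to the point above; it is not code from the original thread or from any of the apps discussed. It assumes an Android app that renders third-party ad content in a WebView; the class AdWebViewHelper and the method loadAdSafely are hypothetical names. On a device whose system WebView predates KitKat (and so will not be patched), the URL is handed to the user's default browser, which can be updated from the Play Store, instead of being rendered in-app; on a Chromium-based WebView the engine's optional file and JavaScript surfaces are switched off before the content loads.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Added example (hypothetical helper), not part of the original post.
public final class AdWebViewHelper {
    private AdWebViewHelper() {}

    /** True when the device ships the legacy, non-Chromium system WebView (Android 4.3 and earlier). */
    public static boolean hasLegacyWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
    }

    /**
     * Loads remote (untrusted) content into the WebView only when the device has the
     * Chromium-based WebView that ships with Android 4.4 and later. On older devices the
     * URL is opened in the user's default browser via an ACTION_VIEW intent, so the app
     * never feeds third-party content to a WebView that will not receive a fix.
     */
    public static void loadAdSafely(Context ctx, WebView webView, String url) {
        if (hasLegacyWebView()) {
            Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
            intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            ctx.startActivity(intent);
            return;
        }

        WebSettings settings = webView.getSettings();
        // Keep the exposed surface small even on a patched engine: no script unless the
        // ad network genuinely needs it, and no access to local files or content providers.
        settings.setJavaScriptEnabled(false);
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);      // API 16+
        settings.setAllowUniversalAccessFromFileURLs(false); // API 16+
        webView.loadUrl(url);
    }
}
```

      The version gate is deliberately on the OS level rather than on a WebView package version, because before Android 5.0 the WebView is part of the system image and cannot be updated separately, which is exactly the situation the thread is about.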

    2. Re:Solution: update the browser by Pope+Hagbard · · Score: 2

      Ah, there's an entry on my Slashdot Bingo card: an irrelevant and inaccurate car analogy.

    3. Re:Solution: update the browser by danbob999 · · Score: 2

      Good to know. One more reason for not tolerating adware.

  10. This isn't Google's problem. by Anonymous Coward · · Score: 2, Informative

    If it was as easy as deploying an update to an APK through the Play Store, Google would do it. Google DOES do it. System updates are handled by the carrier. We all know damn well that carriers do not have incentives to provide device updates. You should never expect an Android device to receive major version updates. If that's important to you, buy an Apple device, just don't complain about bending.

    In short, do your god-damned research before buying that shiny new brick.

  11. To be fair... by Junta · · Score: 3, Insightful

    What are the chances that a vendor that declines to update 4.3 to 4.4 would be willing to do an update for a 4.3.x if Google bothered to do it?

    I think it smells bad, but trying to target users with vendors holding back 4.4 but willing to do another 4.3.x update is tricky. This is why google moved toward moving stuff in a more modular fashion: to get the ability to update relevant portions without demanding the vendor get in the middle.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  12. ding ding ding by OrangeTide · · Score: 2

    there's no *point* in Google writing a patch, none of the hardware companies involved would ever bother to deploy it.

    This has been my experience in the industry as well. I don't see OEMs scrambling to get the latest updates from the chip vendor or from Google. And I see chip vendors who basically abandon support for older chips on newer releases.

    I blame Google, OEMs and Vendors for the problem and not really the carriers. While carriers usually want software to be qualified before an update is allowed, there are many carriers with different rules and many phones that are not under contract.

    Carriers are less particular about OS updates (patches) than they were a few years ago, and have switched mainly to being worried about OS upgrades. Either because it might cause lots of customer support calls with broken phones or it will cut into their phone sales (they sell phones through 2 year service contracts; you thought they were free?).

    --
    “Common sense is not so common.” — Voltaire
  13. Re:Why Google? Shouldn't Microsoft patch XP? by tomknight · · Score: 2

    Are you being deliberately dense?

    Okay, try this.
    Windows 7 was released in 2009, and will get security fixes until 2020.
    Even Windows Vista (released in 2007 for home) will get security fixes until 2017.

    Let's look at phone versions instead:
    Windows Phone 7 was released in October 2010 and left support in October 2014.
    Windows Phone 8 was released in October 2012 and will be supported until January 2016.

    Looks like Windows users are getting a little better support from their supplier.

    --
    Oh arse
  14. Easy problem to fix by DrProton · · Score: 2

    This "vulnerability" can be completely avoided by installing Firefox or Chrome on your Android 4.3 device and using either as the default browser. It's irresponsible of /. to ring the security panic bell without mentioning how one can simply neuter the threat.

    --
    "Mit der Dummheit kaempfen Goetter selbst vergebens." - Schiller
  15. Good thing Android is open source! by Anonymous Coward · · Score: 3, Funny

    We can patch it ourselves! Right? Right?!

  16. Google phone, made by Google, sold by Google. by Brannon · · Score: 2

    Sure it uses some internal components made by other companies, so does the iPhone, so does every consumer product. That's not an excuse to stop supporting a product made by your company.

  17. Isn't Google's fault, or is it? by internet-redstar · · Score: 2
    Many remarks say that Google isn't to blame as they provide bug-free versions of Android as well.
    HW vendors are indeed not interested in providing upgrades for hardware they no longer sell.

    While that is true, it was Google's choice to allow binary device drivers for Android interaction by the vendors.
    It is these proprietary device drivers which are preventing initiatives such as CyanogenMod and others from providing a clear upgrade path.
    It illustrates the big mistake Google makes in this regard (allowing binary drivers and focusing on Apache licenses).
    The position of Google is strong enough to make a stance in the interest of the users (and the world) that all Android drivers should be open sourced... in that way the users can 'bake their own' and take their own responsibility with respect to upgrades.
    The current situation puts the responsibility upon unwilling HW vendors, unwilling providers and ultimately Google.

    Sooner or later this is going to blow up in Google's face because bigger security problems will one day be found!
    It's time Google takes a stance for open source software in the interest of the users and the larger common good (certainly now that it's completely on par with their own interests)!