Slashdot Mirror


Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3

MojoKid writes If you're running Android 4.3 or earlier, you're pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers that choose to exploit the security hole. WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected. What's most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn't seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.

47 of 579 comments

  1. The solution is obvious by BVis · · Score: 5, Insightful

    Clearly Google has decided that the solution for this problem is to update Android. This is not an unreasonable solution. The problem is fixed, and how you get the fix is well documented.

    The problem is when your carrier prevents you from upgrading. Blame for this issue lies solely at the feet of Verizon, AT&T, Sprint, T-Mobile, etc.

    --
    Never underestimate the power of stupid people in large groups.
    1. Re:The solution is obvious by Mr+D+from+63 · · Score: 4, Informative

      They also state that the vulnerability can be easily avoided just by using an updated browser.

    2. Re:The solution is obvious by rot26 · · Score: 3, Insightful

      My widely distributed product has been discovered to have a serious security flaw affecting millions of users. I have fixed this but it requires you to get your congressman to fetch it for you and have his staff install it. It's not MY fault if you can't convince your congressman to do this, it's HIS fault, and if you suffer, that's just too bad. Take it up at the voting booth.

      --
      To ensure perfect aim, shoot first and call whatever you hit the target
    3. Re:The solution is obvious by Anonymous Coward · · Score: 3, Insightful

      That's fucking comical. Google knows very well what the situation with the carriers and OEMs is, they are just as culpable in this mess. If Microsoft or Apple pulled some shit like this the tech blog sphere would implode from the density of the rage. All is forgiven for Glorious Google-sama however!

    4. Re:The solution is obvious by soft_guy · · Score: 4, Insightful

      Apple tries to control as much as they can on their platforms. Other platforms like Android and Windows take an approach of sharing responsibility for the overall quality between several different companies who can each point at each other and say "not it!" when a problem arises.

      --
      Avoid Missing Ball for High Score
    5. Re:The solution is obvious by Anonymous Coward · · Score: 5, Informative

      The webview control is also used internally by many apps, so you can't really avoid it. Google is pulling an "XP" here, except they're abandoning software that hasn't even been in the market for two full years.

    6. Re:The solution is obvious by Black.Shuck · · Score: 5, Insightful

      How is Apple able to upgrade their phones for like 5 years and Scamsung, LG and HTC cannot?

      Apple is comparatively disciplined, releasing about one new phone a year, and hardware and software are under their full control.

      Together, the others release dozens, and different companies share different responsibilities. Nice for consumer choice, but not so nice for support, since nobody wants to maintain a software stack nor wrestle with the politics involved in updating so many different devices.

    7. Re:The solution is obvious by jgtg32a · · Score: 4, Informative

      Android 4.3 was released July 24, 2013

    8. Re:The solution is obvious by Lazere · · Score: 5, Insightful

      I disagree. Microsoft not supporting XP and Google not supporting 4.3 are two completely different things. 4.3, despite being two major versions ago, was released less than two years ago. If Microsoft or Apple stopped supporting an OS version after less than two years, there would be hell to pay. Why does Google get a pass just because they have a fast versioning scheme?

    9. Re:The solution is obvious by mdielmann · · Score: 5, Interesting

      Exactly. I wouldn't blame Google for this, the problem lies with the carriers not upgrading their fleet of phones. Android is now 3 major version releases past 4.3. Would you really expect Microsoft to continue to support Windows XP anymore? They don't, unless business is willing to shell out big bucks for added support.

      Carriers should really be to blame.

      Two key differences. First, XP came out in 2001. Second, XP support ended last year. But to be fair, I'd be happy if Google would support their OS for even half that long. So, where is that support for Android 1.1?

      Realistically, support should last at least as long as the longest contract in the countries their product is used in. If you went with the standard of a 3-year contract (I think there are 4-year contracts, but I'm certain my carrier has 3-year contracts), that would still leave the later releases of Ice Cream Sandwich (4.0) under support. Face it, their Android OS support is abysmal.

      --
      Sure I'm paranoid, but am I paranoid enough?
    10. Re:The solution is obvious by Munchr · · Score: 4, Insightful

      No, the carriers made up this system, and it existed long before Android entered the market. Symbian OS, Windows Phone, and Android are all affected. Apple managed to get AT&T to agree to allow Apple to control when and how updates to the iPhone are provided as part of the initial AT&T exclusive partnership agreement for the original iPhone. Every carrier since AT&T has had to agree to the same provision regarding Apple's control, or they don't get the iPhone. I'm not aware of ANY other phone manufacturer that has managed that feat before or since, without being forced to sell their phones directly to the public as carrier free/unlocked phones as Nokia did with the n900.

    11. Re:The solution is obvious by Noah+Haders · · Score: 3, Informative

      Google created the rules of the AOSP and the OHA. They could have set a rule about phone upgrades, but decided they would get faster market share growth if they let that one slide. Now they are paying the price. Actually, the users are paying the price; Google still has its market share so they feel good about it.

    12. Re:The solution is obvious by BVis · · Score: 4, Insightful

      So because Google didn't specifically forbid something, and the carriers went ahead and did it not because it was a good idea, but because fuck the customer, that's Google's fault? If I don't specifically tell someone to look both ways before crossing the street, is it my fault when they don't and get hit by a bus?

      The carriers are the bad actors here. Google had a bug in their product, and they have fixed it. The carriers are the ones not allowing their customers to install the fixed version.

      --
      Never underestimate the power of stupid people in large groups.
    13. Re:The solution is obvious by dumfrac · · Score: 3, Informative

      The *Google* Galaxy Nexus was created by... wait for it... GOOGLE. It runs stock Android. _Google_ has certainly NOT fixed their product.

    14. Re:The solution is obvious by the_B0fh · · Score: 3, Insightful

      Why wouldn't you blame Google for this? Google explicitly said they are not updating the code. Since the carriers depend on Google to provide the code, how are they not culpable?

      And the "oh, 5 million lines of code, I don't know where to look" is damned weak sauce. Debian backports security patches all the time.

    15. Re:The solution is obvious by Karlt1 · · Score: 4, Informative

      Apple abandoned the original iPad in under 2.5 years.

      But on the other hand, Apple released a security patch for the iPhone 3GS, released in 2009, last February.

      The iPad 2 released mid-2011 can still run the latest OS.

    16. Re:The solution is obvious by Anonymous Coward · · Score: 5, Informative

      Except that the hardware requirements for Android have advanced for each new release. Specifically, phones with 512MB of RAM or less cannot be upgraded to Jelly Bean.

    17. Re:The solution is obvious by Geordish · · Score: 3, Informative

      No, blame for this is on Google, because Android is designed as a firmware but marketed as an operating system. An operating system would get updates without requiring a complete wipe and reinstallation.

      My current phone has got updates from Kit Kat to Lollipop without a wipe and reinstallation. As have all my previous android phones from one version to another. I'm unsure what you are getting at here...

      Android has a huge attack surface and still completely lacks ways to fix bugs except by abandoning entire "OS" versions.

      Not true. Google has a way to patch parts of the operating system on older versions using play services:

      http://arstechnica.com/gadgets...

    18. Re:The solution is obvious by CastrTroy · · Score: 4, Insightful

      Isn't this basically what Microsoft does with Windows, or what Linux does. One code base that runs on all kinds of machines. And we still expect them to get vulnerabilities fixed. I could understand if it was a bug with some kind of driver that communicated with the cellular radio or other piece of hardware. Then it would be up to the manufacturer or carrier to fix the bug. But this is a bug in something that has nothing to do with the hardware that it is running on. There should be a more reliable way for bugs to get fixed on Android without going through multiple entities, some of which would just rather you buy new hardware. Imagine if you had to go through Dell, HP, or Acer every time you needed something fixed in Windows. It would be a disaster. But that's exactly what the state of affairs is with Android. I'm due for a new phone soon. I can't afford an iPhone, and my previous phone was Android, but I seriously got burned on updates. I've been considering Windows Phone, but their app selection is quite poor. I find that the current state of affairs with phone operating systems to be quite terrible.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    19. Re:The solution is obvious by bondsbw · · Score: 4, Informative

      2.5 years is pretty good compared with many Android devices. My wife and I have owned 4 Android devices between us, and none of them received updates even 2 years after their initial release date.

      Also I suspect you picked on the first iPad because it was the worst. I can't recall any mainstream Apple product that was supported for less time. Many of them are supported for 4 years or more.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    20. Re:The solution is obvious by bondsbw · · Score: 4, Interesting

      It would be a major improvement if Android products were supported for even 2 year contract periods.

      Google should require manufacturers to provide all Android updates for 2 years minimum and 2 minor versions minimum, and security updates for those minor versions for 4 years minimum.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    21. Re:The solution is obvious by Dixie_Flatline · · Score: 4, Interesting

      Apple released a security patch for iOS 6 when that SSL vulnerability was found. It was a deprecated OS running on a MINORITY of Apple phones and they issued an update anyway. (http://support.apple.com/en-ca/HT202920)

      Why are so many people excited to give Google a pass over this? Support your customers or don't, but be up front about how long they're going to get to see updates. If you're going to drop security support after 18 months, at least let everyone know so they can make an informed decision.

    22. Re:The solution is obvious by KlomDark · · Score: 3, Funny

      But 512 megs should be enough for ANYBODY...

    23. Re:The solution is obvious by Anonymous Coward · · Score: 3, Informative

      Google has stopped patching Android 4.3 and lower. Instead they want you to upgrade the OS, and they don't give a rat's ass whether that is actually possible. How is that not worse than pulling an XP, considering that Android 4.3 was the latest version just seven months ago?

    24. Re:The solution is obvious by c · · Score: 3, Interesting

      Why does Google get a pass just because they have a fast versioning scheme?

      Largely because everyone with a clue knows that 99.999% of devices still running Android 4.3.x which haven't been upgraded to 4.4.x have approximately 0.00000 probability of being updated to 4.3.(x+1) even if Google were to make a patch available.

      Whether they "support" 4.3 for two days, two years or two decades at this point is largely irrelevant. If you have no means to get a patch to the people affected by the problem and you're going to get criticized irrespective of whether or not you try, then why waste the resources?

      And it's pretty darn obvious from what Google's been doing in the last few years that this is not a situation that Google is happy with, nor is it a situation they could reasonably do much more about.

      --
      Log in or piss off.
    25. Re:The solution is obvious by Tran · · Score: 5, Insightful

      Well, unlike the wireless phone companies, there were no vendors for the PCs that insist on putting their hands on the OS to customize the Android experience (mostly to detrimental effect, in my experience). So yes, Verizon, T-Mobile are on the hook for this one.

      My plain vanilla Nexus 4 is still running fine with the latest and greatest, well latest, OS from Google. It is just starting to take some performance hits as compared to when it first came out.

    26. Re:The solution is obvious by TsuruchiBrian · · Score: 3, Insightful

      This is a bad example. You don't get all your drivers from the OS vendor. Google publishes the OS images to the public. The problem is that you can't use them if your hardware vendor has not yet made their drivers compatible with the new version of the OS.

      Microsoft doesn't package every driver from every hardware vendor with its OS. If your hardware vendor doesn't provide a driver for Windows then that's not Microsoft's fault.

      Furthermore, if you really want updates ASAP, you can get a Nexus phone and be the first to receive them directly from Google.

    27. Re:The solution is obvious by tlhIngan · · Score: 5, Interesting

      Together, the others release dozens, and different companies share different responsibilities. Nice for consumer choice, but not so nice for support, since nobody wants to maintain a software stack nor wrestle with the politics involved in updating so many different devices.

      You're off by an order of magnitude.

      Samsung, in 2014, released about 3 smartphones per week. Yes, they have over 150 smartphones released in 2014. Tablet wise, I think it was over 1 tablet a week (it was over 50 around October).

      It seems a lot of Android manufacturers see Android more as a "fire and forget" style of releases - just get a version of Android, stick it on, sell it, move on.

      I mean, supporting 200 brand new Android devices (ignoring 2013 releases and prior) ...

    28. Re:The solution is obvious by gnupun · · Score: 3, Informative

      This is a bad example.

      It's a valid example: a smartphone is just a shrunk down PC/laptop.

      You don't get all your drivers from the OS vendor.

      True, but we do get OS updates from only one vendor: the OS vendor. If there's a driver bug or hardware bug, we get the driver update from the hardware vendor. This is not a hardware/hardware driver bug, so the update must come from the OS vendor, Google.

      The problem is that you can't use them if your hardware vendor has not yet made their drivers compatible with the new version of the OS.

      What does a pure software component, WebView, have anything to do with hardware drivers? Nothing. Your argument is baseless.

    29. Re:The solution is obvious by Anonymous Coward · · Score: 5, Informative

      No, they just don't give a shit like any other massive software company. My 1 year old Post-Google Moto phone will never see an official 4.4/5.0 release. Clearly they just can't be fucked to try.

    30. Re:The solution is obvious by AmiMoJo · · Score: 4, Insightful

      Download the Android source from the official site for free: https://source.android.com/sou...

      You might be thinking of the Play store and other Google apps, which as you say are not free. You can download and install them for free as a user, but if you want to ship them pre-installed on a device then there are licence agreements. Nothing in those agreements about having to launch a flagship phone or nonsense like that... Android is winning because it is available on everything from low cost low end devices to the very top tier hardware.

      As for the costs, Cyanogen seems to prove that they can be pretty low. They support a lot of devices with very little funding to do so, partly because they are open source and rely on volunteers. Some companies pay them for support, which seems like a reasonable way to do long term updates.

      You should never buy a phone from a carrier. Always get it unbranded and unlocked.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Their excuse sucks by BarbaraHudson · · Score: 3, Insightful

    They claim not to have the resources to do maintenance because it's 5 million lines of source code. Gee whiz, how many 100s of millions of lines of source code are there for OSes, and yet they don't get EOLed in a couple of years.

    What other bugs (in this and other projects) are going to be labeled WONT_FIX?

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    1. Re:Their excuse sucks by meta-monkey · · Score: 3, Funny

      I'm eagerly awaiting the inclusion of WebKit in systemd.

      --
      We don't have a state-run media we have a media-run state.
  3. Article misses the point by Anonymous Coward · · Score: 5, Informative

    The WebView code was originally tied directly to the Android version, and HW manufacturers aren't willing to deploy 4.4 since it would take effort on their part. To avoid this, in the newer versions of Android, they have made it so there can be a Play Store update to fix and replace the WebView-like modules, so they can regain control of the patching process and not rely on handset companies.

    1. Re:Article misses the point by ThePhilips · · Score: 3, Interesting

      The WebView code was originally tied directly to the Android version, and HW manufacturers aren't willing to deploy 4.4 since it would take effort on their part.

      4.4 changed WebView and that broke a number of apps.

      And not simply broke. Google has removed a sizable chunk of WebView functionality because it is not really WebView anymore, it is a small Chrome browser window, and the features everybody was relying upon were never part of Chrome and as such... tough luck.

      To the company with the resources of Google, lame excuses like that are just unacceptable.

      --
      All hope abandon ye who enter here.
  4. Nice troll by MikeBabcock · · Score: 4, Insightful

    Like everyone else reporting on this story, it completely misses the point: there's no *point* in Google writing a patch, none of the hardware companies involved would ever bother to deploy it. They have *no* control over that bit of code in your phone unless you're running a Nexus device.

    --
    - Michael T. Babcock (Yes, I blog)
    1. Re:Nice troll by Godai · · Score: 4, Insightful

      Also a point that gets largely glossed over is that this only affects apps that use WebView as a widget. Browser apps like Chrome or Opera aren't affected because they've updated themselves to use Chromium (or something else). This may affect 60% of Android users, but what percentage of those are using the browser inside an app to visit random sketchy websites? I'm guessing the actual user base at risk is quite small.

      The way this is reported it sounds like if you use Chrome on anything south of 4.4, you're IN GRAVE MORTAL DANGER OF TEH HACKZ.

      --
      Wood Shavings!
      - Godai
    2. Re:Nice troll by OhPlz · · Score: 4, Interesting

      I have a Google Nexus. 4.3 is the last version supporting my phone. The phone does everything I need it to, so I don't want to waste money on a newer one. I think this is a blatant attempt to force people to buy newer phones. All their craplets get updated, but not the Android OS.

    3. Re:Nice troll by dumfrac · · Score: 3, Insightful

      (Not the OP here.) I presume that it is the Google Galaxy Nexus. Google has not made 4.4 available for the Google Galaxy Nexus.

  5. Not to be an apologist for Google, but by NoNonAlphaCharsHere · · Score: 4, Informative

    Apple and Microsoft control their own update process on all platforms; Google does not. It's the individual carriers who are getting in the way of Android updates.

    1. Re:Not to be an apologist for Google, but by finkployd · · Score: 4, Insightful

      Not really an apology for Google though, more of a "here is how Google royally screwed up in their relationships with carriers that Apple and Microsoft seem to have gotten right".

    2. Re:Not to be an apologist for Google, but by Lazere · · Score: 5, Insightful

      Alternatively; "Here is how Google royally screwed up writing their OS so that updating even relatively minor parts requires a full OS upgrade while Apple and Microsoft seem to have figured out how patching works."

  6. Android Patching by Xinef+Jyinaer · · Score: 3, Insightful

    I don't get how this can make the front page twice. This time TFS has nothing to do with the TFA, but neither is relevant. Google has already patched this; that is what 4.4 is. If you can't get 4.4 pushed to your phone then chances are you are not going to get another patch to this pushed to your phone. At that point, the way Android patches are being pushed, it is entirely out of Google's hands...

    --
    Some days I just get bored and Troll post all the memes I can think of...
  7. Solution: update the browser by danbob999 · · Score: 3, Informative

    You can get an updated browser through the Google Play store. Many are available. Using a browser that comes pre-loaded with the OS and relying on your phone manufacturer/carrier to update it is a security risk.

    1. Re:Solution: update the browser by maorb · · Score: 3, Insightful

      That solves the browser issue, but many apps (especially those that have in app advertising) remain vulnerable whenever they load an ad. So people using the free versions of many popular apps can still fall victim to this vulnerability.
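      The point above, that an app embedding WebView stays exposed on a 4.3-or-earlier device no matter which browser the user installs, is something an app developer can at least mitigate on their own side. The following is an added illustration, not code from the thread or from Google; the class name `WebViewPolicy`, the helper names and the trusted-host list are hypothetical. It uses only platform APIs (`Build.VERSION.SDK_INT`, `WebSettings`, `WebViewClient`) to detect a pre-KitKat (affected) WebView, disable scripting there, and refuse to render anything that is not first-party HTTPS content, so ad or other third-party pages are not loaded into the legacy WebView at all.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical helper (added example): gates what an app's embedded WebView
 * may load, depending on whether the platform WebView is the pre-KitKat build
 * that the thread says will not receive a platform patch.
 */
public final class WebViewPolicy {

    // Hosts the app itself controls; constructed example values.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "www.example.com"));

    private WebViewPolicy() {}

    /** True on Android 4.3 or earlier, i.e. the legacy (affected) WebView. */
    public static boolean usesLegacyWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT; // KITKAT == 19
    }

    /** Only first-party HTTPS URLs are allowed inside the embedded WebView. */
    public static boolean isTrusted(String url) {
        if (url == null) {
            return false;
        }
        Uri uri = Uri.parse(url);
        return "https".equals(uri.getScheme()) && TRUSTED_HOSTS.contains(uri.getHost());
    }

    /** Applies a restrictive configuration to the given WebView. */
    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        if (usesLegacyWebView()) {
            // Legacy WebView: no scripting at all, even for first-party pages.
            settings.setJavaScriptEnabled(false);
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation inside the WebView,
                // so redirects and in-page links cannot escape the trusted set.
                return !isTrusted(url);
            }
        });
    }

    /**
     * Loads the URL only when policy allows. Returns false when the content
     * was refused; the caller should then fall back to the system browser
     * (which, unlike the platform WebView, the user can keep updated).
     */
    public static boolean loadIfAllowed(WebView webView, String url) {
        if (!isTrusted(url)) {
            return false; // ad network / third-party content is never rendered here
        }
        webView.loadUrl(url);
        return true;
    }
}
```

      Call `harden(webView)` once when the view is created and route every load through `loadIfAllowed`; when it returns false, hand the URL to the system browser via an `ACTION_VIEW` intent instead. This does not patch the platform component, it only keeps untrusted pages out of it, which is the part an app author controls on devices that will never see 4.4.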

  8. To be fair... by Junta · · Score: 3, Insightful

    What are the chances that a vendor that declines to update 4.3 to 4.4 would be willing to do an update for a 4.3.x if Google bothered to do it?

    I think it smells bad, but trying to target users with vendors holding back 4.4 but willing to do another 4.3.x update is tricky. This is why Google moved toward moving stuff in a more modular fashion: to get the ability to update relevant portions without demanding the vendor get in the middle.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  9. Good thing Android is open source! by Anonymous Coward · · Score: 3, Funny

    We can patch it ourselves! Right? Right?!