Slashdot Mirror


Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3

MojoKid writes If you're running Android 4.3 or earlier, you're pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers that choose to exploit the security hole. WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected. What's most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn't seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.

27 of 579 comments

  1. The solution is obvious by BVis · · Score: 5, Insightful

    Clearly Google has decided that the solution for this problem is to update Android. This is not an unreasonable solution. The problem is fixed, and how you get the fix is well documented.

    The problem is when your carrier prevents you from upgrading. Blame for this issue lies solely at the feet of Verizon, At&T, Sprint, T-Mobile, etc.

    --
    Never underestimate the power of stupid people in large groups.
    1. Re:The solution is obvious by Mr+D+from+63 · · Score: 4, Informative

      They also state that the vulnerability can be easily avoided just by using an updated browser.

    2. Re:The solution is obvious by soft_guy · · Score: 4, Insightful

      Apple tries to control as much as they can on their platforms. Other platforms like Android and Windows take an approach of sharing responsibility for the overall quality between several different companies who can each point at each other and say "not it!" when a problem arises.

      --
      Avoid Missing Ball for High Score
    3. Re:The solution is obvious by Anonymous Coward · · Score: 5, Informative

      The webview control is also used internally by many apps, so you can't really avoid it. Google is pulling an "XP" here, except they're abandoning software that hasn't even been in the market for two full years.

    4. Re:The solution is obvious by Black.Shuck · · Score: 5, Insightful

      how is apple able to upgrade their phones for like 5 years and Scamsung, LG and HTC cannot?

      Apple is comparatively disciplined, releasing about one new phone a year, and hardware and software are under their full control.

      Together, the others release dozens, and different companies share different responsibilities. Nice for consumer choice, but not so nice for support, since nobody wants to maintain a software stack nor wrestle with the politics involved in updating so many different devices.

    5. Re:The solution is obvious by jgtg32a · · Score: 4, Informative

      Android 4.3 was released July 24, 2013

    6. Re:The solution is obvious by Lazere · · Score: 5, Insightful

      I disagree. Microsoft not supporting XP and Google not supporting 4.3 are two completely different things. 4.3, despite being two major versions ago, was released less than two years ago. If Microsoft or Apple stopped supporting an OS version after less than two years, there would be hell to pay. Why does Google get a pass just because they have a fast versioning scheme?

    7. Re:The solution is obvious by mdielmann · · Score: 5, Interesting

      Exactly. I wouldn't blame Google for this, the problem lies with the carriers not upgrading their fleet of phones. Android is now 3 major version releases past 4.3. Would you really expect Microsoft to continue to support Windows XP anymore? They don't, unless business is willing to shell out big bucks for added support.

      Carriers should really be to blame.

      Two key differences. First, XP came out in 2001. Second, XP support ended last year. But to be fair, I'd be happy if Google would support their OS for even half that long. So, where is that support for Android 1.1?

      Realistically, support should last at least as long as the longest contract in the countries their product is used in. If you went with the standard of a 3-year contract (I think there are 4-year contracts, but I'm certain my carrier has 3-year contracts), that would still leave the later releases of Ice Cream Sandwich (4.0) under support. Face it, their Android OS support is abysmal.

      --
      Sure I'm paranoid, but am I paranoid enough?
    8. Re:The solution is obvious by Munchr · · Score: 4, Insightful

      No, the carriers made up this system, and it existed long before Android entered the market. Symbian OS, Windows Phone, and Android are all affected. Apple managed to get AT&T to agree to allow Apple to control when and how updates to the iPhone are provided as part of the initial AT&T exclusive partnership agreement for the original iPhone. Every carrier since AT&T has had to agree to the same provision regarding Apple's control, or they don't get the iPhone. I'm not aware of ANY other phone manufacturer that has managed that feat before or since, without being forced to sell their phones directly to the public as carrier free/unlocked phones as Nokia did with the n900.

    9. Re:The solution is obvious by BVis · · Score: 4, Insightful

      So because Google didn't specifically forbid something, and the carriers went ahead and did it not because it was a good idea, but because fuck the customer, that's Google's fault? If I don't specifically tell someone to look both ways before crossing the street, is it my fault when they don't and get hit by a bus?

      The carriers are the bad actors here. Google had a bug in their product, and they have fixed it. The carriers are the ones not allowing their customers to install the fixed version.

      --
      Never underestimate the power of stupid people in large groups.
    10. Re:The solution is obvious by Karlt1 · · Score: 4, Informative

      Apple abandoned the original iPad in under 2.5 years.

      But on the other hand, Apple released a security patch for the iPhone 3GS - released in 2009 -- last February.

      The iPad 2 released mid-2011 can still run the latest OS.

    11. Re:The solution is obvious by Anonymous Coward · · Score: 5, Informative

      Except that the hardware requirements for Android have advanced for each new release. Specifically, phones with 512MB of RAM or less cannot be upgraded to Jelly Bean.

    12. Re:The solution is obvious by CastrTroy · · Score: 4, Insightful

      Isn't this basically what Microsoft does with Windows, or what Linux does? One code base that runs on all kinds of machines. And we still expect them to get vulnerabilities fixed. I could understand if it was a bug with some kind of driver that communicated with the cellular radio or other piece of hardware. Then it would be up to the manufacturer or carrier to fix the bug. But this is a bug in something that has nothing to do with the hardware that it is running on. There should be a more reliable way for bugs to get fixed on Android without going through multiple entities, some of which would just rather you buy new hardware. Imagine if you had to go through Dell, HP, or Acer every time you needed something fixed in Windows. It would be a disaster. But that's exactly what the state of affairs is with Android. I'm due for a new phone soon. I can't afford an iPhone, and my previous phone was Android, but I seriously got burned on updates. I've been considering Windows Phone, but their app selection is quite poor. I find the current state of affairs with phone operating systems to be quite terrible.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    13. Re:The solution is obvious by bondsbw · · Score: 4, Informative

      2.5 years is pretty good compared with many Android devices. My wife and I have owned 4 Android devices between us, and none of them received updates even 2 years after their initial release date.

      Also I suspect you picked on the first iPad because it was the worst. I can't recall any mainstream Apple product that was supported for less time. Many of them are supported for 4 years or more.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    14. Re:The solution is obvious by bondsbw · · Score: 4, Interesting

      It would be a major improvement if Android products were supported for even 2 year contract periods.

      Google should require manufacturers to provide all Android updates for 2 years minimum and 2 minor versions minimum, and security updates for those minor versions for 4 years minimum.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    15. Re:The solution is obvious by Dixie_Flatline · · Score: 4, Interesting

      Apple released a security patch for iOS 6 when that SSL vulnerability was found. It was a deprecated OS running on a MINORITY of Apple phones and they issued an update anyway. (http://support.apple.com/en-ca/HT202920)

      Why are so many people excited to give Google a pass over this? Support your customers or don't, but be up front about how long they're going to get to see updates. If you're going to drop security support after 18 months, at least let everyone know so they can make an informed decision.

    16. Re:The solution is obvious by Tran · · Score: 5, Insightful

      Well, unlike the wireless phone companies, there were no vendors for the PCs that insist on putting their hands on the OS to customize the Android experience (mostly to detrimental effect, in my experience). So yes, Verizon, T-Mobile are on the hook for this one.

      My plain vanilla Nexus 4 is still running fine with the latest and greatest, well latest, OS from Google. It is just starting to take some performance hits as compared to when it first came out.

    17. Re:The solution is obvious by tlhIngan · · Score: 5, Interesting

      Together, the others release dozens, and different companies share different responsibilities. Nice for consumer choice, but not so nice for support, since nobody wants to maintain a software stack nor wrestle with the politics involved in updating so many different devices.

      You're off by an order of magnitude.

      Samsung, in 2014, released about 3 smartphones per week. Yes, they have over 150 smartphones released in 2014. Tablet wise, I think it was over 1 tablet a week (it was over 50 around October).

      It seems a lot of Android manufacturers see Android more as a "fire and forget" style of releases - just get a version of Android, stick it on, sell it, move on.

      I mean, supporting 200 brand new Android devices (ignoring 2013 releases and prior) ...

    18. Re:The solution is obvious by Anonymous Coward · · Score: 5, Informative

      No, they just don't give a shit like any other massive software company. My 1 year old Post-Google Moto phone will never see an official 4.4/5.0 release. Clearly they just can't be fucked to try.

    19. Re:The solution is obvious by AmiMoJo · · Score: 4, Insightful

      Download the Android source from the official site for free: https://source.android.com/sou...

      You might be thinking of the Play store and other Google apps, which as you say are not free. You can download and install them for free as a user, but if you want to ship them pre-installed on a device then there are licence agreements. Nothing in those agreements about having to launch a flagship phone or nonsense like that... Android is winning because it is available on everything from low cost low end devices to the very top tier hardware.

      As for the costs, Cyanogen seems to prove that they can be pretty low. They support a lot of devices with very little funding to do so, partly because they are open source and rely on volunteers. Some companies pay them for support, which seems like a reasonable way to do long term updates.

      You should never buy a phone from a carrier. Always get it unbranded and unlocked.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Article misses the point by Anonymous Coward · · Score: 5, Informative

    The WebView code was originally tied directly to the Android version, and HW manufacturers aren't willing to deploy 4.4 since it would take effort on their part. To avoid this, in the newer versions of Android, they have made it so there can be a Play Store update to fix and replace the WebView-like modules, so they can regain control of the patching process and not rely on handset companies.
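    The split the comment above describes (legacy WebView bundled with the OS image on 4.3 and earlier, Chromium-based from 4.4, shipped as a separately updatable package on later releases) is something an app that hosts its own WebView can check at runtime before rendering third-party pages. The following is an added example, not code from the article, Google, or any commenter; the refuse-on-legacy policy and the class name are this example's own assumptions, while KITKAT (API 19) and the package name com.google.android.webview are real Android identifiers.

```java
// Added example: a defensive runtime check an app can run before loading
// untrusted web content in its own WebView. The policy below (refuse on
// pre-KitKat devices) is an assumption of this example, not Android guidance.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.util.Log;

public final class WebViewPolicy {
    private static final String TAG = "WebViewPolicy";
    // Package name of the separately updatable Android System WebView that
    // Google can patch through the Play Store on newer releases.
    private static final String WEBVIEW_PKG = "com.google.android.webview";

    private WebViewPolicy() {}

    /** True only when the platform WebView is the Chromium-based one (Android 4.4+). */
    public static boolean hasChromiumWebView() {
        // KITKAT == API level 19; 4.4 and 5.0 are the unaffected versions in the story.
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT;
    }

    /**
     * Version name of the Play-updatable WebView package, or null when the
     * device has no such package (older releases bundle WebView with the OS image).
     */
    public static String updatableWebViewVersion(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(WEBVIEW_PKG, 0);
            return info.versionName;
        } catch (PackageManager.NameNotFoundException e) {
            return null;
        }
    }

    /**
     * Decide whether untrusted (third-party) pages may be loaded in this app's
     * WebView. On a legacy WebView neither the app nor Google can ship a fix, so
     * the example refuses; otherwise it allows and logs which WebView build is in
     * use so the record can be correlated during incident response.
     */
    public static boolean mayLoadUntrustedContent(Context ctx) {
        if (!hasChromiumWebView()) {
            Log.w(TAG, "Legacy WebView on API " + Build.VERSION.SDK_INT + "; refusing untrusted content");
            return false;
        }
        String v = updatableWebViewVersion(ctx);
        Log.i(TAG, "Chromium WebView; updatable package: " + (v == null ? "not present (bundled with OS)" : v));
        return true;
    }
}
```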

  3. Nice troll by MikeBabcock · · Score: 4, Insightful

    Like everyone else reporting on this story, it completely misses the point -- there's no *point* in Google writing a patch, none of the hardware companies involved would ever bother to deploy it. They have *no* control over that bit of code in your phone unless you're running a Nexus device.

    --
    - Michael T. Babcock (Yes, I blog)
    1. Re:Nice troll by Godai · · Score: 4, Insightful

      Also a point that gets largely glossed over is that this only affects apps that use Webview as a widget -- browser apps like Chrome or Opera aren't affected because they've updated themselves to use Chromium (or something else). This may affect 60% of Android users, but what percentage of those are using the browser inside an app to visit random sketchy websites? I'm guessing the actual user base at risk is quite small.

      The way this is reported it sounds like if you use Chrome on anything south of 4.4, you're IN GRAVE MORTAL DANGER OF TEH HACKZ.

      --
      Wood Shavings!
      - Godai
    2. Re:Nice troll by OhPlz · · Score: 4, Interesting

      I have a Google Nexus. 4.3 is the last version supporting my phone. The phone does everything I need it to, so I don't want to waste money on a newer one. I think this is a blatant attempt to force people to buy newer phones. All their craplets get updated, but not the Android OS.

  4. Not to be an apologist for Google, but by NoNonAlphaCharsHere · · Score: 4, Informative

    Apple and Microsoft control their own update process on all platforms; Google does not. It's the individual carriers who are getting in the way of Android updates.

    1. Re:Not to be an apologist for Google, but by finkployd · · Score: 4, Insightful

      Not really an apology for Google though, more of a "here is how Google royally screwed up in their relationships with carriers that Apple and Microsoft seem to have gotten right".

    2. Re:Not to be an apologist for Google, but by Lazere · · Score: 5, Insightful

      Alternatively: "Here is how Google royally screwed up writing their OS so that updating even relatively minor parts requires a full OS upgrade, while Apple and Microsoft seem to have figured out how patching works."