Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Says It’s Not Practical to Fix Flaws in Pre-KitKat Android

Researchers reported earlier this month that Google was no longer patching vulnerabilities affecting the WebView component in Android Jelly Bean (4.3) and prior. The search giant has motivated its decision by saying that it’s no longer practical to apply patches to old branches.

Researchers reported earlier this month that Google was no longer patching vulnerabilities affecting the WebView component in Android Jelly Bean (4.3) and prior. The search giant has motivated its decision by saying that it’s no longer practical to apply patches to old branches.

Over the past months, security experts identified several vulnerabilities in the WebView used by the Android Open Source Platform (AOSP) browser shipped by default with versions of Android older than KitKat (4.4). After reporting the issues to Google, researchers were informed that the company is no longer developing patches for older versions of WebView, but pointed out that those who report bugs can submit patches for consideration.

Some researchers believe the company should not neglect these versions of the operating system because, according to Google’s own statistics, approximately 60% of devices still run Android Jelly Bean, Ice Cream Sandwich, Gingerbread, and Froyo.

Android Vulnerabiliites“The news of Google not only abandoning security updates to its WebView in version 4.3 and below, but also the lack of transparency of doing so, is proof that device makers won’t be responsible for security indefinitely, letting the weight fall on corporate IT/Security departments in their stead,” Domingo Guerra, president and co-founder of Appthority, told SecurityWeek when the news broke. “With Android market share being #1 worldwide, it is hugely concerning, and surprising, that Google is leaving such a large install-base out in the wind.”

Last week, Adrian Ludwig, lead engineer for Android security at Google, explained the company’s decision and provided recommendations for both users and developers.

Ludwig has pointed out that Google has made great progress as far as WebView and browser security are concerned. Android KitKat is designed to allow device manufacturers (OEMs) to quickly deliver WebView binary updates from Google. Furthermore, with the latest version of Android, Lollipop (5.0), the updates are delivered directly through Google Play so that OEMs are no longer responsible for distributing patches.

“Until recently we have also provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier. But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely,” Ludwig explained in a blog post. “With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices.”

Some members of the industry highlighted that Google’s recent decision to stop providing patches for older versions of Android puts hundreds of millions of devices at risk. Others, however, believe this is actually a step in the right direction.

“Lookout doesn’t have hard data to confirm or deny this hypothesis, but it is our belief that the majority of devices in the world are either on an upgrade path to 4.4 or later, or they are generally not receiving updates at all. Therefore, the likely exposure to this policy change will likely not be very large, as in the former case, you’re in the clear, and in the latter case, you would be vulnerable either way,” Jeremy Linden, security product manager at Lookout, told SecurityWeek

Advertisement. Scroll to continue reading.

“We certainly believe the changes made by Google to allow upgrades to WebKit (as well as other components of the OS) outside of OEM/carrier pushes are very positive changes that reduce the impact of Android fragmentation for security issues,” Linden added.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.