Google Stops Patching Vulnerabilities in Old Versions of Android

Vulnerabilities found in WebView and possibly other components included in old versions of the Android operating system will no longer be patched by Google, researchers have learned.


WebView is the component used to render Web content inside Android apps and the stock browser. Starting with Android 4.4 (KitKat), Google replaced the older WebKit-based implementation with a new WebView based on the Chromium open source project.

The problem is that researchers such as Rafay Baloch and Rapid7’s Joe Vennix have found, and continue to find, numerous security vulnerabilities in the old WebView, which is used by the Android Open Source Project (AOSP) browser shipped by default with pre-KitKat versions of the OS. The popular penetration testing tool Metasploit includes exploits for 11 such flaws.

However, it appears that Google has stopped patching any vulnerabilities affecting this older version of WebView, despite the fact that roughly 60% of devices still run Android Jelly Bean (4.1-4.3), Ice Cream Sandwich (4.0), Gingerbread (2.3), and Froyo (2.2). According to recent studies, roughly 930 million devices run a version of the OS that Google considers outdated.

Google’s security team informed researchers at Rapid7 that they no longer develop patches for WebView prior to version 4.4. Instead, those who report the vulnerabilities are welcome to submit patches “for consideration,” Google said.

If vulnerability reports are not accompanied by a patch, all Google can do is notify its partners of the bug’s existence. If a patch is made available, it will be forwarded to partners, the company told Rapid7.

Google hasn’t clarified if the same policy applies to other components included in Android versions prior to 4.4.

While the search giant hasn’t officially informed customers that the operating systems they’re using on their mobile devices have reached end-of-life (EOL), the company says it can “no longer certify 3rd party devices that include the Android Browser,” and “the best way to ensure that Android devices are secure is to update them to the latest version of Android.”


Rapid7’s Tod Beardsley has pointed out that this is great news for cybercriminals because many users simply can’t afford to purchase new phones to get the latest version of the operating system.

“Open source security researchers routinely publish vulnerability details and working exploits with the expectation that this kind of public discussion and disclosure can get both vendors and users to take notice of techniques employed by bad guys,” the researcher noted in a blog post. “By ‘burning’ these vulnerabilities, users come to expect that vendors will step up and provide reasonable defenses. Unfortunately, when the upstream vendor is unwilling to patch, even in the face of public disclosure, regular users remain permanently vulnerable.”

The process of patching Android vulnerabilities is complicated as it is: Google usually doesn’t inform users and developers when a flaw has been patched, and carriers and manufacturers are responsible for distributing the updates from Google to their customers.

If Google no longer develops patches for older versions of Android, it’s unlikely that smartphone manufacturers and mobile operators will distribute the patches developed by security researchers, Beardsley noted.

“I empathize with their decision to cut legacy software loose. However, a billion people don’t rely on old versions of my software to manage and safeguard the most personal details of their lives. In that light, I’m hoping Google reconsiders if (when) the next privacy-busting vulnerability becomes public knowledge,” the expert said.

Steve Hultquist, chief evangelist at security analytics company RedSeal, has pointed out how such decisions can impact enterprises.

“Technology keeps moving forward on mobile devices, client computers, servers, and network infrastructure. As a result, the overall security of an organisation relies on the ongoing automated analysis of the current situation and processes and procedures to address the gaps that are uncovered daily,” Hultquist told SecurityWeek. “As we can see with the distribution of Android releases, being aware of the distribution of systems, their existing security issues, and how they are accessible from threats are all critical aspects of the overall security operation of an enterprise.”

“Having a clear picture of the entire environment and all possible interconnections is a critical need for every organisation,” he added.
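One practical way to get the picture Hultquist describes, and to size the pre-KitKat population the article refers to, is to classify the Android release of each client hitting your own web servers. The script below is an added example written for this page, not code from the article, Rapid7 or Google: it parses constructed Apache/nginx “combined” log lines (not real traffic), extracts the Android version from the User-Agent, and flags releases older than 4.4, which is where the Chromium-based WebView begins. The release-name table, the log lines and the “no Chrome/ token means stock AOSP browser” heuristic are assumptions made here; user agents are trivially spoofable, so treat the output as an inventory aid, not proof.

```python
import re
from collections import Counter

# Android 4.4 (KitKat) is the first release with the Chromium-based WebView;
# anything older uses the legacy component that Google no longer patches.
FIRST_CHROMIUM_WEBVIEW = (4, 4)

# Constructed sample of "combined" access-log lines (assumption: not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2015:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT-I9300 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
10.0.0.6 - - [12/Jan/2015:10:01:07 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.93 Mobile Safari/537.36"
10.0.0.7 - - [12/Jan/2015:10:01:09 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; GT-S5830 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
10.0.0.8 - - [12/Jan/2015:10:01:11 +0000] "GET /api HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
10.0.0.9 - - [12/Jan/2015:10:01:15 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Linux; Android 4.3; Nexus 7 Build/JSS15Q) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Safari/537.36"
"""

_ANDROID_RE = re.compile(r"Android (\d+)\.(\d+)")


def user_agent_of(line):
    """Return the User-Agent, i.e. the last quoted field of a combined log line, or None."""
    parts = line.rstrip().rsplit('"', 2)
    if len(parts) != 3 or parts[2] != "":
        return None
    return parts[1]


def android_version(user_agent):
    """Return (major, minor) parsed from the 'Android x.y' token, or None if not Android."""
    m = _ANDROID_RE.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def release_name(version):
    """Map (major, minor) to the release names used in the article (assumed table)."""
    major, minor = version
    if version == (2, 2):
        return "Froyo"
    if version == (2, 3):
        return "Gingerbread"
    if version == (4, 0):
        return "Ice Cream Sandwich"
    if major == 4 and 1 <= minor <= 3:
        return "Jelly Bean"
    if version == (4, 4):
        return "KitKat"
    return "other"


def uses_legacy_webview(user_agent):
    """True when the device runs a release older than 4.4, so every app WebView
    on it is the legacy component, whatever browser produced this request."""
    version = android_version(user_agent)
    return version is not None and version < FIRST_CHROMIUM_WEBVIEW


def is_aosp_browser(user_agent):
    """Heuristic: the stock AOSP browser sends 'Version/x.y' and no 'Chrome/' token."""
    return ("Android" in user_agent and "Version/" in user_agent
            and "Chrome/" not in user_agent)


def summarize(log_text):
    """Count Android requests per release and how many come from pre-KitKat devices."""
    by_release = Counter()
    legacy = aosp = 0
    for line in log_text.splitlines():
        ua = user_agent_of(line)
        version = android_version(ua) if ua else None
        if version is None:
            continue  # not an Android client (or unparseable line)
        by_release[release_name(version)] += 1
        if version < FIRST_CHROMIUM_WEBVIEW:
            legacy += 1
            if is_aosp_browser(ua):
                aosp += 1
    return {"by_release": by_release, "legacy_webview": legacy, "aosp_browser": aosp}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for name, count in sorted(report["by_release"].items()):
        print(f"{name:20s} {count}")
    print(f"pre-4.4 devices: {report['legacy_webview']} (stock AOSP browser: {report['aosp_browser']})")
```

Note the distinction the two flags draw: the Android 4.3 request from Chrome is still counted as a legacy-WebView device, because Chrome for Android ships its own engine but every other app on that device embeds the unpatched WebView; only the two `Version/4.0 Mobile Safari` requests are attributed to the stock AOSP browser that the Metasploit modules target.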

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
