Google refuses to patch vulnerability affecting 930 million users


Google has quietly disclosed that it will not be patching any vulnerabilities in a component in versions of Android before KitKat. This means that 60 percent of all active Android devices – or 930 million – are now vulnerable to an attack.

The company made this disclosure to Tod Beardsley, a security researcher from Rapid7, after another vulnerability reporter was told by Google that they will not fix the bug. In a “bizarre” email, the incident handlers told Beardsley that:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue[…] If patches are provided with the report or put into AOSP we are happy to provide them to partners as well.

The vulnerabilities that Google refuses to patch are in a core Android component called WebView, which apps use to render web pages on Android devices. Security researchers have found multiple exploitable bugs in it. One was a universal cross-site scripting attack, which Google patched in 2013. Another is a bug that failed to enforce the Same Origin Policy, which governs how a page may load and read content from other sites.

This vulnerability does not affect devices running Android 4.4 KitKat or above, because Google replaced the old WebView with a Chromium-based version, bringing it more on par with the Chrome browser.
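For an app developer who still has to ship to pre-KitKat devices, the practical question is what the app itself can do while the platform WebView stays unpatched. The following is an added illustration, not code from the article, from Google or from any Android project: a helper that detects a pre-4.4 WebView via the real `Build.VERSION` API and applies a restrictive `WebSettings` profile plus a navigation allowlist. The class name, the method names and the sample `trusted.example.com` host are assumptions made for the example; whether JavaScript can be switched off on legacy devices is an app-specific decision.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Defensive WebView configuration for apps that must still run on
 * devices older than Android 4.4. Added example; class and method
 * names are hypothetical, not part of the Android SDK.
 */
public final class LegacyWebViewHardening {

    private LegacyWebViewHardening() {}

    /** True when the device still has the pre-Chromium system WebView. */
    public static boolean usesLegacyWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
    }

    /**
     * Apply a conservative settings profile. On a legacy device the app
     * cannot rely on the platform to enforce the same-origin policy, so it
     * reduces what a page inside the WebView can reach: no JavaScript unless
     * the caller explicitly needs it, no file:// access, and no cross-origin
     * privileges for file:// content.
     */
    public static void harden(WebView webView, boolean javaScriptRequired) {
        WebSettings settings = webView.getSettings();

        // JavaScript is the vehicle for cross-site scripting; on legacy
        // devices keep it off unless the app genuinely needs it.
        boolean enableJs = javaScriptRequired && !usesLegacyWebView();
        settings.setJavaScriptEnabled(enableJs);

        // Keep pages away from local files and content providers.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);

        // These two setters exist only from API 16 (Jelly Bean); on older
        // devices they are absent and the defaults are permissive, which is
        // one reason JavaScript stays disabled there.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }
    }

    /**
     * Decide whether a navigation target is acceptable: HTTPS only, and
     * only to hosts the app expects. Kept as a pure function so it can be
     * unit-tested without an Android runtime.
     */
    public static boolean isAllowedUrl(String url, Set<String> allowedHosts) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        return "https".equalsIgnoreCase(scheme)
                && host != null
                && allowedHosts.contains(host.toLowerCase());
    }

    /** WebViewClient that blocks navigation outside the allowlist. */
    public static WebViewClient allowlistClient(String... hosts) {
        final Set<String> allowed = new HashSet<>(Arrays.asList(hosts));
        return new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true tells the WebView not to load the URL.
                return !isAllowedUrl(url, allowed);
            }
        };
    }

    /** Example wiring; "trusted.example.com" is a constructed sample host. */
    public static void configure(WebView webView) {
        harden(webView, /* javaScriptRequired= */ false);
        webView.setWebViewClient(allowlistClient("trusted.example.com"));
    }
}
```

The allowlist does not fix the platform bug; it limits which origins a vulnerable WebView is ever pointed at, so a same-origin-policy failure cannot be reached through an arbitrary link inside the app.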

However, it does leave 60 percent of all active Android devices, according to Google’s Dashboard statistics at the time of writing, vulnerable to attack unless someone outside the company develops a patch and Google’s partners push that update to their user base. Many of those partners have a very poor record of pushing updates to users. As Beardsley notes, “is AT&T or Motorola really more likely to incorporate a patch that comes from some guy on the Internet?”

It’s very easy to dismiss this and say that everyone should just upgrade to the new version in one of a variety of ways (some official, some not so), but not everyone wants to upgrade, for a variety of reasons. Moreover, having Google state publicly that it won’t patch a vulnerability means attackers will likely find ways to exploit the security holes, especially when 60 percent of all active Android devices are affected.

While Beardsley is calling for them to reconsider their decision, it’s likely that Google will not reverse it.

Join the Conversation

  • cr3d1ts

    You can test your built-in Android Browser for known vulnerability at this link http://www.androidleak.tk/

    It seems that about 25% of Android devices are vulnerable.

  • Grumpigeek

    Looks like Google’s old “don’t be evil” mantra has gone out the window.

    Worse still, most of the older devices cannot be upgraded to KitKat (unless rooted) because no KitKat update has been released for them.

    What an appalling and grossly negligent way for Google to behave!