Google has quietly disclosed that it will not be patching any vulnerabilities in a component in versions of Android before KitKat. This means that 60 percent of all active Android devices – or 930 million – are now vulnerable to an attack.
The company made this disclosure to Tod Beardsley, a security researcher from Rapid7, after another vulnerability reporter was told by Google that they will not fix the bug. In a “bizarre” email, the incident handlers told Beardsley that:
If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue[…] If patches are provided with the report or put into AOSP we are happy to provide them to partners as well.
The vulnerabilities that Google refuses to patch are part of a core component inside Android called WebView, which is used to generate web pages on Android devices. Security researchers have found multiple bugs that could be exploited. One was a universal cross-site scripting attack, which has since been patched by Google in 2013. Another is a bug that failed to enforce Same Origin Policy – which governs how pages load content from other sites.
This vulnerability does not affect those running Android 4.4 KitKat or above, as Google replaced it with a Chromium-based version – making it more on par with the Chrome browser.
However, it does leave 60 percent of all active Android devices – according to Google’s statistics from its Dashboard, at the time of writing – now vulnerable to an attack unless someone outside the company develops a patch and Google’s partners push that update to its user base – many of whom have been really, really bad in pushing updates to users. As well, as Beardsley notes, “is AT&T or Motorola really more likely to incorporate a patch that comes from some guy on the Internet?”
It’s very easy to dismiss this and say that everyone should just upgrade to the new version by a variety of ways (some official, some not so), but not everyone wants to upgrade for a variety of reasons. As well, to have Google come out and state that they won’t patch a vulnerability means that hackers will likely find ways to exploit the security holes – especially when 60 percent of all active Android devices are now vulnerable.
While Beardsley is calling for them to reconsider their decision, it’s likely that Google will not reverse it.