Google refuses to patch vulnerability affecting 930 million users

Google has quietly disclosed that it will not be patching vulnerabilities in a core component of Android versions before KitKat. That leaves 60 percent of all active Android devices, or 930 million, vulnerable to attack.

The company made this disclosure to Tod Beardsley, a security researcher from Rapid7, after another vulnerability reporter was told by Google that it would not fix the bug. In a “bizarre” email, the incident handlers told Beardsley that:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue[…] If patches are provided with the report or put into AOSP we are happy to provide them to partners as well.

The vulnerabilities that Google refuses to patch are in a core component of Android called WebView, which apps use to render web pages on Android devices. Security researchers have found multiple bugs in it that could be exploited. One was a universal cross-site scripting attack, which Google patched in 2013. Another is a bug that fails to enforce the Same Origin Policy, the rule that governs whether a page from one site may read content belonging to another.

This vulnerability does not affect devices running Android 4.4 KitKat or above, because Google replaced the old WebView there with a Chromium-based version, bringing it closer to parity with the Chrome browser.

However, it does leave 60 percent of all active Android devices (according to Google’s own Dashboard statistics at the time of writing) vulnerable to attack unless someone outside the company develops a patch and Google’s partners push that update out to their users. Many of those partners have a very poor record of delivering updates. As Beardsley notes, “is AT&T or Motorola really more likely to incorporate a patch that comes from some guy on the Internet?”

It’s very easy to dismiss this and say that everyone should just upgrade to a newer version by one means or another (some official, some not so), but not everyone wants to upgrade, for a variety of reasons. Moreover, having Google state publicly that it won’t patch a vulnerability means attackers will likely look for ways to exploit the holes, especially when 60 percent of all active Android devices are exposed.
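For app developers whose users are still on those devices, the practical mitigation is to treat the platform WebView as unpatched when the build is older than KitKat and restrict what it is allowed to do. The following is an added example, not code from the article or from Google; it assumes an app with a minimum SDK of 14 that only needs to display its own content, and "example.com" is a placeholder for the app's real host.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class LegacyWebViewHardening {
    // Hosts this app is willing to render; "example.com" is a placeholder.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.com"));

    /** True when the device ships the pre-KitKat WebView that will no longer receive fixes from Google. */
    public static boolean usesUnpatchedWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
    }

    /** Apply restrictive settings only where the platform WebView is the legacy, unpatched one. */
    public static void harden(WebView webView) {
        if (!usesUnpatchedWebView()) {
            return; // KitKat and later use the Chromium-based WebView; normal settings apply.
        }
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);   // UXSS and SOP-bypass bugs need script to do damage.
        s.setAllowFileAccess(false);     // Keep file:// content out of the renderer entirely.
        s.setAllowContentAccess(false);
        s.setSavePassword(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) { // These two exist from API 16.
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        webView.setWebViewClient(new WebViewClient() {
            // Only covers top-level navigations; subresources are limited by JavaScript being off.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(url); // Returning true blocks the navigation.
            }
        });
    }

    /** Accept only HTTPS URLs whose host is on the allow-list. */
    static boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        return "https".equals(uri.getScheme()) && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
    }
}
```

Disabling JavaScript will break pages that depend on it, so apps that need script on these devices should instead render only content they fully control and never load third-party pages.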

While Beardsley is calling on Google to reconsider, it is unlikely the company will reverse its decision.
