
Google has thrown Android users under the bus

AZgl1500

Yep, here is a report that states: Android 4.3 and lower will no longer be supported, even when a security hole is revealed.

http://www.extremetech.com/mobile/1...der-the-bus-refuses-to-patch-os-vulnerability

When security firm Rapid7 discovered a new exploit in the Android Browser version of WebView, it contacted Google to inform the company that Android 4.3 and below were vulnerable. Google’s response and policy change are raising major eyebrows. Specifically, the company states that:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

Google throws nearly a billion Android users under the bus, refuses to patch OS vulnerability | ExtremeTech

Google has publicly stated that they are not going to devote any more development time to 4.x

Pretty darn poor if you ask me.
Here you are, a proven security risk and they won't issue a patch to fix a hole as big as a barn door?

____________________________________
Verizon Galaxy S5, KK 4.4.4, ART
MyPhoneExplorer saves your tailbone

Nova Prime, Textra, Blue Mail, Qi wireless equipped
MacroDroid senses Screen off, turns Wifi & Data OFF
MacroDroid senses Screen on, turns WiFi & Data ON
 
<Thinking aloud>
The only devices that Google directly provides the updates for (Nexus devices) are already past that point of 4.4. For all other devices, the OEMs are either going to bump up to 4.4 or higher, or they won't.

If OEMs will bump up to 4.4 or higher, all is well. If they won't, even if Google did update WebView, what's the point? OEMs will not push it out to their devices.

So, while the article is true, who does it really impact?


Edit: The article states "What Google is doing, in essence, is telling its user community “Sorry, you have to tell Samsung, LG, and Motorola to provide you with an updated version of our operating system.” "
I don't think that is true - webview became part of the OS only with 4.4. Before that, it was part of the browser, as stated by the same article "Before KitKat (Android 4.4), all versions of Android used the version of WebView found within the Android Browser for rendering HTML webpages. With KitKat and Lollipop, Google updated the operating system to use a WebView plugin derived from its Chromium project."

I don't use a S4/S5 anymore, but doesn't Samsung provide their own browser for use?
 
"all versions of Android used the version of WebView found within the Android Browser for rendering HTML webpages."

So this is really a problem related to the stock Android Browser, rather than the OS itself? So if you're using Chrome or Opera or something something instead, should be OK. Chrome is the default browser on many devices, and that is regularly updated.
 
I wouldn't say they've really thrown anyone under a bus.

In the mobile world, 4.3 is outdated so you could argue any device running 4.3 is outdated.

No currently supported Nexus device is running 4.3 or below so why should the onus be on Google to update Samsung, LG, HTC devices etc when they have had access to the source for over a year and are capable of doing it themselves?
 
If you didn't see the rest - Google pointed out a Windows vulnerability before MS could fix it.
You left out one piece of information - Google sent Microsoft information about the bug 3 months ago, and asked Microsoft to fix it within 90 days. And also told them that if that wasn't done, they would publish that information.

This does have its benefits (forcing software companies to fix these bugs - by publicly 'shaming' them), but at the same time, making that information public is not necessarily safe either. A controversial choice.
With Microsoft, with their policy of releasing updates on one day of a month (patch Tuesday), they may not even get the full 90 days to get their fix out.
 
With Microsoft, with their policy of releasing updates on one day of a month (patch Tuesday), they may not even get the full 90 days to get their fix out

Microsoft will push out-of-schedule updates for critical vulnerabilities. In this case, my guess is that they had the patch ready for the regular release and were playing a game of chicken with Google to see who would flinch first.

As for the WebView vulnerability ... I've read through a lot of it and from what I can gather cookies are stored in a database and can be accessed if the user is tricked into downloading a specific payload and gives it permission to run. Similar to most malware, it requires the user to permit it. It's still just in the proof of concept stage. It may not be patched in older versions but I wouldn't be surprised if anti-malware apps were working on detection and removal.
 
Edit: The article states "What Google is doing, in essence, is telling its user community “Sorry, you have to tell Samsung, LG, and Motorola to provide you with an updated version of our operating system.” "
I don't think that is true - webview became part of the OS only with 4.4. Before that, it was part of the browser, as stated by the same article "Before KitKat (Android 4.4), all versions of Android used the version of WebView found within the Android Browser for rendering HTML webpages. With KitKat and Lollipop, Google updated the operating system to use a WebView plugin derived from its Chromium project."

I don't use a S4/S5 anymore, but doesn't Samsung provide their own browser for use?
Pretty sure that WebView is part of the operating system and Google simply replaced the source.

If you updated to Jellybean and kept your old browsers without updating them, all of those using WebView lost the ability to do text reflow on zoom.

http://developer.android.com/reference/android/webkit/WebView.html

http://developer.android.com/guide/webapps/webview.html

Some browsers don't use WebView / WebKit. Double check me on this but the first one that springs to mind is Firefox. Dolphin also modified it specifically to support text reflow and Flash.

EDIT - ok, WebView is part of the sdk, and it's an api to WebKit. Either way, still built-in from the devs point of view.
 
Android Central has a really nice write-up explaining the situation without any unnecessary hyperbole:

http://www.androidcentral.com/android-webview-security

The TL;DR:
Google fixed the Jelly Bean webview issue over a year ago. The patch is called Android 4.4 KitKat.

And it is ultimately up to the manufacturers to get devices updated to a more recent version of Android. Google makes the source code available in AOSP, but the manufacturers are the ones who create the builds (images, OTAs, etc) for their products.

If you're upset that your device is stuck on 4.3 and is susceptible to the exploit, kindly direct your angst towards the entities that haven't given you an update - your carrier and/or manufacturer, not Google.

Because Google won't be developing patches to Jelly Bean's WebView, it's up to OEMs to develop and roll out their own fixes on affected phones and tablets. Given that these devices are already running a fairly old version of the OS, we're not holding our breath for manufacturers and carriers to deploy anything in a timely manner. And to be clear, that would likely be the case regardless of whether Google developed its own Jelly Bean WebView patches or not.
 
Android Central has a really nice write-up explaining the situation without any unnecessary hyperbole:

http://www.androidcentral.com/android-webview-security

The TL;DR:


And it is ultimately up to the manufacturers to get devices updated to a more recent version of Android. Google makes the source code available in AOSP, but the manufacturers are the ones who create the builds (images, OTAs, etc) for their products.

If you're upset that your device is stuck on 4.3 and is susceptible to the exploit, kindly direct your angst towards the entities that haven't given you an update - your carrier and/or manufacturer, not Google.
Unless you own a Verizon Galaxy Nexus.
 
Pretty darn poor if you ask me.
Here you are, a proven security risk and they won't issue a patch to fix a hole as big as a barn door?

The bug affects 4.3 and below, so the proven security risk HAS BEEN PATCHED. It's called Android 4.4 and up. It's not Google's fault if OEMs won't update your phone running 4.3 to 4.4 and up.
 
Aside from the polemics, has anyone found an article explaining what the vulnerability is and whether the consequences are extreme or just a nuisance?
I think this is from the original publication of the vulnerability? http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html

And TrendMicro's recap: http://blog.trendmicro.com/trendlab...s-vulnerability-has-wider-reach-than-thought/

An attacker could potentially use an IFRAME to load a legitimate site for which the victim has an account. Due to the disclosed bug he now has the ability to run Javascript in the context of that site, something he should not be able to do due to the Same Origin Policy (a site can only use code to access its own content). The victim would then run the risk of possibly having the data they input on that legitimate website, or cookies associated with it, stolen by the attacker.

To recap, in the context of a browser, a same origin policy restricts scripts so that one site cannot access another site’s properties which may include cookies and locations among others. Conceptually, it is a way of isolating sites from one another so that malicious code on one site cannot affect another site. All modern browsers include some form of this policy today.

A UXSS attack does not need for any vulnerability on the target website to be present. A user visiting a malicious URL is sufficient for the attack to be carried out. For example, the cookies of any site visited by the user in the past can be easily stolen. In other scenarios, the target site can be “modified” as if it had been compromised by an attacker, with all of these “modifications” happening within the user’s browser.
 
OK, so if you can't get the patch, according to the article, switch to Firefox. Or Chrome.


Any non WebView browser - that's the patch, that's the real story on how to protect yourself.


Exactly what I said earlier.
 
So - let's recap.

The top story going everywhere could have been - "Firefox or Chrome needed to protect most Android users!"

But no. No one mentioned that except the researchers.

Everyone - everyone - else, focused on the click bait: "Google Throws 930 Million Android Users Under The Bus!" "Google Refuses To Patch Huge Defect!"

Yeah - one patch is called 4.4 - but a whole lot of people cannot access that.

Most others can install a browser that is immune to the problem. How many can do that?



I don't know about the rest of you - but I'm still using a 2011 Gingerbread phone as a wifi appliance from time to time - with Firefox.

So how big is the number? Taken in light of what's possible, yes, it can go up to 930 million - or it could go down to a few percent of that.

Many budget phones can't get more apps installed. Many that can, won't, because there are no headlines telling them what to do.

There's only one headline right now - "The Android Sky Is Falling!"

But - it's really not.
 
I install a browser, native browser and Google search gone. One disabled, one by launcher. I wouldn't blame Google for lack of update. The one carrier phone I had before I got mad and rooted it was enough to show it wasn't Google.
I've told friends to blame Sprint rather than Google for an update they don't like or is late. I happen to like 4.3.

I'm not making a judgment call on any of this. I'm just generally amused by and interested in the whole situation. There's more in the background - Google and other Silicon Valley businesses have agreed to stop poaching employees. Google is declaring Firefox on computer (never mind android) unsafe. The same for Thunderbird. I'm reading and wondering how much is sour grapes as Mozilla dropped Google as partner and went to Yahoo. A lot of the tech companies have issues with one another. Cellcos and cable are mad at Verizon for suing the FCC. What's the saying about thieves falling out?

I finally had to look up that exploit. The news and search only mention what it did, how it worked and how to avoid it by using only the big 3 (sub Opera for IE on Android) for safety. No mention of any of the others that many people here like. It would also be nice if a better explanation of how it works and how to avoid it was written so Grandma could understand it. It has some in an uproar on other tech sites and the posts make it sound like update now and buy a new phone now if you can't update!

I just post the news since some articles never get mentioned.
 
One of the links provided does too mention several broken browsers. If yours isn't listed and you're on 4.3 or lower, you're vulnerable.

It's been explained, in plain language.

If you want it explained any better, you'll have to find someone as smart as yourself. No idea who that would be.

Enjoy laughing at it all. You usually do.

Many off-topic articles are indeed, never mentioned otherwise.
 
There are a million browsers out there, how to know which ones are WebView based and which aren't?
http://whatsmyuseragent.com/

Firefox, good, no mention of WebKit -



Other, suspect -



Doesn't work if you have a browser where you went in and defined your own user agent.

Not fooled by mobile vs desktop browsing.
 
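The user-agent check described in the post above, written out as a small classifier (an added example, not code from the thread or from whatsmyuseragent.com). It applies the thread's own rule: a WebKit-based engine advertising the stock Browser markers ("Version/4.0 ... Mobile Safari" with no "Chrome/" token) on Android below 4.4 is the affected WebView, while Gecko (Firefox) and anything carrying a "Chrome/" token are not. The sample user-agent strings are constructed for the example, and, as the post notes, a custom user agent defeats this kind of check.

```python
import re
from typing import NamedTuple, Optional, Tuple


class UAVerdict(NamedTuple):
    engine: str                          # "gecko", "webkit" or "unknown"
    android: Optional[Tuple[int, int]]   # (major, minor) parsed from the UA, or None
    legacy_webview: bool                 # stock Browser / pre-KitKat WebView markers present
    verdict: str                         # "vulnerable", "not affected" or "unknown"


def classify_android_ua(ua: str) -> UAVerdict:
    """Heuristic triage of an Android user-agent string (assumed format, see lead-in)."""
    m = re.search(r"Android (\d+)\.(\d+)", ua)
    android = (int(m.group(1)), int(m.group(2))) if m else None

    # "Gecko/" only appears in real Gecko UAs; WebKit/Chrome UAs say "(KHTML, like Gecko)".
    if "Gecko/" in ua and "Firefox/" in ua:
        engine = "gecko"
    elif "AppleWebKit/" in ua:
        engine = "webkit"
    else:
        engine = "unknown"

    # Stock Browser and the pre-4.4 WebView advertise "Version/4.0 ... Mobile Safari"
    # without a "Chrome/" token; Chrome and the KitKat+ Chromium WebView carry "Chrome/".
    legacy_webview = engine == "webkit" and "Version/" in ua and "Chrome/" not in ua

    if engine == "gecko" or (engine == "webkit" and "Chrome/" in ua):
        verdict = "not affected"
    elif legacy_webview and android is not None:
        verdict = "vulnerable" if android < (4, 4) else "not affected"
    else:
        verdict = "unknown"   # no Android version, or an engine we cannot place
    return UAVerdict(engine, android, legacy_webview, verdict)


# Constructed sample user agents, patterned on the formats the browsers use.
SAMPLE_UAS = {
    "stock_43": "Mozilla/5.0 (Linux; U; Android 4.3; en-us; DEVICE Build/CONSTRUCTED) "
                "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
    "chrome_43": "Mozilla/5.0 (Linux; Android 4.3; DEVICE Build/CONSTRUCTED) "
                 "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.93 Mobile Safari/537.36",
    "firefox": "Mozilla/5.0 (Android; Mobile; rv:35.0) Gecko/35.0 Firefox/35.0",
    "webview_444": "Mozilla/5.0 (Linux; Android 4.4.4; DEVICE Build/CONSTRUCTED) "
                   "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36",
}

if __name__ == "__main__":
    for name, ua in SAMPLE_UAS.items():
        print(f"{name:12s} -> {classify_android_ua(ua).verdict}")
```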