Darknet – Hacking Tools, Hacker News & Cyber Security


Google Leaves Android Users Vulnerable To WebView Exploit

January 15, 2015


So it seems the Google corporate motto/slogan “Don’t be evil” is falling down again. Google is adopting a very Microsoft-esque approach and orphaning users of older versions of Android (basically anything before the current production version 4.4, AKA KitKat).

That is the majority of Android users right now. Those using lower-end devices in particular are unlikely to get 4.4 updates, and even less likely to get the upcoming Android 5.x version, which is coming to most providers early this year.


WebView vulnerabilities aren’t unheard of, and they only affect Android 4.3 (Jelly Bean) and below, because the newer version uses a much newer Chromium-based WebView which is not susceptible to the current crop of exploits.

Over the past year, independent researcher Rafay Baloch (of “Rafay’s Hacking Articles”) and Rapid7’s Joe Vennix have been knocking out Android WebView exploits somewhat routinely, based both on published research and original findings. Today, Metasploit ships with 11 such exploits, thanks to Rafay, Joe, and the rest of the open source security community. Generally speaking, these exploits affect “only” Android 4.3 and prior — either native Android 4.3, or apps built with 4.3 WebView compatibility.

WebView is the core component used to render web pages on an Android device. It was replaced in Android KitKat (4.4) with a more recent Chromium-based version of WebView, used by the popular Chrome browser.

Despite this change, though, it’s likely there will be no slow-down of these Android security bugs, and they will probably last a long time due to a new and under-reported policy from Google’s Android security team: Google will no longer be providing security patches for vulnerabilities reported to affect only versions of Android’s native WebView prior to 4.4. In other words, Google is now only supporting the current named version of Android (Lollipop, or 5.0) and the prior named version (KitKat, or 4.4). Jelly Bean (versions 4.0 through 4.3) and earlier will no longer see security patches for WebView from Google, according to incident handlers at [email protected].

Up until recently, when there’s a newly discovered vulnerability with Android 4.3, the folks at Google were pretty quick with a fix. After all, most people were on the “Jelly Bean” version of Android until December of 2013. Jelly Bean’s final release was just over a year ago in October of 2013. This is why this universal cross-site scripting bug was fixed, as seen in the Android changelog and Rafay’s blog, Rafay Hacking Articles.

The sad part is Google seems to acknowledge this situation and isn’t really willing to do anything about it. Basically it seems like Android 4.3 has reached EOL (End of Life) and is being orphaned; Google will not be providing patches any more, even for critical security issues like this.

Perhaps it’s a forking issue and the fact that the core of WebView is different now, because other components of Android 4.3 will be receiving back-ported patches.

However, after receiving a report of a new vulnerability in pre-4.4 WebView, the incident handlers at [email protected] responded with this:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

So, Google is no longer going to be providing patches for 4.3. This is some eyebrow-raising news.

I’ve never seen a vulnerability response program that was gated on the reporter providing his own patch, yet that seems to be Google’s position. This change in security policy seemed so bizarre, in fact, that I couldn’t believe that it was actually official Google policy. So, I followed up and asked for confirmation on what was told to the vulnerability reporter. In response, I got a nearly identical statement from [email protected]:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue[…] If patches are provided with the report or put into AOSP we are happy to provide them to partners as well.

When asked for further clarification, the Android security team did confirm that other pre-KitKat components, such as the multi-media players, will continue to receive back-ported patches.

Knowing Google, I don’t foresee them changing their stance on this. They might because of community/media pressure, but honestly I find that unlikely.

Either way, we shall keep an eye out, because if they don’t patch these kinds of issues we could be looking at some large-scale Android worm/malware infections popping up on the back of this.

Source: Rapid7


Filed Under: Exploits/Vulnerabilities Tagged With: android, android exploit, android malware, android security




Comments

  1. Histerik, Al says

    January 15, 2015 at 2:51 am

    It’s silly (and says something about bias) to put the blame squarely on Google. What about OEMs not updating their devices? The solution going forward is to create modular pieces that can be updated via Play (KitKat+) which Google is doing.

    For a more balanced perspective: http://www.androidcentral.com/android-webview-security

    • Darknet says

      January 16, 2015 at 6:13 pm

      That’s always been an issue with Android though, the fragmentation of devices and the difficulty of OEMs to move their devices to fundamentally different versions of Android than they were originally designed for.

      Idealism vs reality – should all devices be on 4.4 and above? Yes of course. Are they going to be? No. So what do we do? Abandon them? It’s a LOT easier for OEMs to push out a patched 4.3 with minor testing than to invest millions in making sure every component of their devices work with 4.4.x.

  2. Michael says

    January 15, 2015 at 5:46 pm

    I’m scratching my head on this one.

    Sometimes vendors don’t provide patches for very old versions in order to encourage customers to finally upgrade their OS (for example, Microsoft stopping to provide WinXP patches).

    But in this case, firstly Android Jelly Bean isn’t that old. It’s not like customers have been holding on to the same phone for 10 years. Secondly, from what I’ve read it’s not easy to upgrade one’s Android version – you need your cellular network provider to make a custom version available for your phone.

    I think that if there’s a large enough outcry, then Google will reconsider.

    • Darknet says

      January 16, 2015 at 6:14 pm

      Yah, it’s not a 5 year old version that’s being left behind. It should be patched IMHO.

  3. Rick Brown says

    February 11, 2015 at 3:12 pm

    There are a very few Android Lollipop users in contrast to Jelly Bean and if Google has left them vulnerable, then it is very obvious that these users will switch to some other OS.
