So it seems the Google corporate motto/slogan “Don’t be evil” is falling down again. Google is adopting a very Microsoft-esque approach and orphaning users of older versions of Android (basically anything before the current production version 4.4, AKA KitKat).
That is the majority of Android users right now. Those on lower-end devices in particular are unlikely to get 4.4 updates, and even less likely to get the upcoming Android 5.x version, which is coming to most providers early this year.
WebView vulnerabilities aren’t unheard of, and they only affect Android 4.3 (Jelly Bean) and below – because the newer version uses a much newer Chromium-based WebView, which is not susceptible to the current crop of exploits.
Over the past year, independent researcher Rafay Baloch (of “Rafay’s Hacking Articles”) and Rapid7’s Joe Vennix have been knocking out Android WebView exploits somewhat routinely, based both on published research and original findings. Today, Metasploit ships with 11 such exploits, thanks to Rafay, Joe, and the rest of the open source security community. Generally speaking, these exploits affect “only” Android 4.3 and prior — either native Android 4.3, or apps built with 4.3 WebView compatibility.
WebView is the core component used to render web pages on an Android device. It was replaced in Android KitKat (4.4) with a more recent Chromium-based version of WebView, used by the popular Chrome browser.
Despite this change, though, it’s likely there will be no slow-down of these Android security bugs, and they will probably last a long time due to a new and under-reported policy from Google’s Android security team: Google will no longer be providing security patches for vulnerabilities reported to affect only versions of Android’s native WebView prior to 4.4. In other words, Google is now only supporting the current named version of Android (Lollipop, or 5.0) and the prior named version (KitKat, or 4.4). Jelly Bean (versions 4.0 through 4.3) and earlier will no longer see security patches for WebView from Google, according to incident handlers at firstname.lastname@example.org.
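Since pre-4.4 WebView will not be receiving fixes from Google, the practical lever left to an app developer is to shrink what the embedded WebView is allowed to do on those devices. The following is an added example of that kind of hardening; it is not code from the post, from Rapid7 or from Google. The class name WebViewHardening, the helper names and the allowlist parameter are my own; the Android APIs used (Build.VERSION, WebSettings, WebViewClient.shouldOverrideUrlLoading) are standard platform APIs.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Locale;
import java.util.Set;

// Added example (hypothetical helper, not part of the original post):
// defensive settings for an app that still runs on pre-KitKat devices.
public final class WebViewHardening {

    private WebViewHardening() {}

    /** True on devices whose built-in WebView predates the Chromium-based one in 4.4. */
    public static boolean usesLegacyWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT; // KITKAT == API 19
    }

    /**
     * Apply conservative WebSettings. JavaScript is only enabled when the app
     * needs it AND the platform WebView is one that still receives patches.
     */
    public static void harden(WebView webView, boolean appNeedsJavaScript) {
        WebSettings settings = webView.getSettings();

        // Never let loaded content read local files; the two file-URL origin
        // settings (API 16+) default to permissive on older platforms.
        settings.setAllowFileAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }

        // On an unpatched legacy WebView, keep JavaScript off regardless of need.
        settings.setJavaScriptEnabled(appNeedsJavaScript && !usesLegacyWebView());

        // Any JavaScript bridge registered earlier with addJavascriptInterface is
        // reachable from every page the WebView loads; drop a commonly used name.
        // (Bridge name "Android" is a placeholder; use your app's actual names.)
        webView.removeJavascriptInterface("Android");
    }

    /** Only https URLs whose host is on the app's allowlist may be navigated to. */
    public static boolean isAllowedUrl(String url, Set<String> allowedHosts) {
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equals(uri.getScheme())
                && host != null
                && allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    /** WebViewClient that cancels top-level navigations outside the allowlist. */
    public static WebViewClient allowlistClient(final Set<String> allowedHosts) {
        return new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true tells the WebView NOT to load the URL.
                return !isAllowedUrl(url, allowedHosts);
            }
        };
    }
}
```

Typical use is `WebViewHardening.harden(webView, false); webView.setWebViewClient(WebViewHardening.allowlistClient(hosts));` before the first `loadUrl`. Note that `shouldOverrideUrlLoading` is only consulted for navigations, not for subresource loads such as scripts, images or XHR, so it limits where the WebView goes rather than what a page can fetch once loaded; the WebSettings changes are what reduce the blast radius of a page that does get rendered.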
Up until recently, whenever there was a newly discovered vulnerability in Android 4.3, the folks at Google were pretty quick with a fix. After all, most people were on the “Jelly Bean” version of Android until December of 2013. Jelly Bean’s final release was just over a year ago, in October of 2013. This is why this universal cross-site scripting bug was fixed, as seen in the Android changelog and Rafay’s blog, Rafay Hacking Articles.
The sad part is that Google seems to acknowledge this situation and isn’t really willing to do anything about it. Basically, Android 4.3 has reached EOL (End of Life) and is being orphaned: Google will not be providing patches any more – even for critical security issues like this.
Perhaps it’s a forking issue, given that the core of WebView is different now, because other components of Android 4.3 will still be receiving back-ported patches.
However, after receiving a report of a new vulnerability in pre-4.4 WebView, the incident handlers at email@example.com responded with this:
If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.
So, Google is no longer going to be providing patches for 4.3. This is some eyebrow-raising news.
I’ve never seen a vulnerability response program that was gated on the reporter providing his own patch, yet that seems to be Google’s position. This change in security policy seemed so bizarre, in fact, that I couldn’t believe that it was actually official Google policy. So, I followed up and asked for confirmation on what was told to the vulnerability reporter. In response, I got a nearly identical statement from firstname.lastname@example.org:
If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue[…] If patches are provided with the report or put into AOSP we are happy to provide them to partners as well.
When asked for further clarification, the Android security team did confirm that other pre-KitKat components, such as the multi-media players, will continue to receive back-ported patches.
Knowing Google, I don’t foresee them changing their stance on this – they might because of community/media pressure – but honestly I find that unlikely.
Either way, we shall keep an eye out – because if they don’t patch these kinds of issues we could be looking at some large-scale Android worm/malware infections popping up on the back of this.