{"id":3858,"date":"2015-01-15T02:21:20","date_gmt":"2015-01-14T18:21:20","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3858"},"modified":"2015-09-09T19:36:41","modified_gmt":"2015-09-09T11:36:41","slug":"google-leaves-android-users-vulnerable-webview-exploit","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2015\/01\/google-leaves-android-users-vulnerable-webview-exploit\/","title":{"rendered":"Google Leaves Android Users Vulnerable To WebView Exploit"},"content":{"rendered":"

So it seems the Google corporate motto\/slogan “Don’t be evil” is falling down again: Google is adopting a very Microsoft-esque approach and orphaning users of older versions of Android (basically anything before the current production version 4.4, AKA KitKat).<\/p>\n

That is the majority of Android users right now; those using lower-end devices in particular are unlikely to get 4.4 updates and even less likely to get the upcoming Android 5.x version, which is coming to most providers early this year.<\/p>\n


WebView vulnerabilities aren’t unheard of, and they only affect Android 4.3 (Jelly Bean) and below, because the newer version uses a much newer Chromium version of WebView, which is not susceptible to the current crop of exploits.<\/p>\n

Over the past year, independent researcher Rafay Baloch (of “Rafay’s Hacking Articles”) and Rapid7’s Joe Vennix have been knocking out Android WebView exploits somewhat routinely, based both on published research and original findings. Today, Metasploit ships with 11 such exploits, thanks to Rafay, Joe, and the rest of the open source security community. Generally speaking, these exploits affect “only” Android 4.3 and prior — either native Android 4.3, or apps built with 4.3 WebView compatibility.<\/p>\n

WebView is the core component used to render web pages on an Android device. It was replaced in Android KitKat (4.4) with a more recent Chromium-based version of WebView, used by the popular Chrome browser.<\/p>\n

Despite this change, though, it\u2019s likely there will be no slow-down of these Android security bugs, and they will probably last a long time due to a new and under-reported policy from Google’s Android security team: Google will no longer be providing security patches for vulnerabilities reported to affect only versions of Android’s native WebView prior to 4.4. In other words, Google is now only supporting the current named version of Android (Lollipop, or 5.0) and the prior named version (KitKat, or 4.4). Jelly Bean (versions 4.0 through 4.3) and earlier will no longer see security patches for WebView from Google, according to incident handlers at security@android.com. <\/p>\n

Up until recently, when there’s a newly discovered vulnerability with Android 4.3, the folks at Google were pretty quick with a fix. After all, most people were on the “Jelly Bean” version of Android until December of 2013. Jelly Bean’s final release was just over a year ago in October of 2013. This is why this universal cross-site scripting bug was fixed, as seen in the Android changelog and Rafay’s blog, Rafay Hacking Articles.<\/p><\/blockquote>\n