Wednesday, 14 January 2015

Google won't fix a security bug that's in almost a billion Android phones


A day after Google publicized a flaw in Windows 8.1 before Microsoft could do anything about it, news broke about a security vulnerability in Android that the Mountain View company, well, won't fix at all. Tod Beardsley, an analyst from Rapid7, a security data and analytics firm, found a serious bug in the WebView component of Android 4.3 and below (it's an older bit of software that lets apps view webpages without launching a separate app) that potentially opens up affected phones to malicious hackers. Android 4.4 and 5.0 are unaffected by the bug, but as 60 percent of Android users -- that's close to a billion people -- still use Android 4.3 or lower, it still affects a lot of people. Unfortunately, as Beardsley found out, Google won't fix it, leaving it up to the various OEMs and manufacturers to issue a patch instead.
The quote from Google to Beardsley is as follows:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

According to Beardsley, it seems that Jelly Bean devices are simply too old to support -- supporting old software versions is fairly unusual, after all. But in this case, he asks Google to reconsider because of the wider consequences this security flaw could have. Until then, however, it might be a good idea to upgrade to Android 4.4, or perhaps get a new phone altogether.
Rapid7

Nicole Lee
Engadget 




