Google flushes 61% of Android users down the security toilet


steven36

The Google-versus-Microsoft bug patching bunfight just took an interesting new turn.

As of Sunday 11 January 2015, we had Google publishing details, including sample code, for an Elevation of Privilege (EoP) exploit in Windows.

We had Microsoft come out swinging, "Not fair! We were two days away from patching this, and we asked Google in plenty of time, but they told us to talk to the hand."

Google's stance was that the rules are the rules (and Google should know, because it made up those rules itself), and 90 days is how long you get.

Cynically put, here's where we've ended up.

Microsoft's viewpoint is that, sometimes, patching things takes a bit longer than you thought.

Redmond: Humans aren't machines, and it's OK to keep that in mind.

Google, in contrast, has the opinion that a miss is as good as 1,609,344mm, and if you are aware that things may take longer than you thought, you ought to start earlier.

Mountain View: Humans aren't machines, and there's your problem.

The saga expands

At this point, Tod Beardsley of Metasploit weighed into the saga with a story of his own about Google.

Metasploit, if you're unaware of it, is a computer break-and-enter automation toolkit, equipped with pre-packaged exploits.

Metasploit makes it possible for people who don't understand vulnerabilities and hacking to break into your computer across the internet by typing a few simple commands.

With permission, of course!

If you're into lock picking, which is a surprisingly popular and relaxing hobby amongst penetration testers, Metasploit is your snap gun.

So, the Metasploit guys know a lot about finding and documenting vulnerabilities, weaponising them into exploits, and coming up with patches and other mitigations to block the types of attack they know about.

All of this vulnerability and exploit finding means that they're regularly in contact with software vendors to tell them about bugs they've found.

Indeed, as Beardsley tells it, the Metasploit team have found a number of exploitable holes in Android's web browser code over the past year, but most of them only affect older versions of Android, prior to KitKat (version 4.4).

That's a good sign, because it suggests that Android is becoming more secure and more resistant even to determined and skilful attack.

But pre-4.4 versions of Android are still in widespread use by Google's customers, as the company's own usage figures show:

[Image: Google's own Android version usage figures]

Astonishingly, the latest release of Android, Lollipop, now two months old, doesn't show up at all, presumably because fewer than 1 in 1000 Android users (0.1%) have received it so far.

In other words, you'd expect that exploitable bugs in Android Jelly Bean, at least, would be of special importance to Google.

After all, if you ignore Lollipop (and the statistics suggest that you ought to), Jelly Bean is pretty much the previous version of Android.

If Android were OS X, Jelly Bean would be Mavericks; if Windows, Jelly Bean would be Windows 7, or even Windows 8.

You'd expect it to be supported with timely security fixes, particularly given the infamous "90-day automatic full disclosure, no exceptions" rule of Google's own Project Zero team.

Indeed, on the way to the office this morning, I popped into a High Street electronics shop for an unscientific test.

I headed for the budget-conscious section, where you can pick up perfectly decent but not state-of-the-art laptops, phones and tablets in the $200-$300 range.

The first three Androids I picked up were all running pre-KitKat versions, in an interesting contrast to the budget laptops, which all came with Windows 8.1.

That's why Beardsley was surprised at a recent message from the Google Android security team:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

Beardsley called this "eyebrow raising news," which it is.

He even followed up to make sure he wasn't missing something, and got this:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue[...] If patches are provided with the report or put into AOSP we are happy to provide them to partners as well.

So, there you have it.

The bottom line

If you report a vulnerability in your Android Jelly Bean web browser, Google will provide you with a patch, provided that you send the patch along with your report.

At least that's what it sounds like.

Google should probably reconsider its decision, for the greater good of the Android ecosystem.


Google will soon find out the hard way that when you want to play hardball, the big boys sometimes throw at your head... bring your cleats, boys.



No more updates for Android Browser, switch to Firefox – here’s why

No matter which OS you use, it is important that you keep yourself protected from security vulnerabilities; otherwise you can get hacked. Developers of the Metasploit framework, which is penetration testing software, noticed that updates to the WebView component (the one used by Android's HTML renderer) have been discontinued for all Android versions prior to 4.4 (KitKat) and 5.0 (Lollipop). Google has thus decided to abandon lots of users with older Android devices (all 4.x versions except 4.4), even though the version of WebView in them has security vulnerabilities.

In Android 4.4, the vulnerable WebView component was finally replaced with its modern successor, based on the more secure Chromium code base. But the former one, used in Android 4.3 and earlier, has had no updates for a very long time! As of this moment, at least 11 working exploits are available publicly with different attack vectors! This is not just slightly unsafe, it is very dangerous.

Combined with another flaw in Google AdWords, which allows using HTML5+JavaScript in AdSense banners, an attacker can exploit any of these vulnerabilities to successfully attack Android devices with this outdated WebView component. At this moment, malefactors are actively using the AdWords security breach to redirect AdWords traffic to their own sites. Nothing prevents them from changing the method and their goals. See the following Google support thread for more details.

So, what can you do?

Switch to Mobile Firefox on Android

While it will not protect you from third-party apps which use WebView, the main app which you might be using to read the web on your mobile device is your browser. So now is a good time to switch from the outdated default "Browser"/"Internet" app to Firefox for Android. Firefox uses its own alternate rendering engine and is relatively safe. It is getting regular updates and even supports add-ons in the mobile version. For instance, if you install the "AdBlock Plus" or "Adblock Edge" add-on, it will block AdSense on your smartphone and you will not be affected by the AdWords flaw.

You can of course choose another browser of your choice, but my recommendation is to use Firefox. You can get it from Google Play or from F-Droid.

Winaero.com


This change affects no one. Android phones are not updated by Google but by OEMs, and phones still stuck on 4.3 or older aren't being updated by OEMs anyway. Even if Google continued to apply security fixes for older WebView versions, this would reach no end user.
