Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google stops providing updates for Android Jelly Bean


  • Please log in to reply
2 replies to this topic

#1 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:02:20 PM

Posted 12 January 2015 - 03:54 PM

 

900+ million users left in a lurch as Google says it has stopped providing security patches for the Webview component in Android 4.3 Jellybean and earlier versions

Sad but true. If you one of those people who use Android 4.3 and below version operating system on your smartphone and are waiting for Google to patch the Android Same Origin Policy (SOP) vulnerability, well you are not going to get it from Google.

The Android legacy SOP flaw which was discovered by Rafay Baloch, a Pakistani security researcher, affects the webview component of the Android default browser shipped with around 930,000 smartphones operating on Android 4.3 Jelly Bean and below.

The vulnerability in the WebView component, occurs when replacing the ‘data’ attribute of a given HTML object with a JavaScript URL scheme.  A potential hacker could leverage the UXSS flaw to scrape cookie data and page contents from a vulnerable browser window.

The security hole can be exploited in all versions of the Android Open Source Platform (AOSP) browser which also known as Android stock or default browser. The vulnerability exists only in Android OS 4.3 Jellybean and below.

Google stops providing updates for Android Jelly Bean and lower versions for Webview component

 



BC AdBot (Login to Remove)

 


#2 NickAu

NickAu

    Bleepin' Fish Doctor

  • Topic Starter

  • Moderator
  • 13,556 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:02:20 PM

Posted 13 January 2015 - 03:44 PM

 

Just as Google is coming under fire for publicizing a Windows bug two days before Microsoft released a fix, the company is now in the crosshairs because of its approach towards updating its own software.

Not for the first time, a bug has been found in the WebView component of Android 4.3 and below. This is the embeddable browser control powered by a version of the WebKit rendering engine used in Android apps.

Android 4.4 and 5.0, which use Blink rather than WebKit for their WebView, are unaffected. But by Google's own numbers, some 60 percent of Android users are using 4.3 or below. As such, this is a widespread, high-impact bug. The normal procedure would be to report the bug to Google, and for Google to develop a fix and publish it as part of Android Open Source Project release.

But, writes Tod Beardsley, developer of the Metasploit security testing framework, that's not what happened this time. The Android security team was notified of the problem, and the response was

 

Google won’t fix bug hitting 60 percent of Android phones

 

Why would Google want to fix this when it's just easier to sell you a new phone.



#3 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 35,758 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:08:20 PM

Posted 13 January 2015 - 04:20 PM

From: http://www.theregister.co.uk/2015/01/12/google_drops_android_webview/

"Google's reasoning for this policy shift is that they 'no longer certify 3rd party devices that include the Android Browser', and 'the best way to ensure that Android devices are secure is to update them to the latest version of Android'," explained Tod Beardsley, engineering manager at Rapid7, the developers of the Metasploit penetration testing tool. "On its face, this seems like a reasonable decision. Maintaining support for a software product that is two versions behind would be fairly unusual in both the proprietary and open source software worlds."


The biggest gripe that people lodge at the Android platform is fragmentation and sheer number of different hard ware that it must work with. This is Google's way of reining in that fragmentation. Is it fair? Is it right? Who's to say. But how would you address the fragmentation gripes?

The easy fix is to disable the OEM Android browser and use an alternative. Just like probably 80 percent of the people who choose an alternative to IE in Windows.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)


Follow BleepingComputer on: Facebook | Twitter | Google+




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users