In what can be called some of the most common and boring news in the tech world for most people to read, a new bug has been discovered in one of the world’s most commonly used OSes. For once, Microsoft is off the hook – the bug is actually a flaw in the WebView engine used to render webpages inside Google’s Android OS, versions 4.3 and below.
The bug itself isn’t all that interesting, though it is fairly severe: a basic exploit of the now-defunct WebKit (which was replaced by Blink in versions 4.4 and up of the OS) allows privilege escalation and code execution should someone develop a webpage designed to take advantage of it. The actual story comes from Google’s response – a simple, flat-out “thanks for telling us, we’ll let OEMs know, but that’s all.”
Metasploit contributor Tod Beardsley lays out the basic facts of Google’s position, which we’ll summarize: the Android development team will not be developing patches for 4.3 or earlier revisions of the OS. Instead, the team will pass the information on to the OEMs and let each of them determine the best response for their products. Google has said that it will gladly accept a patch from the community that it deems sufficient and pass it along to the OEMs, but that it will not spare developer time to create its own.
This probably wouldn’t be a problem in and of itself – the last revision of Jelly Bean (4.3, the last affected version) was released at the end of Quarter 2 of 2013, and Android has seen both minor and major updates in the roughly 18 months since. The average lifespan of a phone is, incidentally, usually around 18 months, so the law of averages says that many of the devices released with 4.3 or below will be retiring within the next 6 months. However, the falling cost of older hardware means that many devices running Jelly Bean are still being manufactured and sold today.
Google’s own monthly usage stats show that more than 60% of all Android devices currently in use would be affected by this bug. Things are further complicated by the fact that the Android project has no published end-of-support cycle – OEMs and consumers have no real idea of how quickly Google may stop providing support and move on to the next version altogether.
The issue brings to light a core difficulty with Android: the same ability to run on so many types of devices makes it harder to update. Even once Google writes a patch that applies to all devices, the OS can only be updated device-by-device, with each OEM releasing a firmware update compiled for that specific hardware and the user then fetching and installing that update.
The good news is that this most recent issue will almost assuredly push forward the discussion/effort for a cohesive patching and update system similar to Windows Update. However, none of that will likely come to fruition in the near future, and it is liable to introduce its own security holes for a while when it does.
Credit: Norebbo
In the meantime, we’re left with a staggering number of vulnerable devices with little hope for a fix. Though Google is certainly not required to play catch-up for what is now legacy software and write its own patch to help OEMs, it’s nearly assured that without Google doing so, no patch (especially a cohesive, effective one) is likely to ever reach the market for these devices, leaving them permanently vulnerable. Given that version 4.3 itself was only released 18 months ago (a short time for an OS, but a long time for the hardware it runs on), the security and mobile development world is now abuzz with discussion of whose shoulders the responsibility should rest on.
Coverage of the events that we’ve read elsewhere (example) already takes aim at Google, arguing that Android’s maintainer is the only one likely to get a patch even rolling. However, it’s important to note that many of the affected devices are likely to go out of daily service by the time (or shortly after) the OEMs take Google’s patch, test it, turn it into a full firmware update for each device and push it out to users.
In the meantime, a different fix already exists – OEMs could simply push out a version update to 4.4 for devices that meet the software requirements, which would fix around 70-75% of the affected devices and leave only extremely old devices behind the curve that are already likely vulnerable to other issues.
One has to wonder, since OEMs already have a “patch” available in a total upgrade, whether this is truly Google’s cross to bear. Google doesn’t get paid any license fees for Android, and it seems more like OEMs are simply leaving their customers vulnerable based on a paid motivation of device obsolescence. Leave us your own thoughts in the comments.