Google defends policy that leaves most Android devices unpatched


RV_

If you are running anything other than the newest versions of Android you are vulnerable. Read on.

Excerpt:

"Google on Friday defended its decision to stop patching WebView, a core component of Android, on versions older than 4.4, aka "KitKat," saying that the huge code base is unsafe to fix.

 

"Until recently, we have also provided backports for the version of WebKit that is used by WebView on Android 4.3 and earlier," wrote Adrian Ludwig, Android lead security engineer on Google+. "But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a two-plus-year-old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely."

 

Ludwig was responding to claims made earlier in the month by Tod Beardsley, the engineering manager at security vendor Rapid7, who contended that Google's security team would no longer craft fixes for flaws in WebView for Android 4.3 and older. Android 4.3, the predecessor to KitKat, is better known as "Jelly Bean."

 

WebView powers the stock Android browser included with Jelly Bean -- Google replaced that browser with Chrome in KitKat -- and is called by apps that display a Web page in KitKat and earlier. (A much-changed WebView was spun out of the operating system as of Android 5.0, aka "Lollipop.")

 

Because it's not only at the heart of Google's mobile browsers, but also heavily used by apps, any exploitable bugs in WebView would pose a significant threat to users, Beardsley said in a blog post of Jan. 12 and an interview with Computerworld the same day.

 

"WebView is the attack vector for Android," Beardsley said then. "If I'm an attacker, I'll exploit WebView by making a website and hope that people will click on it."

 

According to Beardsley, the Android security response team first replied to bug reports in mid-October with the "we-don't-patch-WebView-anymore" message. Beardsley used his blog to urge Google to change its collective mind and return to patching WebView in those older editions, which by Google's own admission power more than 60 percent of all Android devices."

 

The rest of that article with more is here: http://www.infoworld.com/article/2875139/mobile-technology/google-defends-policy-that-leaves-most-android-devices-unpatched.html?phint=newt%3Dinfoworld_tech_google&phint=idg_eid%3D6aa01e18b29f7b6f9149f611f8eac228#tk.IFWNLE_ifw_goog_2015-01-29
