Owning a smartphone running Android 4.3 Jelly Bean or an earlier version of the Android operating system? Then you are at great risk, and maybe this will never end.
Yes, you heard right. If you are also one of the millions of users still running Android 4.3 Jelly Bean or earlier versions of the operating system, you will not get any security updates for WebView, as Google has decided to end support for older versions of Android WebView – a default web browser on Android devices.
WebView is the core component used to render web pages on an Android device, but it was replaced on Android 4.4 KitKat with a more recent Chromium-based version of WebView that is also used in the Chrome web browser.
Just a day after Google publicized a bug in Windows 8.1 before Microsoft could do anything about it, Tod Beardsley, a security analyst from Rapid7 who oversees the Metasploit project, discovered a serious bug in the WebView component of Android 4.3 and earlier that possibly left millions of Android smartphone users vulnerable to malicious hackers.
Android KitKat 4.4 and Lollipop 5.0 are not affected by the vulnerability, but over 60 percent of Android users – roughly a billion people (950 million) – still use Android 4.3 or below, which clearly means the bug still affects a great many people.
However, the reply from Google after Beardsley reported the vulnerability left him and all of us stunned. The tech giant won't patch the vulnerability in WebView at all. The quote from Google to Beardsley is as follows:
"If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch."
As a result, only devices running KitKat 4.4 and Lollipop 5.0 will receive security updates for WebView from Google, and the remaining Android versions will stay unpatched or rely on fixes from third-party developers. The company has said that it will welcome third-party patches.
"Google's reasoning for this policy shift is that they 'no longer certify 3rd party devices that include the Android Browser', and 'the best way to ensure that Android devices are secure is to update them to the latest version of Android'," explained Beardsley.
"On its face, this seems like a reasonable decision. Maintaining support for a software product that is 2 versions behind would be fairly odd in both the proprietary and open source software worlds."
In other words, if a hacker or a cyber criminal finds a way to exploit WebView on older versions of Android OS, Google will not release any patch for the vulnerability itself. However, if any outsider develops a patch, Google will incorporate those patches into the Android Open Source Project code and will further provide them to handset makers. This is where the company's responsibility ends.
Google says, though, that WebView support in older versions of the Android operating system is baked firmly into the operating system in such a way that it is much harder for Google to create a patch for affected devices. This issue has been mitigated by the search engine giant in newer versions of Android by dropping WebView from the core OS and incorporating it into the Google Play Services app.