Days after Google was rebuked by Microsoft for publicising a Windows flaw, the company is being criticised for its approach to vulnerability patching in its own software.
Vulnerabilities are often found in older versions of WebView, the core component used to render web pages on Android devices, but Tod Beardsley of Metasploit reports that Google will no longer provide security patches for WebView vulnerabilities in versions of Android earlier than KitKat (version 4.4).
Android’s security handlers told Beardsley:
“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”
From now on, then, Google will only support the current version of Android, Lollipop (or 5.0), and the previous version, KitKat (or 4.4). Security patches for WebView in earlier versions of Android such as Jelly Bean (versions 4.0 to 4.3) will no longer be issued.
Given that, according to Google’s own figures, only 0.1% of Android users have installed Lollipop while some 60% of users – about 930 million Android devices – still run Jelly Bean or earlier, this is surprising to say the least.
As Beardsley comments:
“I’ve never seen a vulnerability response program that was gated on the reporter providing his own patch, yet that seems to be Google’s position. This change in security policy seemed so bizarre, in fact, that I couldn’t believe that it was actually official Google policy.”
This is good news for hackers, but bad news for organisations that support BYOD (bring your own device).
Android enjoys an 84% market share. If 60% of devices use vulnerable software, the amount of information potentially at risk is enormous. If your organisation supports BYOD, it needs a comprehensive BYOD policy.
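A practical consequence for anyone running a BYOD programme is that the Android version on each enrolled device now determines whether its WebView can still receive a vendor fix. The script below is an added example, not code from the article or from Google or Metasploit: it audits a constructed device inventory (the `INVENTORY` records and their `device_id`/`os`/`version` fields are hypothetical, as is the `PATCH_FLOOR` name) and sorts devices into those at or above KitKat 4.4, those below it whose WebView will not be patched, and those whose version cannot be parsed. Versions are compared numerically rather than as strings, and unparseable values are flagged for review instead of being silently treated as compliant.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inventory (hypothetical BYOD device records, not real data).
INVENTORY = [
    {"device_id": "dev-001", "os": "Android", "version": "5.0"},      # Lollipop
    {"device_id": "dev-002", "os": "Android", "version": "4.4.2"},    # KitKat
    {"device_id": "dev-003", "os": "Android", "version": "4.3"},      # Jelly Bean
    {"device_id": "dev-004", "os": "Android", "version": "4.0.4"},    # pre-KitKat
    {"device_id": "dev-005", "os": "Android", "version": "unknown"},  # bad agent data
    {"device_id": "dev-006", "os": "iOS", "version": "8.1"},          # out of scope
]

# Oldest Android release that still receives WebView patches, per the article (KitKat 4.4).
PATCH_FLOOR: Tuple[int, int] = (4, 4)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.4.2' into (4, 4, 2).

    Raises ValueError on anything that is not dotted integers, so garbage
    from a reporting agent is never mistaken for a compliant version.
    """
    parts = version.strip().split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unparseable Android version: {version!r}")
    return tuple(int(p) for p in parts)


def webview_patched(version: str) -> bool:
    """True if the major.minor release is at or above the patch floor.

    Tuple comparison is numeric, so a hypothetical '4.10' sorts above '4.4';
    a naive string comparison would get that wrong.
    """
    return parse_version(version)[:2] >= PATCH_FLOOR


def audit(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket each device by whether its WebView can still receive vendor patches."""
    result: Dict[str, List[str]] = {
        "patched": [],            # Android >= 4.4
        "unpatched_webview": [],  # Android < 4.4: WebView flaws will not be fixed upstream
        "unknown": [],            # version string could not be parsed; needs manual review
        "not_android": [],        # other platforms, outside the scope of this check
    }
    for device in inventory:
        if device.get("os") != "Android":
            result["not_android"].append(device["device_id"])
            continue
        try:
            bucket = "patched" if webview_patched(device["version"]) else "unpatched_webview"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(device["device_id"])
    return result


def unpatched_share(result: Dict[str, List[str]]) -> float:
    """Fraction of Android devices (parsed or not) whose WebView is unpatched or unverifiable."""
    android_total = len(result["patched"]) + len(result["unpatched_webview"]) + len(result["unknown"])
    if android_total == 0:
        return 0.0
    at_risk = len(result["unpatched_webview"]) + len(result["unknown"])
    return at_risk / android_total


if __name__ == "__main__":
    report = audit(INVENTORY)
    for bucket, ids in report.items():
        print(f"{bucket:18s} {', '.join(ids) or '-'}")
    print(f"at-risk share of Android fleet: {unpatched_share(report):.0%}")
```

Devices in the `unpatched_webview` and `unknown` buckets are the ones a BYOD policy has to make a decision about: the article's point is that for the former, no upstream fix will arrive, so the remaining controls are on the organisation's side (access restrictions, enrolment requirements, or excluding those versions from corporate resources).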