If you’re running Android 4.3 or earlier, you’re pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that security analyst Tod Beardsley publicized earlier this month. The vulnerability leaves a huge share of Android users open to attackers who choose to exploit the security hole.

For those who don’t already know, WebView is a core component of the Android operating system that renders web pages inside apps. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that devices running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected.
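As an added example (not code from the article, from Google, or from Beardsley), here is how an app that embeds WebView can act on the version split described above: treat the system WebView on Android 4.3 and earlier (API level 18 and below) as something that will not be patched, keep JavaScript off there, and confine navigation to origins the app controls on every version. The class name and the allow-listed hosts are assumptions for the illustration.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example, not code from the article or from Google: an app-side guard
 * for the system WebView on devices that will not receive a WebView fix.
 *
 * Assumptions (mine, not the article's): the app only needs to display pages
 * from a short list of origins it controls, and would rather run with
 * JavaScript disabled on pre-KitKat devices than drop WebView entirely.
 */
public final class GuardedWebView {

    /** Origins the app is willing to render. Hypothetical values for the example. */
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "www.example.com"));

    private GuardedWebView() {}

    /**
     * The article's affected population: Android 4.3 and earlier ship the
     * pre-Chromium WebView that Google will not patch itself. KitKat (API 19)
     * and later ship the Chromium-based WebView.
     */
    public static boolean hasUnpatchedWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
    }

    /** True only for https URLs whose host is on the allow list. */
    static boolean isAllowedUrl(String url) {
        Uri uri = Uri.parse(url);
        return "https".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
    }

    /** Configure a WebView so untrusted content is not handed to a legacy engine. */
    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();

        if (hasUnpatchedWebView()) {
            // Legacy engine: keep script off and keep it away from local files.
            settings.setJavaScriptEnabled(false);
            settings.setAllowFileAccess(false);
        } else {
            settings.setJavaScriptEnabled(true);
        }

        // On every version, cancel navigations that leave the allow-listed
        // origins, so a link or redirect cannot pull attacker content in.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the load; allow-listed URLs fall through.
                return !isAllowedUrl(url);
            }
        });
    }

    /** Load a URL only if it passes the same allow-list check; false if refused. */
    public static boolean loadIfAllowed(WebView webView, String url) {
        if (!isAllowedUrl(url)) {
            return false;
        }
        webView.loadUrl(url);
        return true;
    }
}
```

`shouldOverrideUrlLoading` is only consulted for navigations initiated from within the page, not for the initial `loadUrl` call and not for subresources such as frames and scripts, so the explicit `loadIfAllowed` check is not redundant. The version gate does not make a legacy WebView safe; it only limits what the engine is asked to render while the device stays on an Android release Google will not patch.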

Google responded to Beardsley on January 12 with the following statement:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

What’s most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn’t seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.

On Friday, Google’s Adrian Ludwig took to Google+ to further explain his company’s position on patching vulnerabilities in older versions of Android. While Google still has no plans to extend an olive branch to users running Android 4.3 or earlier, Ludwig did give some insight into why this decision was made.

“Keeping software up to date is one of the greatest challenges in security,” Ludwig explained. “Google invests heavily in making sure Android and Chrome are as safe as possible and doing so requires that they be updated very frequently.”

More at Hot Hardware...

--jeremy