Full Report
Google has revealed that Android smartphones and tablets running versions of the software released before 4.3 (Jellybean) will no longer be given official updates to an important part of the software.
Analysis Summary
# Vulnerability: End of Official WebView Security Updates for Pre-Android 4.4 Devices
## CVE Details
- CVE ID: N/A (The article discusses a change in Google's patching policy rather than a specific, documented vulnerability requiring a CVE at the time of publication.)
- CVSS Score: N/A (No specific scoring provided as this is a policy announcement.)
- CWE: CWE-937 (Improper Update/Patch Management - related to the discontinuation of security support)
## Affected Systems
- Products: Android Operating System / Android Smartphones and Tablets
- Versions: Android versions released **before 4.3 (Jellybean)** and systems **before 4.4 (KitKat)**.
- Configurations: Any device running an Android version older than those covered by Google's ongoing patching support (official fixes are limited to Android 4.4/KitKat and later). Approximately 939 million devices are affected because they run legacy software.
## Vulnerability Description
Google has ceased providing official security updates for the **WebView component** in Android versions released prior to Android 4.3 (Jellybean). The WebView component allows applications to display web content within the app environment. For versions before Android 4.4 (KitKat), security researchers reporting bugs must now provide the necessary **patches** themselves for Google to consider incorporating them into the Android Open Source Project (AOSP). If a vulnerability is found in WebView on these legacy systems, Google will no longer develop the fixes internally.
## Exploitation
- Status: The article implies that WebView is a "favored vector for attack for nearly any remote code execution vulnerability." While no active exploitation of this specific policy change is detailed, devices affected by historical, unpatched WebView vulnerabilities remain at high risk.
- Complexity: Varies with the underlying vulnerability, but because WebView is a common RCE vector, exploitation is often low complexity once a flaw has been discovered.
- Attack Vector: Likely Network or Adjacent, via malicious content loaded in an application using the outdated WebView.
## Impact
- Confidentiality: High (If RCE is achieved via an unpatched WebView flaw)
- Integrity: High (If RCE is achieved via an unpatched WebView flaw)
- Availability: Medium (Potential for denial of service or application instability)
## Remediation
### Patches
- **Official Google Patches:** No new official patches will be provided by Google proactively for WebView on affected versions (pre-4.4).
- **Community Patches:** Patches must be developed by security researchers/vendors and submitted to Google for inclusion in the AOSP, which OEMs must then adopt.
- **Upgrade:** Users should upgrade to Android 4.4 (KitKat) or later, where Google continues active development and patching for WebView.
### Workarounds
- Users are strongly advised to update their devices to maintain security, but for those unable to update due to hardware limitations:
  - Ensure all applications that utilize WebView are updated via the Google Play Store, as some vendors might backport fixes to their application layers.
  - Avoid using applications that rely heavily on web content interactions if the device cannot be updated.
## Detection
- Detection depends on the specific underlying WebView vulnerability; however, common indicators would include anomalous network traffic from apps using WebView, or unexpected behavior or crashes when browser or app-embedded content is loaded.
## References
- Vendor Advisory: Google Android Security Team responses referenced by IT Pro and ZDNet.
- Relevant links:
- hxxps://www.welivesecurity.com/en/mobile-security/google-stops-security-updates-android-webview-939-million-users/
- hxxp://www.itpro.co.uk/android/23833/google-stops-security-updates-for-43-kitkat-and-older
- hxxp://www.forbes.com/sites/thomasbrewster/2015/01/12/google-webview-updates-quietly-killed-for-most-androids/
- hxxp://www.zdnet.com/article/google-stops-providing-patches-for-pre-kitkat-webview-abandons-930m-users/