Google GOOGL -0.73% appears to no longer be
fixing security flaws in the oldest versions of
its
smartphone Internet browser.
The previously undisclosed move could leave
some users with older phones exposed to
snooping by hackers and spies, security
researchers said.
The new policy applies to the default browser
in
Android version 4.3, released in mid-2013 and
known as Jelly Bean, and earlier. That covers
roughly two-thirds of the billion-plus Android
devices in use, according to Google, but some
users may have updated their browsers to
newer versions.
The policy does not apply to browsers in
Android 4.4, or KitKat, which Google released
in October 2013, or Android 5.0, or Lollipop,
released in November 2014. Those versions
changed how websites are viewed on Android
devices.
The security blind spot illustrates the
challenges
companies face as they try to move customers
onto newer products and focus security
resources on patching more-current software.
Microsoft MSFT -1.25% applied the same
reasoning when it stopped supporting
Windows
XP , first released in 2001, in April.
That makes any new security holes found in
the
old software dangerous after they become
public, since the companies won’t fix them.
The tension is particularly acute at Google,
which has spent the past few years
championing
Internet security. The company has led the
way
in encrypting email and gives preference in its
search rankings to websites that use
encryption.
Rafay Baloch, a Pakistani security researcher,
discovered Google’s shift a few months ago
after
he found several bugs in the old Android
browser. Researchers like Baloch, sometimes
called “white hat hackers,” comb through
popular software searching for slipups that
could give bad hackers an opening. Tech giants
like Google and Facebook FB -1.31%
sometimes pay researchers for their
discoveries.
As recently as September, Google had fixed, or
patched, one of Baloch’s security flaws in the
older browser. But when he submitted another
one later in the fall, Google’s security team
responded that if the affected Web browser is
on Android 4.3 or earlier, “we generally do not
develop the patches ourselves but do notify
partners of the issue.” Google said it would
distribute patches developed by others.
“What Google doesn’t seem to be considering
seriously, though, is the cost associated with
this move,” Tod Beardsley, a senior engineer at
Rapid 7, who has worked with Baloch and
Google on the issue. Beardsley reasoned that
many consumers buy old phones to save money
and not all carriers push through Android
updates.
This past fall, Google announced a new project
to sell sub-$100 phones in developing markets.
Called Android One the push requires phones
to
ship with Android 4.4 or later and receive
automatic updates for up to two years.
http://www.zroclan.com/2015/01/google-isnt-fixing-some-old-android-bugs.html?m=1