Google throws nearly a billion Android users under the bus, refuses to patch OS vulnerability

When it comes to providing security updates for previous products, various manufacturers have pursued different strategies. Some, like Microsoft, tend to provide security updates long after they’ve stopped selling an operating system (Microsoft only stopped providing Windows XP support last year). Others, like Google and Apple, have pursued tighter timelines for security updates. Google is now doubling down on that schedule, refusing to patch bugs in Android 4.3 or prior, even when those bugs could expose critical vulnerabilities on nearly a billion devices.

The flaws in this case affect Android 4.1 to 4.3, aka Jelly Bean, which began shipping in mid-2012 and was the primary version of Android through late 2013, or roughly 14 months ago. Up until quite recently, Google has aggressively patched problems in Android’s WebView rendering engine. Before KitKat (Android 4.4), all versions of Android used the version of WebView found within the Android Browser for rendering HTML webpages. With KitKat and Lollipop, Google updated the operating system to use a WebView plugin derived from its Chromium project.

When security firm Rapid7 discovered a new exploit in the Android Browser version of WebView, it contacted Google to inform the company that Android 4.3 and below were vulnerable. Google’s response and policy change are raising major eyebrows. Specifically, the company states that:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

This isn’t a minor issue. 60% of Android users are on pre-KitKat versions. No one uses Lollipop yet.

In other words, security staff are now expected to submit a patch to fix an issue when they report it. If they do, Google will “consider” the patch to see if it resolves the problem. If they don’t, Google now says the only thing it can do is inform various OEMs of the problem.

What Google is doing, in essence, is telling its user community “Sorry, you have to tell Samsung, LG, and Motorola to provide you with an updated version of our operating system.” This is hilariously impossible. It would never fly in the PC world — imagine Microsoft telling customers “Sorry, you have to make HP, Dell, and Lenovo provide you with a free update for our operating system.” The disparity is even larger if you consider that, in most cases, a computer running a previous version of Windows can be upgraded by the end user to run the next version. That upgrade may be a headache, but system requirements on Windows haven’t budged in nine years.

The average phone or tablet buyer has no way to upgrade their operating system unless the carrier provides an OTA update, and two-year upgrade cycles mean that plenty of people are going to be stuck on broken devices with known exploits that Google isn’t going to fix. Granted, the fact that Google fixes an exploit doesn’t mean that carriers will deploy it, and fragmentation has been a major problem in Android’s ecosystem over the years — but there’s a difference between acknowledging the difficulty of maintaining security updates for the entirety of one’s user base and flatly refusing to do them.

Pushing OEMs off open-source Android

One obvious reason for Google to stop fixing Android Browser problems is that the company is aggressively moving to get OEMs to stop using Android’s open-source features and to replace them with features licensed directly from Google. Ars Technica has done an extensive write-up on this trend here, and getting rid of the Android Browser is a key facet of moving away from an Android that’s actually maintained and useful.

No, Google isn’t killing Android — it’s just ensuring that the only parts of the program that get feature updates, capability improvements, and performance enhancements are the parts that require licensing agreements and promises not to develop competing products. The reason Amazon’s Kindle Fire has its own app store, and Samsung’s continued interest in Tizen are both the result of Google’s push to embed itself into the center of mobile business while paying lip service to the idea of open source.

By throwing all of the responsibility for security updates back on carriers and security researchers, Google is telling OEMs that they can either agree to its licensing terms and fall in line, or take on the responsibility of performing security updates that they’re typically not qualified or funded to do. It’s a trick worthy of Microsoft in the Bad Old Days, and it’s particularly funny to see the company doing this, given that it threw Microsoft under the bus in December when it published the full details of a security flaw two days before Redmond patched it, on the grounds that the desktop and laptop OS company wasn’t moving fast enough.

15 Firefox Collections To Suit Your Online Browsing Needs

Are you a fan of Firefox add-ons? They make your life easier by automating a lot of things you do with your favorite browser. In fact, there are actually collections that Firefox users have put together to benefit other Firefox users. These are called Firefox Collections.

Firefox Collections make it easy to keep track of your favorite add-ons and share them with the world. You can follow any collection to keep track of updates (newly added add-ons), try out recommended add-ons and even test out brand new ones. Most of these collections bear the ratings for the add-ons to help you decide, and these collections are often better-targeted and more actively curated by the collection owners.

Here are just some of the Firefox collections that I have come across that I’m sure will help you out one way or another.

Web Developer’s Toolbox

Firefox has a great selection of Web development add-ons and this collection brings the best of them together. So far there are 14 add-ons to help you troubleshoot, edit and debug Web projects all from within Firefox.

Top Add-ons: Firebug, Greasemonkey, Stylish, iMacros, User Agent Switcher, Web Developer.

Reference Desk

Looking for the best way to document useful Web pages, links, text and images? This collection is great for students, researchers, writers, bloggers or anyone else who does a lot of Web research or maybe those who just like to save things for later.

Top Add-ons: Evernote Web Clipper, Pocket, ScrapBook, StumbleUpon, SimilarWeb.

Family Organizer

As the name implies, this collection is aimed at families. The add-ons listed can be used to create a “safe and fun online experience” for mothers, fathers and children. So far there are only six on the list, but let’s hope that it is actively updated.

Top Add-ons: Web of Trust, ReminderFox, Integrated Inbox, FoxFilter.

Traveler’s Pack

If you travel a lot and usually plan the trips yourself, having add-ons to help with the process (planning, booking, documenting) can help tremendously. That’s just what this collection aims to do.

Top Add-ons: Self-Destructing Cookies (useful if you’re planning a surprise trip), Forecastfox Weather, FoxClocks, Simple Currency Converter.

Firebug Add-ons

Firebug is a very popular Web development tool that integrates with Firefox. You can use it to edit, debug and monitor CSS, HTML and JavaScript for any Web page. If you use Firebug frequently, this collection is a great way to keep up with add-ons to help extend this amazing tool.

Top Add-ons: Firebug, YSlow, FirePHP, CodeBurner, FireQuery, Firefinder.

The Paranoid Kit

There are quite a few privacy/security collections, but I really like this one because the collector has taken the time to write a useful note for each add-on featured. The selected security add-ons are said to be “relatively passive and produce minimal disturbance in typical day-to-day browsing.”

Top Add-ons: Adblock Plus, NoScript, LastPass, User Agent Switcher, BetterPrivacy, Lightbeam.

Online Shopping

This collection will really come in handy for any special holiday when shopping deals are at their best. Whether you’re a shopaholic or just like saving money when shopping, these add-ons can help you to do just that. Now you’ll never miss out on those great sales!

Top Add-ons: CouponsHelper, Ciuvo – Price check in your Browser, PriceBlink, Boo.ly Shopping, The Amazon 1Button App, InvisibleHand.

Add-ons for Google Products

Do you use all or most of Google’s products like YouTube, Gmail, Google Calendar and Google search? If so, this collection can help make using these tools even easier. The add-ons on this list can extend the functionality of Google’s most popular services.

Top Add-ons: Video DownloadHelper, Feedly (a Google Reader replacement), Gmail Manager, SearchPreview, Google Shortcuts, Shareaholic.

Social Circuit

Are you a social networking addict, or do you just like sharing cool things to your social networking accounts? Then this collection is for you. It includes social networking add-ons to help make sharing easier, and to give you easy access to the most popular social sites.

Top Add-ons: ChatZilla, StumbleUpon, Facebook Toolbar, Yoono, Thumbnail Zoom, Shareaholic.

Sports Fanatic

The name says it all. If you’re a sports fanatic, the add-ons in the collection are sure to help cater to your sports addiction. These add-ons can help you get the latest scores, highlights and news for your favorite sports team.

Top Add-ons: FootieFox, Are You Watching This?! Sports, Pickemfirst Fantasy Sports.

Privacy

In case The Paranoid Kit collection doesn’t meet your needs, this is another privacy collection that is also useful. The add-ons listed are more geared toward making you anonymous on the Web as well as covering and erasing your tracks.

Top Add-ons: Adblock Plus, anonymoX, NoScript, Ghostery, Web Of Trust, BetterPrivacy.

Gmail Add-ons You Must Have

Gmail is a great online email service, but you can make it even better with the add-ons in this collection. Whether you want to get notifications of new email messages, bring all your favorite Google services to Gmail or add a cool email signature, this collection is perfect for the job.

Top Add-ons: X-notifier, Gmail Manager, Integrated Inbox, WiseStamp.

Web Application Security Penetration Testing

This is definitely an interesting collection; it is said to include “Web hacking tools” for Firefox. Besides the usuals like Firebug, Greasemonkey and User Agent Switcher, you’ll find add-ons on the list to help you debug JavaScript, view and modify HTTP/HTTPS, view JSON documents, test for SQL injection vulnerabilities and much more.

Top Add-ons: Firebug, Greasemonkey, iMacros, User Agent Switcher, Web Developer, FoxyProxy.

Web Pro

The earlier mentioned Web Developer’s Toolbox is a collection just for Web developers, but this Web Pro collection is for Web developers and designers. Some of the add-ons listed may overlap, but you’ll find a lot of useful add-ons for designers and even some different ones for developers.

Top Add-ons: Video DownloadHelper, Firebug, DownThemAll!, Greasemonkey, iMacros, Flagfox.

Firefox Accessibility Add-ons

This is a really thoughtful collection, to say the least. The add-ons listed have been tested by the collector and found to be very helpful for people with visual impairments. The collection has a focus on “a user’s interactions with sites and Firefox.”

So if you have some type of visual impairment (partially sighted, low vision, legally blind), or just have a hard time seeing specific Web pages, these add-ons should be able to help you see better in Firefox.

Top Add-ons: Adblock Plus, Stylish, Tab Mix Plus, Web Developer, FireGestures, ColorfulTabs.

Now that you know more about Firefox Collections and the best ones to check out and/or follow, let us know which collections you’re following or plan to follow.

Browser Add-Ons To Enhance Your YouTube Viewing Experience

YouTube is a much-loved source of entertainment; some might think it’s taking over TV due to the sheer amount and types of entertainment: mini web series, tech and tutorial channels, lyric videos and covers etc. It’s no surprise that some of us can spend hours watching YouTube videos on our subscribed list while others can binge-watch recommended videos for the whole day.

However, there are minor annoyances with the viewing experience that even these YouTube tricks can’t fix. The common complaints (basically First World Problems) are a distracting layout, too much white space, and annoying (or awesome) advertisements that eat into your video-viewing time.

To conquer these problems, I am going to introduce to you the Tube Enhancer Plus for Firefox and YouTube Options for Google Chrome.

Awesome “Hidden” YouTube Settings

Both Tube Enhancer Plus and Youtube Options have some pretty cool features, ideal for the serial YouTuber. With them you can:

1. Remove advertisements – Both can let you skip the ads at the start of the video.

2. Enlarge player size – You can also enlarge the ‘video box’ size so that it fills up the space of your browser window for a closer and clearer view.

3. “Dim the lights” – This feature greys out the areas around the video box. This along with #2 maximizes the real estate of your large, high-resolution monitor.

4. Set default viewing quality – If changing the video quality often irks you, then worry no more, you now need not manually change it.

5. Set autoplay settings – You can also set the autoplay settings so videos won’t automatically start playing when you open multiple videos in new tabs.

More From Tube Enhancer Plus (Firefox)

Installing Tube Enhancer Plus gives you a few controls at the bottom of your browser window to download or loop the current video on top of the other features mentioned earlier.

The coolest feature about this add-on is the ability to watch a video on the Firefox Sidebar. This allows (in)effective multitasking as you can surf the Web while watching all your videos.

More From YouTube Options (Chrome)

YouTube Options for Chrome has more customizable features. You can hide elements of YouTube like the comments section, video suggestions, video description, title, header and footer from the settings or its keyboard shortcuts. This gives you a super-clean YouTube player.

Using the mouse scroll wheel while hovering the mouse cursor above the ‘video box’ lets you change the ‘video box’ size, forward/rewind the video, or change the volume level.

Certain features of YouTube Options can also be used on any embedded videos or on sites like Vimeo, Hulu and DailyMotion.