
This kind of headline leaves me with a smug smile on my face.......
A Metasploit module has been developed to easily exploit a dangerous flaw in 75 percent of Android devices that allows attackers to hijack a users' open websites. The exploit targets vulnerability (CVE-2014-6041) in Android versions 4.2.1 and below and was disclosed without fanfare on 1 September, but had since gathered dust, …
1. AOSP has not been killed off, and I've never heard anyone suggest that it would be. They're talking about the AOSP *browser* which has been replaced by Chrome.
2. 4.2.1 is not 75% of phones. The entire 4.2.x series is only 20%, and 4.2.2 would be the majority of that - and 4.2.2 was released 18 months ago. Note the CVE relates specifically to 4.2.1. You can't even get close to 75% by adding all the previous versions together (which would be bogus anyway unless you could prove it existed right back to froyo/gingerbread).
So bug exists in a small % of old phones. Other than saying 'time to upgrade' what are people expected to do?
This post has been deleted by its author
Mainly because I prefer FireFox as there's AdBlock for it as well as being able to change the User Agent to view desktop versions of websites.
But there are one or two websites I've visited that will only ever display the mobile version, which I detest, despite changing the user agent in FF and selecting the "Request desktop version" option there appears to be no way so make FF only ever display desktop versions of websites.
With the stock Android browser, you can get into an extra settings page and set any user-agent that you want, including NCA Mosaic. Sorry, from here can't remember how, but istr you enter a specific non-URL string and then select something weird in settings or somesuch.
I actually run Firefox because I also run it on one of my boxes too, so have access to open tabs, and bookmarks. However it doesn't do a good job with the "request desktop site" imho.
To borrow a neologism from Portlandia: Mr Pauli seems to be a "linkalist" and a bad one at that. Even based on the page he linked to 4.2.x has a distribution of 20 %. The article claims the exploit targets 4.2.1 but I suspect it might also work on earlier versions, too. Whatever, a journalist might research this, a linkalist just adds something racy to the headline. Obviously confusing JellyBean with KitKat doesn't matter.
It's a pity because adding value would be easy: alternative stats could be obtained from The Register's own statistics which would add credence to or detract from the numbers quoted; and a demonstration page could be set up for users to test, or linked to assuming someone else has already done this.
@El Reg can we start blacklisting some of the more futtocky linkalists you have? It's nice to be able to avoid the crap if possible.
Charlie, and TonyHoyle, I think the 75% figure comes from a few things: the sentence on Rafay site under "Affected Versions" says "The initial tests were carried out on android browser 4.2.1 (Qmobile) and below"; the "update" on the same site that says "Other folks have verified this issue to work under Android browser < 4.4" (presumably meaning 4.3 and earlier); and the androidcentral stat that 24.5% of Android phones are running 4.4.x (or adding up all the prior versions -> 75.5%). I think the key bit of info that is still unclear is whether the bug existed prior to 4.2.1, as Rafay isn't clear about what "and below" means (did he test at least version 2.2?).
If there's an easy way to test, I could do so with my version 2.1 which Sprint will never update...
Google are moving away from the AOSP Browser towards bundling Chrome Mobile on their Nexus handsets, which of course is updateable via Google Play. The other alternative would be to release an update package to the AOSP Browser in the Play Store like they do for the News and Weather app.
Of course they're not doing the latter and the former isn't much help to those with this security problem.
The majority of phones I've seen ship Chrome, which will auto-update happily.
Some phones (particularly older ones) ship an AOSP based browser, usually also customised by the phone manufacturer, which has this issue.
Android does allow such applications to be updated in the Play store, and some manufacturers have started to do this, e.g. manufacturers putting cameras, etc. in the Play store so they can be updated easily. Unfortunately, this has only started to happen fairly recently and I haven't yet seen a manufacturer customised browser updated via the store.
So -- it's not an Android issue, it's a manufacturer issue that reflects badly on Android.
If you exclude 4.4 it's three-quarters, but if you correctly exclude both 4.3 & 4.4, it's two-thirds.
Mind you, I'd be interested in whether Google plans to release a browser fix for 2.3 upwards (98.7%) via it's Google Play Services versions-are-irrelevant system updater launched late last year.
http://www.trustedreviews.com/opinions/why-google-play-services-is-more-important-than-the-nexus-5