Last month, Google took the bold step of releasing the details of a security vulnerability ahead of Microsoft’s Patch Tuesday. Microsoft said that the patch was set to be released two days after Google went live with the details, and that Google refused to wait the extra 48 hours that would have let the patch ship alongside the details of the exploit.
Recently, an exploit has been uncovered in Android 4.3 (Jelly Bean) – which covers roughly 60% of Android’s install base, according to the Android Developer dashboard – and Google is saying that they will not patch the flaw.
When Security Street asked Google about the flaw and whether it would be patched, the Android security team responded:
“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”
The flaw, which exists in WebView (a core component used to render web pages on an Android device), impacts nearly 1 billion users, based on Google’s own numbers combined with Gartner figures.
Industry reports say that there are roughly 1.56 billion phones running Android, and if 60% are on the now-unsupported version of Android, roughly 930 million phones are now vulnerable.