While Google said in a blog post on April 9 that all versions of Android were immune to the flaw, it added the "limited exception" was one version dubbed 4.1.1, released in 2012.
Security researchers said that version of Android was still used in millions of smartphones and tablets, including the popular models made by Samsung, HTC and other manufacturers. Google statistics show 34 per cent of Android devices use variations of the 4.1 software. The company said less than 10 per cent of active devices were vulnerable. More than 900 million Android devices have been activated worldwide.
More From This Section
MAKING YOUR DEVICE BLEED |
|
The Heartbleed vulnerability, made public earlier this week, can expose people to hacking of their passwords and other sensitive information. While a fix was simultaneously made available and quickly implemented by a majority of internet properties that were vulnerable to the bug, there is no easy solution for Android gadgets that carry the flaw, security experts say. Though Google has provided a patch, the company says it is up to handset makers and wireless carriers to update the devices.
Long cycle
"One of the major issues with Android is that the update cycle is really long," said Michael Shaulov, chief executive officer and co-founder of Lacoon Security Ltd, a cyber-security company focused on advanced mobile threats. "The device manufacturers and the carriers need to do something with the patch; that's usually a really long process."
Christopher Katsaros, a spokesman for Mountain View, California-based Google, confirmed there were millions of Android 4.1.1 devices. He pointed to an earlier statement by the company, in which it said it had "assessed the SSL vulnerability and applied patches to key Google services."
Microsoft Corp on Friday said the Windows and Windows Phone operating systems and most services weren't impacted.
"A few services continue to be reviewed and updated with further protections," Tracey Pretorius, director of Microsoft Trustworthy Computing, wrote in an emailed statement.
Apple Inc didn't respond to messages for comment.
Mobile risk
Verizon Wireless, the biggest US mobile-phone company, said on Friday no other devices were impacted.
"Verizon is aware of the OpenSSL security vulnerability referred to as 'Heartbleed', and we are working with our device manufacturers to test and deploy patches to any affected device on our network running Android 4.1.1," spokesman Albert Aydin wrote in an email. "Other mobile operating systems we offer are not affected by this vulnerability and we have no reason to believe the issue has resulted in any compromise of Verizon customer accounts, websites, or data."
The Heartbleed bug, discovered by researchers from Google and a Finnish company called Codenomicon, affects OpenSSL, a type of open-source encryption used by as many as 66 per cent of all active internet sites. The bug, which lets hackers silently extract data from computers' memory, and a fix for it were announced simultaneously on April 7.
Broad fallout
The reach of the vulnerability continued to widen as Cisco Systems Inc and Juniper Networks Inc said earlier this week that some of their networking-gear products were affected and would be patched.
The Canadian government has ordered websites operated by the federal government that use the vulnerable version of OpenSSL to be taken offline until they can be fixed.
A vast majority of large companies protected their systems immediately and the push was now on to make smaller companies do the same, said Robert Hansen, a specialist in web application security and vice-president of the advanced technologies group of WhiteHat Security Inc.
Hackers had been detected scanning the internet looking for vulnerable servers, especially in traffic coming from China, though it was difficult to know how many had been successful, said Jaime Blasco, director of AlienVault Labs, part of AlienVault LLC. Many attempts had hit dead ends, Blasco said.
More than 80 per cent of people running Android 4.1.1 who had shared data with mobile security firm Lookout Inc were affected, said Marc Rogers, principal security researcher at the San Francisco-based company. Users in Germany were nearly five times as likely as those in the US to be affected, probably because the vulnerable version of Android was popular there, Rogers wrote in an email.
Still, there were no signs hackers were trying to attack Android devices through the vulnerability, as it would be complicated to set up and the success rate would be low, Rogers said. Individual devices were less attractive to go after because they needed to be targeted one by one, he said.
"Given that the server attack affects such a larger number of devices and is so much easier to carry out, we don't expect to see any attack against devices until after the server attacks have been completely exhausted," Rogers wrote in an email.