Less than three weeks after Google pushed out Android 4.4.3 to users of its Nexus smartphones and tablets, the technology giant has unexpectedly released factory images, binaries and source code for a new version – Android Kitkat 4.4.4 – patching a serious vulnerability in the OpenSSL cryptographic library.
Sascha Prüter, a Google Android program manager, said via his Google+ page that the Android 4.4.4 build version KTU84P update was “primarily addressing CVE-2014-0224“, a security vulnerability in the OpenSSL cryptographic library that could be used to spy on encrypted communications via a man-in-the-middle attack.
In addition, Prüter revealed that the Android 4.4.4 update addressed “some other (not quite as severe) security issues” that affect the the Android Compatibility Test Suite and Framework Classes and Services and the Chrome browser.
Although some might jump to the conclusion, because of the reference to OpenSSL and man-in-the-middle attacks, that the primary flaw addressed in Android 4.4.4 is related to the high profile Heartbleed vulnerability that isn’t the case: CVE-2014-0224 was made public in early June, two months after the Heartbleed scare.
And the risk is not just theoretical.
According to reports, approximately 14% of the world’s most visited HTTPS-enabled websites are vulnerable to this latest OpenSSL flaw.
In short, it’s the same old story.
New security vulnerabilities are always being found, developers scramble to fix them, and security updates are released.
Securing your Android devices can be something of a nightmare because of the difficulty involved in getting security updates.
Even if you *want* to upgrade the OS on your Android devices you might not be able to, because an Android update is only going to be available for those devices with the assistance and goodwill of Google, the device’s manufacturer and mobile phone carrier.
And often, history has shown us, older Android devices are left stranded without an easy path for OS updates.
Users of Google’s own Nexus smartphones and tablets are the ones in luck. Android Kitkat 4.4.4 is available for them to install.
But if you purchased a different Android device, you might find that it takes a long time for Kitkat 4.4.4 to be offered for your smartphone, if ever at all.
Meanwhile, it is being widely anticipated that in a month’s time Google will unveil Android 5.0 Lollipop at its developer conference. No doubt there will be many Android users at that point keen to jump onboard the update merry-go-round again.
In this world nothing can be said to be certain, except death, taxes and security updates.
This article originally appeared on the Lumension blog.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.