Android 4.1.1 devices vulnerable to Heartbleed bug, says Google

Google has joined the ranks of companies which have issued public warnings about their products being vulnerable to exploitation thanks to the massively widespread Heartbleed bug. The company has now disclosed that users of all Android versions except specifically 4.1.1 are unaffected.

Buried at the bottom of a blog post titled Google Services Updated to Address OpenSSL CVE-2014-0160 (the Heartbleed bug), the search and online services giant added that 'patching information' for Android 4.1.1 is being distributed to device manufacturers and carriers, who are responsible for creating and issuing updates.

Android version fragmentation is a known problem within the ecosystem, and millions of users could still be running version 4.1.1, also known by the codename Jelly Bean. According to Google's own Android developer dashboard, up to 34.4 percent of all Android users are currently running 4.1 - 4.1.2, though the exact number or percentage of users running 4.1.1 is not known.

Version 4.1.1 was a minor update to 4.1 containing bug fixes related to specific devices. Version 4.1.2 was released less than three months later, potentially limiting the scope of the number of devices affected. However, Android manufacturers are frequently criticised for shipping devices built with older Android builds, and not issuing updates thereafter. A large number of budget devices are never updated once they are shipped.

Google has further disclosed that its Web services Search, Gmail, YouTube, Wallet, Play, Apps, App Engine, AdWords, DoubleClick, Maps, Maps Engine and Earth were affected by Heartbleed but have now been patched. Other vulnerable websites included Dropbox, Facebook, Twitter, Tumblr, Yahoo, GoDaddy, and Amazon Web Services.

By contrast, Apple has stated that iOS, OS X, and its widely used Web services including iTunes and iCloud were never affected.

Heartbleed is a bug in the OpenSSL encryption framework used by Web servers to secure communications between themselves and the outside world. In early April, it was reported that attackers were able to retrieve information including sensitive encryption keys, user account details and message contents, from servers running the vulnerable version of OpenSSL.

Security workers have since demonstrated hacks that have resulted in retrieval of working encryption keys. It is not knows whether attackers, including government-sponsored agencies, were aware of the existence of the Heartbleed bug and were exploiting it before it became widely known.