Dirty Cow Vulnerability is Still Possible After November’s Security Update
Toward the end of last month, we reported on a very critical Linux vulnerability that made it possible to gain root access on every single Android device. It turns out this privilege-escalation bug has been present in the Linux kernel for 9 years, but it only came to public attention last month. The vulnerability has been given the name Dirty Cow, and it is tracked as CVE-2016-5195.
Dirty Cow is a race condition in the Linux kernel's copy-on-write (COW) memory duplication technique. By exploiting it, a user can gain write access to memory mappings that are normally read-only. When we wrote about the issue, it had already been patched in the Linux kernel. However, Android users who want their devices to be secure have not been so fortunate with the November security update.
Android OEMs are free to patch anything they want on any of the phones they sell. For instance, BlackBerry actually patched the QuadRooter vulnerability before Google included it in their monthly Android security update. However, most OEMs will wait on Google to send out patches, and then a few (like LG and Samsung) will include some patches that are unique to their custom software.
Android’s Senior Vice President, Hiroshi Lockheimer, has confirmed in an interview that Google generally rolls out patches for Android exploits a month after the patches are made available to manufacturers. Lockheimer went on to say that security patches go out to Android OEMs first, and then a month later they are pushed out to Nexus and Pixel devices. This is fair to the Android OEMs, as it gives them time to implement and test these patches, but it can leave users open to security vulnerabilities for an entire month (or more).
So we will likely see this Dirty Cow exploit patched in the December security update for Android, and a Google spokesman confirmed that schedule to Ars Technica.
Source: Ars Technica