Google Finally Patches Dirty COW in Android
In November, when Google released its security bulletin for Android, it omitted a patch for the Dirty COW vulnerability in Linux. The company has now released its last security bulletin for 2016, which patches CVE-2016-5195. Dirty COW is just one of 11 critical vulnerabilities that Google is patching with this update.
In the November update, Google skipped the patch, although the company did release a supplemental update for its own Pixel and Nexus devices that patched the bug. Samsung was the only other Android vendor that patched the bug on its devices.
The Linux kernel community is usually very aggressive about patching security bugs. Google’s Security Bulletin mentions that Dirty COW was discovered on 12 October, and the vulnerability was patched in October. All major Linux distros then released their own patches. Google, however, only released an Android patch two months later. Although the patch exists, many Android users might not see it for another few months, and some vendors may never patch their devices.
Threatpost, the Kaspersky Lab security news service, reported, “the 5 Dec patch level also includes patches for vulnerabilities rated high severity in the kernel, kernel file system, HTC sound code, MediaTek drivers, Qualcomm codecs and drivers, and NVIDIA drivers among others. Most of the flaws are elevation of privilege issues.”