Critical "Dirty Cow" Android exploit not fixed by November Android security patch

Google has put off closing a rather prominent exploit called "Dirty Cow" in the November Android security patch. Named after the "copy on write" memory management technique it's based on, the hole has existed in virtually all versions of Android since Google incorporated the Linux kernel in it. It was only publicly disclosed last October, though, as part of a coordinated release that was supposed to ensure a fix was created before more regular users or potential attackers were aware of the flaw. But this month's security update doesn't close the loophole, which came somewhat unexpectedly.

The technique is popular among apps for rooting Android devices, as it lets developers circumvent manufacturer and operating system limitations in order to gain root access. However, the exploit can be incorporated into malicious apps so that they sidestep existing Android security measures. In January this year, security researchers reported at least 13 apps in the Google Play store that exploit rooting vulnerabilities, including Dirty Cow.

Google claims a patch for the loophole will be released in December. Unfortunately, the security updates that Google releases only reach Nexus/Pixel devices and a small number of phones by companies such as Samsung. This means the overwhelming majority of Android smartphones out in the wild will remain vulnerable, possibly forever.

7 Comments

1. Macready

Posts: 1824; Member since: Dec 08, 2014

This is in conflict with other reports such as here: http://www.bleepingcomputer.com/news/security/novembers-android-security-bulletin-patches-drammer-and-dirty-cow-exploits/ And I wouldn't call the majority of lower mid tier to high end Samsung phones sold the past 3 years "a small number". Even the S4 is still receiving these monthly updates.

2. Macready

Posts: 1824; Member since: Dec 08, 2014

So the November patch did include a basic/crude fix for DirtyCOW, the December patch will contain a full fix. The Samsung November patch addressed it as well, as can be seen here: http://security.samsungmobile.com/smrupdate.html

3. kiko007

Posts: 7518; Member since: Feb 17, 2016

"And I wouldn't call the majority of lower mid tier to high end Samsung phones sold the past 3 years "a small number"." That's a small number. There are hundreds of Android OEMs and thousands of models. Even if Samsung were responsible for 150 of said models......that would still be a relatively small sample.

4. Macready

Posts: 1824; Member since: Dec 08, 2014

This isn't about numbers of different models but numbers of phones. Likely hundreds of millions of Samsung phones are receiving (or have already received) these updates. That's not "a small number" by any stretch. S range since S4, Alpha and A range, J range, Note range since Note 3, etc. At least a third of all smartphones they sold the past 4 years (which is more than a billion).

6. sissy246

Posts: 7124; Member since: Mar 04, 2015

conflict, well those is iphonearena.

5. sukrith2194 unregistered

You are idiots aren't you! Google has the Play services to monitor these threats and also safety net! No malicious apps will pass through them!

16. piyath

Posts: 2445; Member since: Mar 23, 2012

WELCOME TO ANDROID.......LOL!
