Critical "Dirty Cow" Android exploit not fixed by November Android security patch

Critical "Dirty Cow" Android exploit not fixed by November Android security patch
Google has put off closing a rather prominent exploit called "Dirty Cow" in the November Android security patch. Named after the "copy on write" memory management technique it's based on, the hole has existed in virtually all versions of Android since Google incorporated the Linux kernel in it. It was only publicly disclosed last October, though, as part of a coordinated release that was supposed to ensure a fix was created before more regular users or potential attackers were aware of the flaw. But this month's security update doesn't close the loophole, which came somewhat unexpected.

The technique is popular among apps for rooting Android devices, as it lets developers circumvent manufacturer and operating system limitations in order to gain root access. However, the exploit can be incorporated into malicious apps so that they sidestep existing Android security measures. In January this year, security researchers reported at least 13 apps in the Google Play store that exploit rooting vulnerabilities, including Dirty Cow.

Google claims a patch for the loophole will be released in December. Unfortunately, the security updates that Google releases only reach Nexus/Pixel devices and a small number of phones by companies such as Samsung. This means the overwhelming majority of Android smartphones out in the wild will remain vulnerable possibly forever.



Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit for samples and additional information.
FCC OKs Cingular's purchase of AT&T Wireless