Fix for critical Android rooting bug is a no-show in November patch release


Android users waiting for a fix for a newly discovered flaw that allows apps to bypass key operating-system security protections will have to wait at least another month. The just-released patch batch for November, inexplicably, won’t include it.

The so-called escalation-of-privilege vulnerability, dubbed Dirty Cow, was introduced into the core of the Linux kernel in 2007, shortly before Google engineers incorporated the open source operating system into Android. That means the bug, formally indexed as CVE-2016-5195, affects every version of Android since its inception. The flaw remained hidden from public view until October 19, when it was disclosed under a coordinated release that was designed to ensure a fix was ready before most people knew about it. The Android Security Bulletin scheduled to be automatically pushed to select handsets sometime this month, however, won’t fix the flaw.

“It’s a pretty big deal because it’s very easy to exploit,” Daniel Micay, a developer of the Android-based CopperheadOS for mobile phones, told Ars. “Unlike a memory corruption bug, there are not really any mitigations for it. [Google] can’t claim that mitigations stand in the way of easy exploitation for this bug (that’s a dubious claim when they do make it, but for this they can’t do it).”

The vulnerability is already being exploited maliciously in the wild against Linux servers so that untrusted users can gain unfettered “root” privileges. Attackers are also combining the exploit with attacks that trigger separate Linux vulnerabilities to make them much more potent than they’d otherwise be. Micay said Dirty Cow—so named because the underlying race condition bug resides in a memory management technique known as copy on write—is being actively used by Android users who want to root their phones so they can bypass limitations imposed by manufacturers and carriers. He said it’s also possible exploits are being surreptitiously folded into malicious apps so that they can circumvent application sandboxing and similar Android security protections.