Google published its November security bulletin describing all the recent patches for vulnerabilities in Android, but a major one seems to be missing. The Linux kernel vulnerability, called “Dirty COW,” affects all Linux and Android devices that use kernel version 2.6.22 or newer and is a "High-Severity" bug that allows remote privilege escalation and can’t be mitigated by existing OS protections.
Linux Bug Of The Decade
Dirty COW has been considered one of the most serious Linux bugs of recent years, not just because it allows privilege escalation (something many bugs are capable of doing), but also because it affects all Linux and Android devices from the past decade. Worse yet, because it's such an old bug, it may also be under active exploitation (or if it hasn't been so far, it certainly will be now that it's public). This bug gives attackers around a billion and a half targets, unless those devices are patched soon, something that's much easier said than done for Android.
Dirty COW has been so named because the bug affects the Copy On Write (COW) resource management mechanism. An unprivileged local user could gain write access to what would otherwise be read-only memory and then increase their privilege on the system.
The bug was first discovered in May, but it was revealed to the public just last month after a coordinated effort by security researchers to create a fix before everyone, including potential attackers, learned about it.
Why A Dirty COW Patch Isn’t Yet Available For Android
Linux users have already started applying the Dirty COW patch to their systems, but Android users won’t be as fortunate. Because Google makes new patches for Android vulnerabilities public a month after they’ve been given to the OEMs, the Dirty COW patch couldn’t land in the November security update. This process exists so that Google can coordinate with OEMs, which can then release the patches for their own devices at roughly the same time as Google makes them public.
The coordinated release also ensures that at least some devices get fixed for the vulnerabilities that are made public. However, those that get no updates (or won't get any for some time) may still remain exposed to new attacks that take advantage of the new software flaws.
Other Serious Flaws Fixed In The November Update
The Android team found only two critical vulnerabilities in the latest version of Android itself, which is an improvement from the previous two months. However, one of those flaws is related to the mediaserver library once again. Despite the sandboxing of various mediaserver library components in Android 7.0, the team is still able to find more critical or high-severity bugs in it almost every month.
Other high-severity and moderate flaws were also found in this library, as well as in the graphics, Bluetooth, OpenJDK, System UI, Android Runtime, and even the BoringSSL crypto components of the operating system. Google also found multiple critical and high-severity bugs in Qualcomm’s crypto and camera drivers, as well as in Nvidia’s GPU drivers.
Google’s monthly security bulletins and patches have been a step forward for the security of the Android ecosystem, but they have also shown just how vulnerable unpatched Android devices could be--Google finds dozens of new critical-, high-, and moderate-severity Android bugs every month.
Google may still be able to protect the majority of users against these attacks through its anti-malware service (“Verify Apps”), but this likely doesn’t work as well for targeted attacks against individuals or even against small-scale (sub-100,000 users) infections that may be harder to identify quickly in the wild.