Google patches Dirty Cow vulnerability in latest Android security update
Google's latest Android security update includes a fix for the Dirty Cow security flaw as one of 11 critical issues now resolved in the mobile operating system.
The latest Android security bulletin, posted on Monday, fixes over 50 security flaws, 11 of which are deemed critical. A separate round of patches from December 1 also fixes an additional 10 bugs of high importance.
"The most severe of these issues are critical security vulnerabilities in device-specific code that could enable arbitrary code execution within the context of the kernel, leading to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device," Google says.
The Dirty Cow vulnerability, CVE-2016-5195, has been present in the kernel and Linux distributions for almost a decade. As noted by Threat Post, the security flaw, which allows attackers to escalate to root privileges through a race condition bug and gain write-access to read-only memory, was patched in the kernel and Linux in October.
Android users have had to wait for a solution to the problem, of which exploit kits utilizing the security issue have been found in the wild.
Google also patched a separate critical kernel memory flaw, CVE-2016-4794, which also permits attackers to gain root privileges.
The December 5 patch string fixes privilege escalation flaws found in the kernel and the kernel's ION driver, alongside the HTC sound codec driver and MediaTek driver. The kernel security subsystem, kernel performance subsystem, MediaTek I2C driver, Synaptics touchscreen driver, and Broadcom Wi-Fi driver were also impacted by privilege escalation flaws.
Google has also fixed a denial of service bug in the Android GPS system and information disclosure vulnerabilities in various kernel components.
Nvidia GPU drivers, video and camera drivers, and Nvidia libraries have also received attention in the December security update. Google has resolved a number of problems relating to these elements including critical privilege escalation flaws in the GPU and video driver, a dangerous privilege escalation flaw in the libomx library and a set of information disclosure issues.
Security
A range of Qualcomm component bugs, including privilege escalation flaws and information leaks were also patched.
The December 1 patch string includes fixes for a remote code execution vulnerability in CURL/LIBCURL alongside privilege escalation flaws in libziparchive, Smart Lock, Framework APIs, Telephony, Mediaserver, Wi-Fi services, and Package Manager.
Google has also dealt with a Telephony denial of service bug and a remote execution flaw in the Android Framesequence library. Android devices running Android 7.0 with all updates are not affected by the privilege escalation vulnerability in Smart Lock.
Google says there are no current reports of these issues being exploited in the wild.
The tech giant thanked researchers from companies including Alibaba Mobile Security Group, Qihoo 360, Tencent, Baidu X-Lab, and Trend Micro for reporting bugs now fixed in the last update of the year.
Updates will be sent over the air to Android products including Pixel and Nexus devices, of which Android 7.1.1. was released this week. The security patch has also been uploaded to the Google Developer website.