Dirty Cow may sound like someone’s favorite insult but it’s actually Google’s latest Android vulnerability addressed in the corresponding security update. This particular fix comes along with 49 flaws, 11 of which are rated critical fixes.
The security bulletin, released on December 5, contains details of security flaws that endanger Android devices. In addition to the bulletin, Google has also released a security update through an “over-the-air” (OTA) update.
The Google device firmware images have also been released to the Google Developer site. Security patch levels of December 05, 2016 or later address all of these issues.
More about the December Security Bulletin for Android
Google says that the most severe of the issues are critical flaws in device-specific code that could lead to arbitrary code execution in the kernel. This could cause a local permanent device compromise, which may require reflashing the OS to fix the device.
Dirty Cow a.k.a. CVE-2016-5195
This particular flaw has been located in the kernel as well as Linux distributions for almost ten years. The security flaw could allow attackers to obtain root privileges via a race condition bug and then gain write-access to read-only memory. The vulnerability was patched in both the kernel and Linux in October. However, Android devices had to wait for a fix, and unfortunately there have been exploit kits leveraging the issue in the wild.
Besides Dirty Cow, another root privilege flaw was addressed – CVE-2016-4794.
Other privilege escalation flaws were also found and fixed in the kernel and the kernel’s ION driver, together with the HTC sound codec driver and MediaTek driver. Other components were also affected by privilege escalation issues: the kernel security and kernel performance subsystems, MediaTek I2C driver, Synaptics touchscreen driver and Broadcom Wi-Fi driver.
A denial-of-service flaw was also addressed in the Android GPS system, as well as several information disclosure flaws in kernel components.
Qualcomm Component Bugs Also Fixed
More particular, a privilege escalation bug and information leaks were addressed in the December bulletin. A Telephony denial of service (TDos) vulnerability and a remote execution flaw were also handled in the Android Framesequence library.
Google has thanked multiple researchers from different companies such as Alibaba Mobile Security Group, Qihoo 360, Tencent, Baidu X-Lab and TrendMicro. Apparently, no tech giant could survive on its own in the jungle of exploits.
For full technical disclosure of all the flaws addressed in the bulletin, go to Android’s page.