Last month, Linux security researcher Phil Oester discovered that a nine-year-old Linux kernel flaw (CVE-2016-5195) dubbed ‘Dirty COW’ is seeing active exploits in the wild. Google was expected to patch this flaw – after all, Android uses the Linux kernel – with its latest security update but as it turns out, the search giant has left out this dated flaw with its security update for November.
The November Android security update fixes 15 critical vulnerabilities associated with the platform, but surprisingly, this vulnerability discovered by Oester has still not found a fix. The extent of the danger posed by this vulnerability can be understood from the fact that Oester claims that on exploitation, it can give root access of a device to the attacker within five seconds.
“The exploit in the wild is trivial to execute, never fails and has probably been around for years – the version I obtained was compiled with gcc 4.8,” Oester said last month. The bug was initially patched 11 years ago but the fix was later undone in another code commit.
Kaspersky Lab’s Threatpost reports that while the main Android security update for the month of November did not contain a fix for the Dirty COW flaw, Google released a supplemental fix for Pixel and Nexus devices. It adds that Samsung also released a fix for its mobile devices. Google will introduce the Android-wide patch for Dirty COW in the December Android security update, the company told Threatpost.
As per the dedicated page for this flaw, exploitation of this bug doesn’t leave any traces behind. This nature of the flaw makes it even more dangerous as the users will not be made aware even when their security has been compromised.
Further details about the latest Android security update can be found over here.