Slashdot Mirror


Android's Latest Update Doesn't Patch Major Security Flaw 'Dirty COW' (engadget.com)

The November Android security update is live and it fixes 15 critical vulnerabilities, but it doesn't patch a major Linux kernel exploit that can give hackers quick and complete access to devices running on Google's OS. From a report on Engadget: Researcher Phil Oester discovered the flaw (CVE-2016-5195) in October, though he believes it's existed since 2007. The exploit is known as "Dirty COW" because of its basis in copy-on-write systems (and maybe because that name is adorable). With this month's security update, Google did roll out a "supplemental" firmware fix for Dirty COW across Nexus and Pixel devices. Plus, Samsung released a patch for its devices this month, according to Threatpost. An official Android patch for the Dirty COW issue is expected to land in December.

23 comments

  1. My Grandma asked if she should be worried. by Anonymous Coward · · Score: 4, Insightful

    I told her to root her phone, get the source code and fix it herself.

    Problem solved.

    1. Re:My Grandma asked if she should be worried. by just+another+AC · · Score: 1

      I told her to root her phone,

      In Australia, when you use "root" as a verb, it means to procreate. (Yes, this is a problem given how "gaining root access" is a more common discussion.)

      I now cannot get that image out of my head. Thanks for ruining my day.

    2. Re:My Grandma asked if she should be worried. by antdude · · Score: 1

      What did she say and did she do it? :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

    3. Re:My Grandma asked if she should be worried. by Big+Hairy+Ian · · Score: 1

      What's the point? Only about 1% of devices will actually get the patch.

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  2. and maybe because that name is adorable by Anonymous Coward · · Score: 0

    i like to lick it and stick it

    1. Re:and maybe because that name is adorable by Anonymous Coward · · Score: 0

      You can just grab women by the pussy, our president-elect says it's perfectly OK. No problem at all, it's totally acceptable to walk up to random women and grab them by their vaginas. HOW COOL IS THAT? Welcome to America!

    2. Re:and maybe because that name is adorable by Anonymous Coward · · Score: 0

      You can only do that if you're a star. And you don't do it to random women, only the hot ones. Way cool.

  3. Fixed it is ... so why say it is not? by Anonymous Coward · · Score: 0

    So it is fixed, but it is not fixed? Is this clickbait or what?

    1. Re:Fixed it is ... so why say it is not? by Anonymous Coward · · Score: 0

      It's a partial fix, with the full patch coming in December. Saw only two sites report this correctly until now.

  4. Is there an open source app utilizing it to root? by Anonymous Coward · · Score: 0

    Is there an open source app utilizing it to root?
    Since this exploit is in basically all Android devices since the beginning (as well as many other embedded Linux devices!), shouldn't it be straightforward to make a 'rootkit' using it to help people unlock/reflash the majority of devices out there, at least for userspace purposes? (Anything with TrustZone or locked bootloaders would still be restricted on reboot/above supervisor-level privileges.)

  5. RedHat patches by emil · · Score: 1

    RedHat released backported Dirty Cow patches for the 2.6.18 kernel in EL5 last Friday.

    Why isn't Google using a RedHat kernel in Android, and applying the backported updates to /boot and /system, around OEM drivers?

    Why is the kernel "untouchable" by Google on non-Nexus devices? It didn't have to be this way. RedHat certainly makes kernel updates work with 3rd-party drivers. Oracle ksplice can even apply them without a reboot.

  6. butthurt much? by Anonymous Coward · · Score: 0

    Get off the butthurt bandwagon. Like you never said anything perverted, that wasn't true, when hanging with your same-sex friends? These people so outraged over dirty talk, it's insane. Grow up. Watch an edgy stand-up comic; you'll hear the same type of stuff. It's called being funny. People say things all the time to be funny; very little of what is said is based in reality.

    1. Re:butthurt much? by Curtman · · Score: 1

      For sure, we've all been there on the Access Hollywood bus and said ridiculous things about having molested women... WTF is wrong with your country?

  7. The Cow Meme by Calydor · · Score: 1

    All you Dirty COWs go moo.

    --
    -=This sig has nothing to do with my comment. Move along now=-

  8. Dear /. moderators by Anonymous Coward · · Score: 0

    Dear /. moderators. If the article has four paragraphs, it's probably written by someone who has no clue. There are links to four other publications in that article, and Engadget brings zero value to this report.

  9. e mail marketing by Disparo+Digital · · Score: 0

    E-mail marketing: Boost your sales with e-mail marketing and maximize your business opportunities!

  10. Non-story by The+MAZZTer · · Score: 1

    The flaw was discovered AFTER the patch was finalized. Until they invent time travel, there isn't much Google can do at that point. The next patch, which is the first one which will be finalized after the discovery of this flaw, will have the fix. That's really the best anyone can expect I'd think.

    1. Re:Non-story by Anonymous Coward · · Score: 0

      Considering Google has vastly harsher expectations for Apple and Microsoft when it comes to patching, it is not unreasonable to expect Google to at least be as fast as what they are demanding from their competitors. It just goes to show what hypocrites they are.

    2. Re:Non-story by Anonymous Coward · · Score: 0

      Waiting a month (or more) for a critical security patch is not good. I switched to Android from iOS recently, and I'm not impressed with security so far. I knew this could be a problem, but the lack of vendors caring is astonishing.

      Google chose Linux, and now it's time to keep up with it.