It’s good to see Google push out a security update for its Android operating system, fixing a number of serious security holes – including a critical vulnerability that could allow a hacker to remotely execute malicious code on your device just by tricking you into opening an email or browse a website containing a boobytrapped media file.
It’s bad news, however, for anyone hoping to see a fix for the high profile Dirty COW vulnerability – as no fix for that appears to have made it into Google’s update this time around.
(Update: See below – Google has released a supplemental Dirty COW fix for its Pixel and Nexus devices.)
Dirty COW has been fixed in the Linux kernel, but clearly that fix hasn’t trickled down to Android yet.
And even when it does – depending on what Android device you happen to have, it’s far from a certainty that you will either see hide nor hair of the security update. Google and Samsung devices tend to get their security updates reasonably quickly, but for purchasers of some of the other Android devices things are much more of a lottery.
All of this means, of course, that Android users are vulnerable. Which – depending on your point of view – might be a good or bad thing.
That’s because, somewhat ironically, Dirty COW could be used by Android owners to add additional features (such as tethering) that their manufacturers and carriers have denied to them. But it could also be used with malicious intentions against unsuspecting Android users.
It’s not really in anyone’s interest for Dirty COW to remain a vulnerability in Android. But, even when it is finally patched in the operating system, I do wonder how many people will ever get to see the update.
Android security really is a bit of a mess if you’re not buying your device directly from the likes of Google.
Update: Mea culpa. As regular commenter Bob describes below, although Google’s November security bulletin does not include a fix for Dirty COW, supplemental security updates *have* been issued for Google’s Nexus and Pixel devices.
As ThreatPost reports, Samsung has also released a fix for Dirty COW this month:
While Google didn’t issue an official fix for the Dirty Cow vulnerability (CVE-2016-5195), it did release “supplemental” firmware updates for its Nexus and Pixel handsets. According to Michael Cherny, head of security research at Aqua Security, Samsung also released the fix for Dirty Cow this month (SMR-NOV-2016), while other handset makers have not.
Apologies for the confusion. It really is hard to get one’s head around the tangled web of Android security.