Android's security update for November 2016 - good news and bad moos

Has your smartphone or tablet been protected yet against the Dirty COW vulnerability?

Android's security update for November 2016 - good news and bad news

It's good to see Google push out a security update for its Android operating system, fixing a number of serious security holes - including a critical vulnerability that could allow a hacker to remotely execute malicious code on your device just by tricking you into opening an email or browse a website containing a boobytrapped media file.

It's bad news, however, for anyone hoping to see a fix for the high profile Dirty COW vulnerability - as no fix for that appears to have made it into Google's update this time around.

(Update: See below - Google has released a supplemental Dirty COW fix for its Pixel and Nexus devices.)

Dirty COW has been fixed in the Linux kernel, but clearly that fix hasn't trickled down to Android yet.

And even when it does - depending on what Android device you happen to have, it's far from a certainty that you will either see hide nor hair of the security update. Google and Samsung devices tend to get their security updates reasonably quickly, but for purchasers of some of the other Android devices things are much more of a lottery.

Dirtycow htc

All of this means, of course, that Android users are vulnerable. Which - depending on your point of view - might be a good or bad thing.

That's because, somewhat ironically, Dirty COW could be used by Android owners to add additional features (such as tethering) that their manufacturers and carriers have denied to them. But it could also be used with malicious intentions against unsuspecting Android users.

It's not really in anyone's interest for Dirty COW to remain a vulnerability in Android. But, even when it is finally patched in the operating system, I do wonder how many people will ever get to see the update.

Android security really is a bit of a mess if you're not buying your device directly from the likes of Google.

Update: Mea culpa. As regular commenter Bob describes below, although Google's November security bulletin does not include a fix for Dirty COW, supplemental security updates *have* been issued for Google's Nexus and Pixel devices.

As ThreatPost reports, Samsung has also released a fix for Dirty COW this month:

While Google didn’t issue an official fix for the Dirty Cow vulnerability (CVE-2016-5195), it did release "supplemental" firmware updates for its Nexus and Pixel handsets. According to Michael Cherny, head of security research at Aqua Security, Samsung also released the fix for Dirty Cow this month (SMR-NOV-2016), while other handset makers have not.

Apologies for the confusion. It really is hard to get one's head around the tangled web of Android security.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

3 Responses

  1. Bob

    November 8, 2016 at 9:11 pm #

    Graham, take a look at this story.

    TL;DR – Google (Nexus & Pixel) and Samsung have both fixed the Dirty Cow vulnerability in their own handsets.

    "While Google didn’t issue an official fix for the Dirty Cow vulnerability (CVE-2016-5195), it did release “supplemental” firmware updates for its Nexus and Pixel handsets. According to Michael Cherny, head of security research at Aqua Security, Samsung also released the fix for Dirty Cow this month (SMR-NOV-2016), while other handset makers have not."

    https://threatpost.com/google-releases-supplemental-patch-for-dirty-cow-vulnerability/121843/

  2. Matthew Parkes

    November 9, 2016 at 10:18 am #

    I have an s7 edge and I haven't seen any sign of any primary or supplemental updates to Android or is this in the US thing and the UK might get it in 6 months?

    • Bob in reply to Matthew Parkes.

      November 9, 2016 at 11:39 am #

      Samsung have released it worldwide.

      http://security.samsungmobile.com/smrupdate.html#SMR-NOV-2016

Leave a Reply