Google’s November Android Security Bulletin, released Monday, patched 15 critical vulnerabilities and addressed 85 CVEs overall. But conspicuously absent is a fix for the Linux race condition vulnerability known as Dirty Cow (Copy-on-Write) that also impacts Android.
While Google didn’t issue an official fix for the Dirty Cow vulnerability (CVE-2016-5195), it did release “supplemental” firmware updates for its Nexus and Pixel handsets. According to Michael Cherny, head of security research at Aqua Security, Samsung also released the fix for Dirty Cow this month (SMR-NOV-2016), while other handset makers have not.
According to Google, patches for Dirty Cow will be formally introduced for other Android handset makers in its December Android Security Bulletin.
It should be noted, starting with this month’s Android Security Bulletin, Google introduced new categories for patches and fixes that include, partial, complete and supplemental. The new patch levels, Google said, are meant to “provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices.”
While “partial” and “complete” designations are self evident “supplemental security patch levels are provided to identify devices that contain fixes for issues that were publicly disclosed after the patch level was defined.” Google said.
Dirty Cow was the only “supplemental” security patch level issued for this bulletin.
Google patched 12 critical elevation of privileges vulnerabilities, nine of those tied to flaws found within the Android subsystem kernels. Some of those flaws, according to Google, are related to the Android SCSI driver (CVE-2015-8962), media driver (CVE-2016-7913) and Android’s memory manager called ION (CVE-2016-6737).
The ION vulnerability (AKA Drammer) was reported last month by VUSec Lab. The flaw is tied to a problem with Android hardware and DRAM memory modules that can allow attackers to get root-level access to target devices. The vulnerability could give an attacker root access to millions of Android handsets including Nexus, Samsung, LG and Motorola.
Particularly problematic, according to Google, is NVIDIA’s GPU driver that Google said had seven elevation of privilege vulnerabilities. “An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device,” Google wrote in its security bulletin.
Google also patched five critical remote code execution vulnerabilities tied to Android device components such as the problem-plagued Mediaserver (CVE-2016-6699) component. The vulnerability, found by researcher Weichao Sun of Alibaba, could enable an attacker using a specially crafted media file to cause memory corruption within the Mediaserver component and execute remote code.
Three critical patches were also reported for Qualcomm components just a month after Google issued the last patch for its high-profile QuadRooter vulnerability putting 900 million Android handsets at risk. The new Qualcomm risks, according to Google, are tied to a Qualcomm crypto driver flaw (CVE-2016-6725) and an elevation of privilege vulnerability in Qualcomm’s bootloader (CVE-2016-6729).
“We have had no reports of active customer exploitation or abuse of these newly reported issues,” Google said of its security bulletins.
A number of security researchers are acknowledged by Google for discovering the vulnerabilities. Among the most prolific is Gengjia Chen and “Pif” of IceSword Lab that reported twelve vulnerabilities followed by five researchers that make up the CORE Team, with eight reported November vulnerabilities.
