This article is more than 1 year old
Don't have a Dirty COW, man: Android gets full kernel hijack patch
Meanwhile, another nasty Linux bug surfaces
Google has posted an update for Android that, among other fixes, officially closes the Dirty COW vulnerability.
The December 2016 update covers a total of 74 CVE-listed security vulnerabilities in Android devices. These fixes should be landing on Nexus handsets devices very soon, if not already, and installed as soon as possible; other devices should be getting the updates shortly, depending on how on-the-ball your manufacturer and cell network is – you may never, sadly, see the updates at all if your gadget is too old.
As an aside, Google has also fixed up six security holes present in Android-powered gadgets such as smart locks. Again, how these software updates end up being pushed to people's devices is down to the manufacturers.
Six of the patches in the batch address elevation of privilege vulnerabilities Google has rated as "critical" security risks as they allow installed applications, or hijacked apps, to take over devices.
Also fixed in the December update is CVE-2016-5195, the elevation of privilege flaw known as Dirty COW. The programming blunder can be exploited by a malicious installed program to gain root privileges via the copy-on-write mechanism in Android's Linux kernel.
The fix for Dirty COW was optional in the November patch batch: Google tagged it as a "supplemental" fix. Now, this month, it's in the core set of fixes for everyone to pick up.
Dirty COW was found to be in Linux kernel builds as far back as 2007, making the flaw present in not only servers and mobile devices, but in Linux-based appliances and connected devices as well.
Meanwhile, as one major Linux kernel hole is fixed, another is being discovered and publicized.
CVE-2016-8655 is a privilege escalation flaw that could allow an unprivileged process to gain root-level execution on a local machine.
Researchers note that the flaw can be exploited to get total control over Linux distros as well as containers. The vulnerability has been present in the Linux kernel since 2011 and a fix was posted on November 30.
Users and administrators should patch their Linux systems as soon as an update for their distro becomes available. A fix for the flaw was not included in this month's Android update. ®