Android users waiting for a fix for a newly discovered flaw that allows apps to bypass key operating-system security protections will have to wait at least another month. The just released patch batch for November, inexplicably, won’t include it.
The so-called escalation-of-privilege vulnerability dubbed Dirty Cow was introduced into the core of the Linux kernel in 2007, shortly before Google engineers incorporated the open-source operating system into Android. That means the bug, formally indexed as CVE-2016-5195, affects every version of Android since its inception. The flaw remained hidden from public view until October 19, when it was disclosed under a coordinated release that was designed to ensure a fix was ready before most people knew about it. The Android Security Bulletin scheduled to be automatically pushed to select handsets sometime this month, however, won’t fix the flaw.
“It’s a pretty big deal because it’s very easy to exploit,” Daniel Micay, a developer of the Android-based CopperheadOS for mobile phones, told Ars. “Unlike a memory corruption bug, there are not really any mitigations for it. [Google] can’t claim that mitigations stand in the way of easy exploitation for this bug (that’s a dubious claim when they do make it, but for this they can’t do it).”