Google released an Android patch to take care of the Dirty COW vulnerability, but timing issues kept it from being part of the full November security update.
The November security update for Android includes patches for 82 flaws, but the patch for Dirty COW is listed as supplemental, meaning the issue has been resolved, but the patch is currently optional. Android OEMs have the option to push a partial update, including the Android patch for Dirty COW, but it won't be a required part of a monthly Android security update until December.
Dirty COW is a Linux vulnerability that can allow privilege escalation and root access if exploited. The flaw was publicly disclosed in mid-October, and experts said Google didn't have time to coordinate with OEMs to include the Android patch in the November security update.
Tod Beardsley, senior security research manager at Boston-based Rapid7, said the absence of the Android patch in the November update "appears to have simply been a timing issue -- the complete patch level was already released to OEM vendors a month ago, and the patch for Dirty COW was not available at that time."
Mike Pittenger, vice president of security strategy at Black Duck Software Inc., based in Boston, noted that even though the patch is supplemental, some users may still be receiving it.
"Google has a process for coordinating releases with OEMs so that all vendors can issue an update at roughly the same time the bugs are made public," Pittenger told SearchSecurity. "While a supplemental patch was issued for Nexus and Pixel handsets, and Samsung has generated its own patch, other vendors remain vulnerable."
Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said there may have been delays in users receiving the update even if Google had the time to coordinate with OEMs.
"There will still be a large number of users [who] will still not receive the fix, as we've already seen OEMs not pushing security updates for older generations [of] Android devices. This means they'll possibly be exposed indefinitely, even if a fix exists," Arsene told SearchSecurity. "While not having a full-fledged patch for Dirty COW does add more risk to Android users, it's highly recommended that for the time being, users should stick to downloading applications [from] the official store, as they're less likely to include the malicious code."