Google recently released a very interesting security patch for November.
The security bulletin includes many critical vulnerabilities, with the most notable ones being the Dirty COW, Drammer and several more driver vulnerabilities for Pixel and Pixel XL devices that were recently released by Google.
The patch divides into 3 parts:
- The first part, marked as 2016-11-01, relates, as usual, to more software oriented vulnerabilities affecting almost all of the Android devices.
- The second part, marked as 2016-11-05, relates to more hardware oriented vulnerabilities and applicability is subject to the specific device hardware.
- The third part, 2016-11-06, is the most irregular and addresses the Dirty COW vulnerability (described below), which was added into this patch after the former 2 parts had already been developed, yet it is too urgent to postpone to next month’s release.
The most notable vulnerabilities include one related to another security flaw (below) that leads to a remote code execution in the Mediaserver, and one that is a privilege escalation in the Libzipfile. The latter one is related to older versions of Android- 4.4.4, 5.0.1, 5.1.1, but those are still very popular in the wild (Almost 60% at the time of this post).
As referenced above, the most notable vulnerability in this patch is the Drammer vulnerability. Drammer is a new attack taking advantage of the Rowhammer hardware vulnerability. The Rowhammer is a bug where bits occasionally flip, after reading many times from a specific memory location (like hammering on an object). The Drammer exploit is the first of its kind for mobile devices and impacts devices running an ARM processor.
It allows the exploit to gain root permission without any software vulnerability, meaning a 3rd party app requesting zero permissions might still gain root access using Drammer. As this is a hardware bug, it is very difficult to patch it through a software update. Google has updated their device drivers, but the solution is still not publicly announced.
The infamous Dirty COW vulnerability, discovered last month as a Linux kernel vulnerability, allows remote access to the device. It is a race condition in the Copy-on-Write (COW) mechanism. It has been discovered due to a http packet capture containing an exploit of the malicious code.
Google claims that there has not been any reported exploitation of any of the above, including Dirty COW. Although the third part seems to be the most critical one, the vast majority of the vendors do not release more than one security patch a month. Most Android devices will stay vulnerable to Dirty COW at least until the next security patch, which should include all the patches by then.