Android Patch For High-Severity 'Dirty COW' Linux Kernel Flaw Delayed For At Least Another Month

[Lucian Armasu]

A patch to the high-severity "Dirty COW" vulnerability in the Linux kernel, that also affects all Android devices, missed the November deadline for Google's monthly security updates. This means the patch may not arrive at least until December.

Android Patch For High-Severity 'Dirty COW' Linux Kernel Flaw Delayed For At Least Another Month : Read more

 

[alextheblue]

Just like I said in the article where Google gave MS 7 days before going public. They've known about this since May and it's just being talked about, and still not patched. Oh and when they do patch it 90% of Android devices will remain vulnerable for an unknown amount of time, many will never get patched.

Oh and if you look around it IS being exploited in the wild and has been for some time. It's actually quite an old bug (years old), and the people exploiting it sure aren't talking about it. So who knows how far back abuse of the flaw goes. But I think 7 days should be enough, right Google?

 

[ZolaIII]

It's fair to say we made a RAM stakes from this one long time ago on Android. The ports of original Linus patch for variety of kernel versions used on Android (from 3.4 up) is available for quite some time. I know for sure it's officially merged in CM 14 along with various costume kernel builds. At least to say that a this one will be patched on most Android devices that still have running development thank to its popularity. For a devices that come DOA or didn't have maintenance for long periods of time answer is simple don't buy from that brand ever again.

Thing that passes me most is that their is a lot of similar security flaws that don't get any press attention. On open platform with such a much eye's put on it (code) at least flaws are quickly spotted & patched & that is something we simply can't say for any other closed source one.

 

[extremepenguin]

7 Days Google, that was your limit you have now had 7 Months and there is still no patch. Hippocrite much?

 

[Deleted member 1353997]

What I'd like to know is how this bug is exploitable.
Do attackers simply need to discover my device on the network?
Do they need me to install an app?
Is physical access necessary?

 

[mxttie]

My nvidia shield was patched for dirty cow last week

 

[techy1966]

Dirty Cow who names these? Also was it not Google that says 7 days is enough time so where is the patch Google and are you going to force Phone makers release it to both new and older phones so they are not exposed to the exploit after all you were quick to fault MS for taking 7 days for not posting a patch for the flaw you exposed to the world with Windows.

Also what is wrong with Toms Hardware page? I use Firefox and on 3 different systems with different hardware spec the Toms hardware page seems to make Firefox stop responding on those 3 systems I use after being on the page for a bit. I would think it has something to do with one of the ad's on the page not playing nice with either your page code or Firefox itself it probably is time to take a look at it. This has been happening for about 2 weeks now so there is the time frame as to where to look at what has changed on these pages. Thanks

 

[chicofehr]

I'm a Blackberry 10 user and curios about side loading the OS or updates for unsupported devices. Is that possible? I'm just used to getting perpetual support for old devices sort of similar to the iphone. I'll have to switch to Android eventually as BB10 will cease to get updates in about a year but want to continue to get updates for 3-5 years like before.

 

[ddpruitt]

it may also be under active exploitation (or if it hasn't been so far, it certainly will be now that it's public)

The bug was first discovered in May,

Jesus Christ, don't you guys actually do any journalism anymore before posting stuff? Both of these statements are wrong and misleading. The bug was found because it was under active exploitation. and it was not discovered in May. CVEs (like Hurricane names) are allocated in batches ahead of time May was when the CVE was first reserved

Phil Oester discovered the flaw on October 13th and it was patched upstream by October 21st. The patch hasn't made it downstream to Android yet. Due to the kernel version that it was discovered in its likely that most older devices will never receive the patch since it would require changes on older kernels where the fix will be different and it might break things.

Giving out bad information is far worse than giving out no information. 30 seconds of reading would have prevented this dangerously inaccurate information from being published.

 

[alextheblue]

Looks like Torvalds discovered it years ago, actually.

https://lkml.org/lkml/2016/10/19/860

 

[bit_user]

What I'd like to know is how this bug is exploitable.

It's a privilege escalation bug. So, they'd either need to login to your box/device as a non-root user, or they'd have to remotely exploit a bug in a program (such as a web browser or media player) to execute code which can then get root and do whatever it wants.

So, if your box or device is otherwise well-secured, then the risk isn't terribly high. But security holes in Java, web browsers, and the libraries they use are being discovered all the time. So, I think it's fair to say there's some risk to client devices like phones and desktops.

Of course, if you install & run untrusted apps, they might be trojans/malware that can more easily exploit this to take over your device and add it to a bot net, etc.

Dirty Cow who names these?

The article says:

Dirty COW has been so named because the bug affects the Copy On Write (COW) resource management mechanism.

The word "dirty" refers to the way the virtual memory management system tags memory pages as being "dirty", when they contain modifications.

I don't know if this is any sort of official name, or just how the kernel developer community is informally referring to it.