Security Experts:

Connect with us

Hi, what are you looking for?



Google Washes Dirty COW From Android

Google’s Android Security Bulletin for November 2016 patched a total of 83 vulnerabilities in the operating system, one of which was the Dirty COW flaw in Linux kernel that was disclosed a few weeks back.

Google’s Android Security Bulletin for November 2016 patched a total of 83 vulnerabilities in the operating system, one of which was the Dirty COW flaw in Linux kernel that was disclosed a few weeks back.

Discovered by Phil Oester, the flaw was dubbed Dirty COW because it relies on a race condition in the Linux kernel, which could result in the kernel writing data to read-only memory mapping, instead of making a private copy first. The issue is caused by the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings and it can even escape containers.

Tracked as CVE-2016-5195, the bug was found to impact Android devices as well, and security researchers even published exploit codes to prove that. The Dirty COW vulnerability could be exploited to gain root access on affected Android products, and all devices running a Linux kernel higher than 2.6.22 are believed to be affected by the issue, especially with many of them not being patched in due time.

Only a few weeks after the flaw was publicly disclosed, Google released a patch for it as part of the Android Security Bulletin for November 2016, which came out on Monday. According to Google, the vulnerability is resolved on devices running the security patch level of 2016-11-06, which was the third security patch level in the new set of updates.

In its advisory, Google described the vulnerability as an elevation of privilege vulnerability in the kernel memory subsystem, explaining that it could be leveraged by a local malicious application to execute arbitrary code within the context of the kernel. The bug was rated Critical because it could lead to a local permanent device compromise, supposedly requiring a reflash of the operating system to repair the device.

All devices running Android with security patch level of 2016-11-06 include a fix for this issue. In fact, Google underlines that they also have fixes for the issues associated with the 2016-11-01 and 2016-11-05 patch levels.

One of these flaws was a Denial of service vulnerability in Proxy Auto Config (CVE-2016-6723), which could enable a remote attacker to use a specially crafted file to cause a device hang or reboot. Considered only of Moderate severity, the bug was found to affect devices running Android 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, and 7.0.

According to Nightwatch Cybersecurity researchers, the flaw can be triggered to crash a device by downloading a large Proxy Auto Config (PAC) file when adjusting the Android networking settings. The PAC files can be used as part of the network settings configuration to define the proxy servers that should be used for different types of requests.

These text files usually contain a JavaScript function that the web browser can call to determine the proxy server to use, and Android users can indicate a PAC URL to be used to download the file. Because Android doesn’t check whether the PAC file may be too large to load into memory, a Man-in-the-Middle attacker who can intercept the file could replace it with a large one of their own and crash the Android phone.

If the served file is larger than the memory available on the device, all memory is exhausted and the phone halts and then soft reboots. No data should be lost during the soft reboot, but the researchers believe that attackers could leverage the flaw to achieve remote code execution.

However, because the Denial of service bug is mitigated by multiple factors, the likelihood of exploitation is low, the researchers explain. The attack requires the user to configure a PAC file, an attacker to know about that file, and for the file to be served without SSL. Moreover, because Android doesn’t support Web Proxy Auto-Discovery Protocol (WPAD) to retrieve PAC files automatically, the flaw can’t be exploited using a rogue access point or network.

Related: Google Patches 23 Critical Vulnerabilities in Android

Related: Android Root Exploits Abuse Dirty COW Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.