Connect with us

Hi, what are you looking for?



Google Washes Dirty COW From Android

Google’s Android Security Bulletin for November 2016 patched a total of 83 vulnerabilities in the operating system, one of which was the Dirty COW flaw in Linux kernel that was disclosed a few weeks back.

Google’s Android Security Bulletin for November 2016 patched a total of 83 vulnerabilities in the operating system, one of which was the Dirty COW flaw in Linux kernel that was disclosed a few weeks back.

Discovered by Phil Oester, the flaw was dubbed Dirty COW because it relies on a race condition in the Linux kernel, which could result in the kernel writing data to read-only memory mapping, instead of making a private copy first. The issue is caused by the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings and it can even escape containers.

Tracked as CVE-2016-5195, the bug was found to impact Android devices as well, and security researchers even published exploit codes to prove that. The Dirty COW vulnerability could be exploited to gain root access on affected Android products, and all devices running a Linux kernel higher than 2.6.22 are believed to be affected by the issue, especially with many of them not being patched in due time.

Only a few weeks after the flaw was publicly disclosed, Google released a patch for it as part of the Android Security Bulletin for November 2016, which came out on Monday. According to Google, the vulnerability is resolved on devices running the security patch level of 2016-11-06, which was the third security patch level in the new set of updates.

In its advisory, Google described the vulnerability as an elevation of privilege vulnerability in the kernel memory subsystem, explaining that it could be leveraged by a local malicious application to execute arbitrary code within the context of the kernel. The bug was rated Critical because it could lead to a local permanent device compromise, supposedly requiring a reflash of the operating system to repair the device.

All devices running Android with security patch level of 2016-11-06 include a fix for this issue. In fact, Google underlines that they also have fixes for the issues associated with the 2016-11-01 and 2016-11-05 patch levels.

One of these flaws was a Denial of service vulnerability in Proxy Auto Config (CVE-2016-6723), which could enable a remote attacker to use a specially crafted file to cause a device hang or reboot. Considered only of Moderate severity, the bug was found to affect devices running Android 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, and 7.0.

According to Nightwatch Cybersecurity researchers, the flaw can be triggered to crash a device by downloading a large Proxy Auto Config (PAC) file when adjusting the Android networking settings. The PAC files can be used as part of the network settings configuration to define the proxy servers that should be used for different types of requests.

Advertisement. Scroll to continue reading.

These text files usually contain a JavaScript function that the web browser can call to determine the proxy server to use, and Android users can indicate a PAC URL to be used to download the file. Because Android doesn’t check whether the PAC file may be too large to load into memory, a Man-in-the-Middle attacker who can intercept the file could replace it with a large one of their own and crash the Android phone.

If the served file is larger than the memory available on the device, all memory is exhausted and the phone halts and then soft reboots. No data should be lost during the soft reboot, but the researchers believe that attackers could leverage the flaw to achieve remote code execution.

However, because the Denial of service bug is mitigated by multiple factors, the likelihood of exploitation is low, the researchers explain. The attack requires the user to configure a PAC file, an attacker to know about that file, and for the file to be served without SSL. Moreover, because Android doesn’t support Web Proxy Auto-Discovery Protocol (WPAD) to retrieve PAC files automatically, the flaw can’t be exploited using a rogue access point or network.

Related: Google Patches 23 Critical Vulnerabilities in Android

Related: Android Root Exploits Abuse Dirty COW Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.