Google Patches 83 Android Flaws in November Update
Vulnerabilities related to Qualcomm and the Android mediaserver continue to account for many flaws. Google fixed dozens of vulnerabilities in its November update.Google on Nov. 7 released its November Android patches, which provide 83 fixes for vulnerabilities across three patch levels. Across the patch levels—a complete patch level identified as 2016-11-05, a partial patch level identified as 2016-11-01 and the 2016-11-06 supplementary patch level—Google is patching a total of 13 vulnerabilities rated as having critical impact. Among the critical flaws being patched is CVE-2016-5195, also known as the so-called "Dirty COW" vulnerability in Linux. The Dirty COW flaw is a privilege escalation that abuses the Copy On Write (COW) capabilities in the upstream Linux kernel. The issue was first fixed in Linux on Oct. 19. Google has included the fix for CVE-2016-5195 in its supplementary patch-level grouping. "Supplemental security patch levels are provided to identify devices that contain fixes for issues that were publicly disclosed after the patch level was defined," Google stated in its November security bulletin."Addressing these recently disclosed vulnerabilities is not required until the 2016-12-01 security patch level."
The Dirty COW issue is only one of 16 critical privilege escalation vulnerabilities that Google patched in November. Seven of the critical privilege escalation issues were found in the Nvidia GPU driver. The kernel file system is responsible for three of the privilege escalation flaws with CVE-2015-8961, CVE-2016-7910 and CVE-2016-7911.Three additional privilege escalation flaws were found in other parts of the Android kernel, including the SCSI driver (CVE-2015-8962), kernel media driver (CVE-2016-7913), kernel USB driver (CVE-2016-7912) and the kernel ION subsystem (CVE-2016-6728).