Google on Nov. 7 released its November Android patches, which provide 83 fixes for vulnerabilities across three patch levels.
Across the patch levels—a complete patch level identified as 2016-11-05, a partial patch level identified as 2016-11-01 and the 2016-11-06 supplementary patch level—Google is patching a total of 13 vulnerabilities rated as having critical impact. Among the critical flaws being patched is CVE-2016-5195, also known as the so-called “Dirty COW” vulnerability in Linux.
The Dirty COW flaw is a privilege escalation that abuses the Copy On Write (COW) capabilities in the upstream Linux kernel. The issue was first fixed in Linux on Oct. 19. Google has included the fix for CVE-2016-5195 in its supplementary patch-level grouping.
“Supplemental security patch levels are provided to identify devices that contain fixes for issues that were publicly disclosed after the patch level was defined,” Google stated in its November security bulletin.”Addressing these recently disclosed vulnerabilities is not required until the 2016-12-01 security patch level.”
The Dirty COW issue is only one of 16 critical privilege escalation vulnerabilities that Google patched in November. Seven of the critical privilege escalation issues were found in the Nvidia GPU driver. The kernel file system is responsible for three of the privilege escalation flaws with CVE-2015-8961, CVE-2016-7910 and CVE-2016-7911.Three additional privilege escalation flaws were found in other parts of the Android kernel, including the SCSI driver (CVE-2015-8962), kernel media driver (CVE-2016-7913), kernel USB driver (CVE-2016-7912) and the kernel ION subsystem (CVE-2016-6728).
There is also a critical privilege escalation flaw in the Qualcomm bootloader. Qualcomm overall has been a source of many patched vulnerabilities in Android in recent months. In the October update, Qualcomm was the leading source of vulnerabilities with 30 patched flaws. For the November update, Qualcomm components account for 17 flaws in total, including four critical flaws (CVE-2016-6726, CVE-2016-6727, CVE-2016-6728 and CVE-2016-6725), five high-impact flaws and eight issues identified as having moderate impact.
Android’s mediaserver component once again is also part of Google’s patch update. There are a total of 13 patches in the November update for mediaserver-related flaws, though only one of them is rated as critical (CVE-2016-6699). Android’s media server and related libraries have been under scrutiny from security researchers since June 2015, when the first Stagefright flaw was revealed.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.