Google released an Android security update that resolved 83 flaws on Monday. The security update patched 23 critical and 37 high-risk flaws, but notably did not resolve a privilege-escalation flaw (CVE-2016-5195) known as ‘Dirty COW’ that was discovered more than two weeks ago.
The Linux kernel security flaw causes a race condition. Phil Oester, the researcher who discovered the vulnerability, noted that the flaw allows a malicious app to gain root-level access to an Android device and has been exploited in the wild.
The November 2016 Android security update resolved a critical remote code execution vulnerability (CVE-2016-6699) that affects Mediaserver processing, which have been a recurring problem for Android since researchers discovered the Stagefright vulnerability last July. A malicious attacker could exploit the critical flaw using a specially crafted file to cause memory corruption. The vulnerability affects Android 7.0 devices, the advisory stated.
Qualys Director of Engineering Amol Sarwate noted the critical rating for the flaw, stressing that the vulnerability “allows attackers to take control of a device through multiple methods, including email, web browsing and MMS.” In an email to SC Media, he wrote that it is “easier to trick users into clicking links to malicious web pages and images on smartphones.”
The security bulletin included a patch for a critical flaw (CVE-2016-6700) affecting libzipfile, the C library used by Android devices for modifying zip archives. The flaw could allow malicious applications could execute arbitrary code and gain elevated privileges. The flaw affects Android 4.4.4, 5.0.2, and 5.1.1 devices.
The security update’s kernel level elevation of privilege vulnerabilities “can lead to hackers getting broad access to data on affected devices,” noted Bitglass Senior Vice President of Products Rich Campagna. “For IT security staff, this reinforces the need to protect corporate data as it’s downloaded with encryption, rights management or similar technologies,” he wrote in an email to SC Media.
Security is “still not being approached in a holistic fashion,” wrote Covata Delta Vice President and Business Head Pavan Singh to SC Media. As applications, cloud services, and devices increasingly exchange real-time data, developers must be “more proactive about the security of their applications rather than being reactive,” he added.