Android users left exposed to 'Dirty COW' flaw

Google's latest collection of Android security patches has failed to address an actively and easily exploited privilege escalation security flaw known as 'Dirty COW'.

The flaw - with Common Vulnerabilities and Exposures tag CVE-2016-5195 - was discovered last month and affects the Linux kernel used in Android to take advantage of a bug in the copy on write performance optimisation feature.

Dirty COW has been patched in the mainstream Linux kernel.

But it is thought to have existed for some nine years, so affects every version of Android.

Google has issued a supplemental update to its November patches, but won't require Android partners to implement the Dirty COW fix until December. The company insisted it has had no reports of active customer exploitation or abuse of the issues.

The November patch level does fix the critical deterministic Rowhammer memory attack known as DRAMMER, that could be used to gain root superuser privileges on Android devices.

It also plugs a critical flaw in the troublesome Android Mediaserver component, that Google said "could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files".

The flaw in Mediaserver could be exploited by sending a specially crafted attachment, or luring people to visit a malicious web page, with no user interaction needed.

A further 16 high-risk flaws are patched in the main November bunch of fixes. Google also issued a second, 2016-11-05 patch level that includes fixes for 21 critical flaws in kernel hardware drivers and file systems, Android networking and sound, and the USB subsystem.