Google's November Android Security Bulletin fixes dozens of critical flaws, but not the recently disclosed copy-on-write, or CoW, Linux flaw dubbed 'Dirty Cow'.
Dirty Cow, tracked as CVE-2016-5195, is an old bug affecting Linux systems, which could also be used to gain root on Android devices. Notably, when it was disclosed in October, there was already an exploit in the wild for it. Since then, as Ars Technica reported recently, it's been adapted as a rooting tool for multiple versions of Android and could be used for malicious purposes.
The update going out to Nexus and Pixel devices in coming days will be the Android security patch level 2016-11-05. This level carries the complete set of fixes for the November bulletin, excluding Dirty Cow, which instead is allocated to a 'supplemental' security patch level 2016-11-06.
However, that supplemental patch is intended for release with the December update for Pixel and Nexus devices, and Google won't require Android partners to fix it until security patch level 2016-12-01.
The supplemental security level is a third tier in Google's November patch, behind the 'partial' patch level and the 'complete' patch level.
Google notes that all Android partners were notified of all issues in the November bulletin on October 20, or one day after Dirty Cow was revealed under a coordinated disclosure.
"Supplemental security patch levels are provided to identify devices that contain fixes for issues that were publicly disclosed after the patch level was defined," Google explained in a memo.
"Addressing these recently-disclosed vulnerabilities is not required until the 2016-12-01 security patch level."
As Kaspersky Lab's news service Threatpost highlights, this early disclosure to vendors allowed Samsung, for example, to patch Dirty Cow in its November update for select Galaxy devices.
Overall, the November update going out to Nexus and Pixel devices will fix 21 critical flaws, 23 high-severity flaws, and eight moderate flaws.