​Fix for critical Android rooting bug is a no-show in November patch release

    Android users waiting for a fix for a newly discovered flaw that allows apps to bypass key operating-system security protections will have to wait at least another month. The just released patch batch for November, inexplicably, won't include it.

       The so-called escalation-of-privilege vulnerability, dubbed Dirty Cow, was introduced into the core of the Linux kernel in 2007, shortly before Google engineers incorporated the open source operating system into Android. That means the bug, formally indexed as CVE-2016-5195, affects every version of Android since its inception. The flaw remained hidden from public view until October 19, when it was disclosed under a coordinated release that was designed to ensure a fix was ready before most people knew about it. The Android Security Bulletin scheduled to be automatically pushed to select handsets sometime this month, however, won't fix the flaw.

         "It's a pretty big deal because it's very easy to exploit," Daniel Micay, a developer of the Android-based CopperheadOS for mobile phones, told Ars. "Unlike a memory corruption bug, there are not really any mitigations for it. [Google] can't claim that mitigations stand in the way of easy exploitation for this bug (that's a dubious claim when they do make it, but for this they can't do it)."