November's Android Security Bulletin Patches Drammer and Dirty COW Exploits

Google released today Android's Security Bulletin for the month of November, which among a total of 83 security vulnerabilities has also patched two high profile bugs identified as Drammer and Dirty COW.

Drammer is a variation of the Rowhammer attack, which consists of bombarding a row of RAM memory cells with constant data in order to trigger electromagnetic changes in nearby cells and alter a computer's memory.

The Rowhammer attack was discovered in 2014, and through time, researchers have created attacks that can be carried out on DDR3 and DDR4 memory cards, via JavaScript, against Microsoft Edge to take over Windows 10 PCs, and against Linux virtual machines to take over data center servers.

The latest variation of the Rowhammer attack that targets Android devices came to light in October and was called Drammer. The researchers that created the Drammer attack said that millions of devices may be vulnerable, including high-end Android smartphone models such as LG Nexus, LG G4, Motorola Moto G, Samsung Galaxy, Lenovo K3 Note, HTC Desire 510, OnePlus One, and more.

Researchers said they told Google about the issue back in July, and that a patch had been sent to Android smartphone vendors for weeks by the time their research became public.

Dirty COW exploit fixed in last minute Android patch

The second high-profile Android bug patched this month is called Dirty COW and is an issue that affected all Linux Kernels released in the past nine years.

Since several Android versions employed Linux kernels vulnerable to this flaw, Google was on tight schedule to put out a fix for this exploit, which only came to light on October 24.

In fact, the Dirty COW exploit was far more dangerous that the Drammer attack because it affected all Android versions released since Android 1.0, which includes almost all Android devices on the market today.

Making sense of the Android November security patch levels

If you're not familiar with how Google delivers Android security patches nowadays, the company doesn't provide all fixes in one go.

Each Android Security Bulletin is split into different patch levels. Usually, the first patch level addresses issues that affect all Android systems. The second patch level is destined to issues that affect only certain OEMs or drivers specific to a limited number of devices. Once in a while, Google also puts out a third security patch level, destined for emergency last-minute fixes.

For the month of November, Google has put out the following patch levels:

Referring to the Dirty COW fix, Google said:

This means the 2016-11-06 patch level includes only a basic fix for the Dirty COW exploit, with a full patch being expected next month in December.

Users can check their latest "Android security patch level" by visiting their phone's "About" or "About device" settings section.

Among the regular fixes included in the 2016-11-01 basic patch level, Google fixed a Stagefright-like bug that allowed attackers to take overa device via multimedia files, and a DoS issue caused by oversized Proxy Auto Config (PAC) files that caused Android devices to hang or reboot.