A flaw called Dirty Cow was recently discovered that allows the security of the Android bootloader to be bypassed. Most Linux distros have patched the bug but it seems that Google are yet to do so with Android with the bug still present after the November security updates.
Dirty Cow is an escalation-of-privilege vulnerability that was introcuded to the Linux kernel in 2007 and was made public in mid October of this year. The fact that it was made public led everyone to believe that it would be fixed in the November security update. Dirty Cow is the vulnerability used by developers to unlock the bootloader of the “unlockable” Verizon Pixel phones. Warnings were tweeted out by noted hackers for those with Verizon Pixel phones regarding the then-upcoming security updates:
Heads up, dePixel8 will stop working with the November updates, get it now
— Jon Sawyer (@jcase) October 28, 2016
Bootloader unlock for the Verizon PIxels released (not my work). Will be patched in November. I'd better get SuperSU released as well… 🙂 https://t.co/1SdneWTRD8
— Chainfire (@ChainfireXDA) October 28, 2016
However, after the security update OTA arrived, it seems that the Verizon Pixel bootloader unlock was still functional:
um unexpected, dePixel8 still works on the NDE63X Pixel update …. @firewaterdevs
— Jon Sawyer (@jcase) November 7, 2016
While the November security update did bring some important bug fixes, such as yet more Stagefright-style vulnerability fixes, it did not fix Dirty Cow.
According to Hiroshi Lockheimer, SVP of Android, Chrome OS, and Google Play, monthly Android security patches are released to the public a month after they have been released to manufacturers. The idea behind this is that OEMs can, in theory, roll out their security patches at the same time as Google does to Nexus and Pixel devices. A Google spokesperson told Ars Technica that the Dirty Cow patch would arrive with the December security update.
In the meantime, those who used Dirty Cow to root their devices can continue to do enjoy full control over their device. How the patch will affect bootloaders etc that are already unlocked when it arrives in December is unknown. It is good to see security updates every month, but you would expect more urgent patches to arrive as soon as possible after public announcement of the vulnerability.