Microsoft And Google Release Security Patches, Dirty Cow Remains Unfixed On Android

Both Microsoft and Google have pushed out their security patches for the month, covering a swathe of critical vulnerabilities in Windows operating systems, Office, Edge and Android. Microsoft has patched the zero-day bug reported by Google that caused the two companies to butt heads. Google, however, has yet to fix Dirty Cow for Android, a serious vulnerability that is one of the worst Linux privilege escalation bugs ever discovered. Here's what you need to know.

For Microsoft

Microsoft has rolled out 14 cumulative patches this month. Here is the list of patches that have been rated critical:

  • MS16-129: For Microsoft Edge. Fixes 17 security holes that would allow for remote code execution. Also fixes a browser spoofing vulnerability.
  • MS16-130: Addresses remote code execution and elevation of privileges flaws in Windows. Includes three CVE-listed bugs.
  • MS16-131: For Microsoft Video Control for Windows. Patches a remote code execution vulnerability that can be triggered through media files embedded on webpages.
  • MS16-132: For Microsoft Graphics Component. Involves remote code execution enabled by the Windows font library improperly handling specially crafted embedded fonts. Includes four CVE-listed bugs.
  • MS16-133: Fixes 12 CVE-listed bugs in Office, most of which involve remote code execution, denial of service and information disclosure.
  • MS16-142: For Internet Explorer. The bugs involve memory corruption flaws that could lead to remote code execution. There are also information disclosure bugs involved.
  • MS16-141: Addresses remote code execution flaws in Adobe Flash.

Microsoft also patched the zero-day bug flagged by Google with the MS16-135 cumulative patch. You can find all the details of the security updates over at the Microsoft Security Bulletin.

For Google

For the Android operating system, Google issued patches that covered a number of security flaws, 15 of which were rated critical:

  • Remote code execution vulnerability in Mediaserver
  • Elevation of privilege vulnerability in libzipfile
  • Remote code execution vulnerability in Qualcomm crypto driver
  • Elevation of privilege vulnerability in kernel file system
  • Elevation of privilege vulnerability in kernel SCSI driver
  • Elevation of privilege vulnerability in kernel media driver
  • Elevation of privilege vulnerability in kernel USB driver
  • Elevation of privilege vulnerability in kernel ION subsystem
  • Elevation of privilege vulnerability in Qualcomm bootloader
  • Elevation of privilege vulnerability in NVIDIA GPU driver
  • Elevation of privilege vulnerability in kernel networking subsystem
  • Elevation of privilege vulnerability in kernel sound subsystem
  • Elevation of privilege vulnerability in kernel ION subsystem
  • Vulnerabilities in Qualcomm components
  • Elevation of privilege vulnerability in kernel memory subsystem (supplementary patch)

The last one is for Dirty Cow, and there is currently only a supplementary update for Nexus and Pixel phones. As Google explains:

"Supplemental security patch levels are provided to identify devices that contain fixes for issues that were publicly disclosed after the patch level was defined. Addressing these recently disclosed vulnerabilities is not required until the 2016-12-01 security patch level."

Google said it will be issuing a full patch in its next security update.


Comments

    I'm always surprised to see Google is sometimes quick to point out security faults of other OSes but never about their own or are slower than other software companies to release a fix. I think they still have a security hole in Android that is something like a year or more old.

    Last edited 09/11/16 10:33 am
