A new exploit, using a nine-year-old bug, can allow anyone to root an Android device in as little as five seconds.
The bug is being referred to as "dirty cow" and was introduced into the core Linux kernel in 2007. The bug is said to be easy to exploit.
The flaw was discovered by Phil Oester, who has been capturing all inbound HTTP traffic. In an interview with V3, he said that the attack is easy to execute and it never fails. He also said that the flaw might have been "around for years." The kernel involved in the exploit is named CVE-2016-5195 and has been around for 11 years. The flaw was reportedly patched by Linus Tovalds. However, a later update undid the patch created by Tovalds.
Exploiting this bug is relatively simple as it requires uploading a file to the target system. The execution of the file can provide the hacker with privileged access to the system. While the exploit has now been patched, it is believed that it is not a permanent solution. The patch works by disabling some functions of virus scanners which are used for inspecting other processes.
PCMag quoted a researcher highlighting the long lifecycle of Linux bugs. It is said to take, on an average, five years to fix bug flaws on Linux. This is worrisome due to the large number of devices using the operating system. The Android operating system is based on a Linux kernel.