As part of the Android 12 QPR3 Beta which previews the June Feature Drop, Google has included a fix for the major Dirty Pipe exploit affecting Pixel 6 and Pixel 6 Pro.
Last month, security researchers shared details of an exploit — dubbed “Dirty Pipe” — that would allow an attacker to gain full control of a Linux-based device, including Chromebooks and Android phones. Fortunately, the list of affected Android devices was quite small, limited only to those with a fairly recent version of the Linux kernel, but this meant that the latest flagships from Google and Samsung, the Pixel 6 and Galaxy S22 series respectively, were vulnerable.
The fix for Dirty Pipe was privately shared with Google in February and accepted into Android later that month. This led some to believe that the fix for Dirty Pipe would be included with either the March or April security patches for the Pixel series, but this was not the case. Meanwhile, Samsung has since claimed to have patched Dirty Pipe for the Galaxy S22 in its April update.
As Dirty Pipe is an issue in the core Linux kernel that Android is built upon, any fix for it will require an update to the Linux kernel. Conveniently, Google includes a date with their Linux kernel build names, which can be found in Settings > About Phone > Android version > Kernel version. While using the April 2022 update, you’ll see a listed date of January 21, 2022, over a month before Dirty Pipe was first reported to Google.
This morning, Google released its second beta release of the next Android 12 based Feature Drop — dubbed “QPR3” for “Quarterly Platform Release” — for Pixel phones, set to release in June. With this latest beta update installed on the Pixel 6 or 6 Pro, viewing the kernel version reveals that the new build is from March 15.
According to Android kernel developer Mile on Twitter, the latest QPR3 Beta does indeed include the necessary patch for Dirty Pipe. We’ve reached out to Google for confirmation of the fix, but they have not yet responded.
Another lingering question is whether Pixel 6 owners who aren’t enrolled in the beta will need to wait until the Feature Drop in June or if the May security patch will bring the fix. With any luck, it will be the latter, given the severity of the Dirty Pipe exploit and its potential for an attacker to take full control of a device without any special permissions.
This article was updated shortly after publication to reflect early confirmation of the fix.
More on Pixel:
- Google rolls out Android 12 QPR3 Beta 2 for Pixel
- Google Phone app starts rolling out Material You-inspired dialer to Pixels
- Google hardware gets unified security reward program that covers Pixel, Nest, and Fitbit
Author: Kyle Bradshaw
Source: 9TO5Google