Security

Ubuntu Core Snaps door shut on Linux's new Dirty COWs

When did Linux start becoming like Windows?

By Gavin Clarke

50 SHARE

Canonical has released Ubuntu Core 16 for IoT, featuring Linux self-patching for a generation of users against future Bash or Dirty COWs.

Ubuntu Core 16 features Snaps, a zip file concept Canonical says will streamline IoT device updates protecting against hackers and data loss. Snaps shipped in Ubuntu 16.10 but Ubuntu Core is the 70Mb edition for devices.

Alas, this won't work on existing devices running Linux – just new ones.

It comes as Linux reels from the unearthing of the latest hidden code bomb to have put users at risk.

Dirty COW has surfaced after nine years in Linux, since kernel 2.6.22, permitting malicious code access to Linux systems including Android smart phones.

Before that, the headline grabber was Shellshock, which exploited a decades-old vulnerability that attacked the program used to execute command lines and scripts in Unix-based systems.

Mark Shuttleworth, Canonical founder and Ubuntu daddy, told The Reg: "We always saw Windows as the vulnerable platform but now old Linux devices are seen as the real vulnerability."

Snaps targets IoT from items like cameras to network routers.

They contain code from the Linux kernel maker, Canonical for the Ubuntu distro, and the device maker and ISVs whose code might be resident onboard.

Canonical will aggregate updates in Snaps with code downloaded to a device.

The idea is that should another Bash or Dirty COW-style or other vulnerability be discovered, an update can be pushed down via Ubuntu Core 16’s Snaps.

Shuttleworth claimed a surge of interest from "brands". Initial backers are IBM, Dell, Intel, Linaro and Open Source Robotics Foundation. Dell had beta Ubuntu Core 16 on its Dell Edge Gateways.

Endorsements are expected from other consumer electronics makers, Shuttleworth said. He pointed to the case of ASUS, brought to book by the US Federal Trade Commission in 2016 over a vulnerability discovered in its AiCloud service in 2015 that exposed personal details of 12,900 consumers connected to the internet via its routers.

ASUS agreed to establish and maintain a comprehensive security program subject to independent audits for 20 years.

"Everybody feels this pain, nobody wants a device with their brand on where they can't deliver an update or if they do, nobody updates it," Shuttleworth added. "Everybody is moving to a view they are responsible for anything they have sold." ®

Sign up to our NewsletterGet IT in your inbox daily

50 Comments

More from The Register

Linux kernel 'give me root, now' security hole sighted, dubbed 'Mutagen Astronomy'

Red Hat Enterprise and CentOS users at risk

Love Microsoft Teams? Love Linux? Then you won't love this

Updated Learn to love the browser instead

Linux 4.19 lets you declare your trust in AMD, IBM and Intel

Wave the CPU trust flag if you're feeling safe enough

SUSE and Microsoft give enterprise Linux an Azure tune-up

Veteran penguin botherer feels the need. For speed

The D in Systemd stands for 'Dammmmit!' A nasty DHCPv6 packet can pwn a vulnerable Linux box

Hole opens up remote-code execution to miscreants – or a crash, if you're lucky

Amazon adds cloudy Linux desktops to encourage developers to code for EC2

Running Amazon Linux 2, which just scored long-term support

App-y, app-y, joy, joy: Pain-free software installer Flatpak (kinda) works on Windows Subsystem for Linux

'This is just a bit of fun to see if it can work' says dev

Malware scum want to build a Linux botnet using Mirai

Hadoop YARN is the attack vector, so lock it away

make all relocate... Linux kernel dev summit shifts to Scotland – to fit Torvald's holiday plans

Edinburgh's in Canada, right? No? Oh … umm … sorry?

Arm cozies up to Intel for second time in a week – this time to borrow tools from Yocto Project for Mbed Linux

Aww, ain't that sweet