Ubuntu Core Snaps door shut on Linux's new Dirty COWs
When did Linux start becoming like Windows?
Posted in Security, 3rd November 2016 15:43 GMT
Canonical has released Ubuntu Core 16 for IoT, featuring Linux self-patching for a generation of users against future Bash or Dirty COWs.
Ubuntu Core 16 features Snaps, a zip file concept Canonical says will streamline IoT device updates protecting against hackers and data loss. Snaps shipped in Ubuntu 16.10 but Ubuntu Core is the 70Mb edition for devices.
Alas, this won't work on existing devices running Linux – just new ones.
It comes as Linux reels from the unearthing of the latest hidden code bomb to have put users at risk.
Dirty COW has surfaced after nine years in Linux, since kernel 2.6.22, permitting malicious code access to Linux systems including Android smart phones.
Before that, the headline grabber was Shellshock, which exploited a decades-old vulnerability that attacked the program used to execute command lines and scripts in Unix-based systems.
Mark Shuttleworth, Canonical founder and Ubuntu daddy, told The Reg: "We always saw Windows as the vulnerable platform but now old Linux devices are seen as the real vulnerability."
Snaps targets IoT from items like cameras to network routers.
They contain code from the Linux kernel maker, Canonical for the Ubuntu distro, and the device maker and ISVs whose code might be resident onboard.
Canonical will aggregate updates in Snaps with code downloaded to a device.
The idea is that should another Bash or Dirty COW-style or other vulnerability be discovered, an update can be pushed down via Ubuntu Core 16’s Snaps.
Shuttleworth claimed a surge of interest from "brands". Initial backers are IBM, Dell, Intel, Linaro and Open Source Robotics Foundation. Dell had beta Ubuntu Core 16 on its Dell Edge Gateways.
Endorsements are expected from other consumer electronics makers, Shuttleworth said. He pointed to the case of ASUS, brought to book by the US Federal Trade Commission in 2016 over a vulnerability discovered in its AiCloud service in 2015 that exposed personal details of 12,900 consumers connected to the internet via its routers.
ASUS agreed to establish and maintain a comprehensive security program subject to independent audits for 20 years.
"Everybody feels this pain, nobody wants a device with their brand on where they can't deliver an update or if they do, nobody updates it," Shuttleworth added. "Everybody is moving to a view they are responsible for anything they have sold." ®