Security

Ubuntu Core Snaps door shut on Linux's new Dirty COWs

When did Linux start becoming like Windows?

By Gavin Clarke

50 SHARE

Canonical has released Ubuntu Core 16 for IoT, featuring Linux self-patching for a generation of users against future Bash or Dirty COWs.

Ubuntu Core 16 features Snaps, a zip file concept Canonical says will streamline IoT device updates protecting against hackers and data loss. Snaps shipped in Ubuntu 16.10 but Ubuntu Core is the 70Mb edition for devices.

Alas, this won't work on existing devices running Linux – just new ones.

It comes as Linux reels from the unearthing of the latest hidden code bomb to have put users at risk.

Dirty COW has surfaced after nine years in Linux, since kernel 2.6.22, permitting malicious code access to Linux systems including Android smart phones.

Before that, the headline grabber was Shellshock, which exploited a decades-old vulnerability that attacked the program used to execute command lines and scripts in Unix-based systems.

Mark Shuttleworth, Canonical founder and Ubuntu daddy, told The Reg: "We always saw Windows as the vulnerable platform but now old Linux devices are seen as the real vulnerability."

Snaps targets IoT from items like cameras to network routers.

They contain code from the Linux kernel maker, Canonical for the Ubuntu distro, and the device maker and ISVs whose code might be resident onboard.

Canonical will aggregate updates in Snaps with code downloaded to a device.

The idea is that should another Bash or Dirty COW-style or other vulnerability be discovered, an update can be pushed down via Ubuntu Core 16’s Snaps.

Shuttleworth claimed a surge of interest from "brands". Initial backers are IBM, Dell, Intel, Linaro and Open Source Robotics Foundation. Dell had beta Ubuntu Core 16 on its Dell Edge Gateways.

Endorsements are expected from other consumer electronics makers, Shuttleworth said. He pointed to the case of ASUS, brought to book by the US Federal Trade Commission in 2016 over a vulnerability discovered in its AiCloud service in 2015 that exposed personal details of 12,900 consumers connected to the internet via its routers.

ASUS agreed to establish and maintain a comprehensive security program subject to independent audits for 20 years.

"Everybody feels this pain, nobody wants a device with their brand on where they can't deliver an update or if they do, nobody updates it," Shuttleworth added. "Everybody is moving to a view they are responsible for anything they have sold." ®

Sign up to our NewsletterGet IT in your inbox daily

50 Comments

More from The Register

Linux 4.19 lets you declare your trust in AMD, IBM and Intel

Wave the CPU trust flag if you're feeling safe enough

SUSE and Microsoft give enterprise Linux an Azure tune-up

Veteran penguin botherer feels the need. For speed

Amazon adds cloudy Linux desktops to encourage developers to code for EC2

Running Amazon Linux 2, which just scored long-term support

make all relocate... Linux kernel dev summit shifts to Scotland – to fit Torvald's holiday plans

Edinburgh's in Canada, right? No? Oh … umm … sorry?

Batten down the ports: Linux networking bug SegmentSmack could remotely crash systems

Patches incoming for kernel versions 4.9 and up

Penguins in a sandbox: Google nudges Linux apps toward Chrome OS

While keeping things safe

Dropbox plans to drop encrypted Linux filesystems in November

Updated Penguinistas mobilise against decision to support only EXT4

Linux 4.16 arrives, keeps melting Meltdown, preps to axe eight CPUs

Kernel team mulls ditching chip architectures nobody used

Another German state plans switch back from Linux to Windows

Lower Saxony says 'auf wiedersehen, pinguin'

Docker fave Alpine Linux suffers bug miscreants can exploit to poison containers

Now that's poetic, Justicz: Update apk and images now