Ubuntu Core Snaps door shut on Linux's new Dirty COWs

When did Linux start becoming like Windows?

By Gavin Clarke

Posted in Security, 3rd November 2016 15:43 GMT

Canonical has released Ubuntu Core 16 for IoT, featuring Linux self-patching for a generation of users against future Bash or Dirty COWs.

Ubuntu Core 16 features Snaps, a zip file concept Canonical says will streamline IoT device updates protecting against hackers and data loss. Snaps shipped in Ubuntu 16.10 but Ubuntu Core is the 70Mb edition for devices.

Alas, this won't work on existing devices running Linux – just new ones.

It comes as Linux reels from the unearthing of the latest hidden code bomb to have put users at risk.

Dirty COW has surfaced after nine years in Linux, since kernel 2.6.22, permitting malicious code access to Linux systems including Android smart phones.

Before that, the headline grabber was Shellshock, which exploited a decades-old vulnerability that attacked the program used to execute command lines and scripts in Unix-based systems.

Mark Shuttleworth, Canonical founder and Ubuntu daddy, told The Reg: "We always saw Windows as the vulnerable platform but now old Linux devices are seen as the real vulnerability."

Snaps targets IoT from items like cameras to network routers.

They contain code from the Linux kernel maker, Canonical for the Ubuntu distro, and the device maker and ISVs whose code might be resident onboard.

Canonical will aggregate updates in Snaps with code downloaded to a device.

The idea is that should another Bash or Dirty COW-style or other vulnerability be discovered, an update can be pushed down via Ubuntu Core 16’s Snaps.

Shuttleworth claimed a surge of interest from "brands". Initial backers are IBM, Dell, Intel, Linaro and Open Source Robotics Foundation. Dell had beta Ubuntu Core 16 on its Dell Edge Gateways.

Endorsements are expected from other consumer electronics makers, Shuttleworth said. He pointed to the case of ASUS, brought to book by the US Federal Trade Commission in 2016 over a vulnerability discovered in its AiCloud service in 2015 that exposed personal details of 12,900 consumers connected to the internet via its routers.

ASUS agreed to establish and maintain a comprehensive security program subject to independent audits for 20 years.

"Everybody feels this pain, nobody wants a device with their brand on where they can't deliver an update or if they do, nobody updates it," Shuttleworth added. "Everybody is moving to a view they are responsible for anything they have sold." ®

Sign up to our NewsletterGet IT in your inbox daily

50 Comments

More from The Register

'Urgent data corruption issue' destroys filesystems in Linux 4.14

Using bcache to speed Linux 4.14? Stop if you want your data to live

Linux 4.15 becomes slowest release since 2011

It needs a ninth release candidate, thanks in part to Meltdown and Spectre

Until last week, you could pwn KDE Linux desktop with a USB stick

Tweak VFAT volume to execute arbitrary code

Samsung to let proper Linux distros run on Galaxy smartmobes

Even penguintastic desktops when lodged in DeX dock

Samsung shows off Linux desktops on Galaxy smartmobes

Video Ubuntu – all of it – running Eclipse on a phone, and a DeX dock

Windows Subsystem for Linux is coming to Windows Server

CMD, PowerShell and Bash. Three command line interfaces should be enough for anyone?

PowerShell comes to MacOS and Linux. Oh and Windows too

PowerShell Core 6.0 arrives for your CLI-wielding pleasure

Linux-using mates gone AWOL? Netflix just added Linux support

Brace yourselves, netadmins, streamer's promising more and chunkier vids everywhere

What's that fresh, zesty fragrance? Oh, Linux Mint 18.3 has landed

System reports, snapshots, improved app store, backups

SQL Server 2017's first rc lands and – yes! – it runs on Linux

Penguinistas knock, Redmond lowers the Drawbridge