[TimTheTinker]

It also introduces potentially significant new attack surface.

[laumars]

No more so than any of the shells that's already available on Windows (batch scripts, WSH, Powershell). If one was to exploit scripting on Windows, it would make more sense to target the existing shells rather than Bash as they're more widespread on Windows.

Plus Bash on Windows isn't a new thing: we already have Cygwin, MinGW and I believe there was also some native Windows PE ports too. This is just a better implementation than the aforementioned three.

[dragonwriter]

Yes, insofar as anything that allows you to do anything with your computer expands the attack surface.

Like nearly everything, it's a context-dependent cost-benefit consideration.

[dspillett]

Any more so than, say, using bash and friends via cygwin or similar?

[criddell]

Maybe. Cygwin is old code and sometimes that's better than new code from a security point of view.

[flukus]

Does it expose any network service by default?