Berkshire Hathaway is trading at more than $421,000 per Class A share, and the market is optimistic. That's a problem. From a report: The price has grown so high, it has nearly hit the maximum number that can be stored in one common way exchange computers handle digits. On Tuesday, Nasdaq temporarily suspended broadcasting prices for Class A shares of Berkshire over several popular data feeds. Such feeds provide real-time price updates for a number of online brokerages and finance websites. Nasdaq's computers can only count so high because of the compact digital format they use for communicating prices. The biggest number they can handle is $429,496.7295. Nasdaq is rushing to finish an upgrade later this month that would fix the problem. It isn't just Nasdaq.

Another exchange operator, IEX Group Inc., said in March that it would stop accepting investors' orders in Class A shares of Berkshire Hathaway "due to an internal price limitation within the trading system." It's the stock-market version of the Y2K bug. And it's becoming an increasingly urgent issue as shares of Warren Buffett's company have risen more than 20% this year, buoyed by a rising market and a return to profitability after fallout from the Covid-19 pandemic in 2020. Here's the trouble: Nasdaq and some other market operators record stock prices in a compact computer format that uses 32 bits, or ones and zeros. The biggest number possible is two to the 32nd power minus one, or 4,294,967,295. Stock prices are frequently stored using four decimal places, so the highest possible price is $429,496.7295. No other stock is anywhere near Berkshire Class A's stratospheric price levels, so it is understandable why the engineers behind Nasdaq's and IEX's systems chose the number format, which programmers call a four-byte unsigned integer.

A biotechnology firm has released genetically modified mosquitoes into the United States for the first time. Long-time Slashdot reader clovis shares the report via Nature: The experiment, launched this week in the Florida Keys -- over the objections of some local critics -- tests a method for suppressing populations of wild Aedes aegypti mosquitoes, which can carry diseases such as Zika, dengue, chikungunya and yellow fever. [...] Aedes aegypti makes up about 4% of the mosquito population in the Keys, a chain of tropical islands off the southern tip of Florida. But it is responsible for practically all mosquito-borne disease transmitted to humans in the region, according to the Florida Keys Mosquito Control District (FKMCD), which is working closely with Oxitec on the project. [...] In late April of this year, project researchers placed boxes containing Oxitec's mosquito eggs at six locations in three areas of the Keys. The first males are expected to emerge within the first two weeks of May. About 12,000 males will exit the boxes each week over the next 12 weeks. In a second phase later this year, intended to collect even more data, nearly 20 million mosquitoes will emerge over a period of about 16 weeks, according to Oxitec. "There is the usual opposition of the 'It's GMO, so it should not be done' variety," adds clovis. "As for ecological food chain considerations, one should know that aedes aegypti is not native to the western hemisphere. It is believed to have been imported from Africa during the slave trade era."

Hundreds of millions of Dell desktops, laptops, notebooks, and tablets will need to update their Dell DBUtil driver to fix a 12-year-old vulnerability that exposes systems to attacks. From a report: The bug, tracked as CVE-2021-21551, impacts version 2.3 of DBUtil, a Dell BIOS driver that allows the OS and system apps to interact with the computer's BIOS and hardware. In a report published today and shared with The Record, security firm SentinelOne said it found a vulnerability in this driver that could be abused to allow threat actors access driver functions and execute malicious code with SYSTEM and kernel-level privileges. Researchers said the DBUtil vulnerability cannot be exploited over the internet to gain access to unpatched systems remotely. Instead, threat actors who gained initial access to a computer, even to a low-level account, could abuse this bug to take full control over the compromised PC -- in what the security community typically describes as a privilege escalation vulnerability.

destinyland writes: LWN has a terrific update what's happened since the discovery of University of Minnesota researchers intentionally submitting buggy code to the Linux kernel:

The writing of a paper on this research [PDF] was not the immediate cause of the recent events; instead, it was the posting of a buggy patch originating from an experimental static-analysis tool run by another developer at UMN. That led developers in the kernel community to suspect that the effort to submit intentionally malicious patches was still ongoing. Since then, it has become apparent that this is not the case, but by the time the full story became clear, the discussion was already running at full speed.

The old saying still holds true: one should not attribute to malice that which can be adequately explained by incompetence.

On April 22, a brief statement was issued by the Linux Foundation technical advisory board (TAB) stating that, among other things, the recent patches appeared to have been submitted in good faith.

Meanwhile, the Linux Foundation and the TAB sent a letter to the UMN researchers outlining how the situation should be addressed; that letter has not been publicly posted, but ZDNet apparently got a copy from somewhere. Among other things, the letter asked for a complete disclosure of the buggy patches sent as part of the UMN project and the withdrawal of the paper resulting from this work.

In response, the UMN researchers posted an open letter apologizing to the community, followed a few days later by a summary of the work they did [PDF] as part of the "hypocrite commits" project. Five patches were submitted overall from two sock-puppet accounts, but one of those was an ordinary bug fix that was sent from the wrong account by mistake. Of the remaining four, one of them was an attempt to insert a bug that was, itself, buggy, so the patch was actually valid; the other three (1, 2, 3) contained real bugs. None of those three were accepted by maintainers, though the reasons for rejection were not always the bugs in question.

The paper itself has been withdrawn and will not be presented in May as was planned...

One of the first things that happened when this whole affair exploded was the posting by Greg Kroah-Hartman of a 190-part patch series reverting as many patches from UMN as he could find... As it happens, these "easy reverts" also needed manual review; once the initial anger passed there was little desire to revert patches that were not actually buggy. That review process has been ongoing over the course of the last week and has involved the efforts of a number of developers. Most of the suspect patches have turned out to be acceptable, if not great, and have been removed from the revert list; if your editor's count is correct, 42 patches are still set to be pulled out of the kernel...

A look at the full set of UMN patches reinforces some early impressions, though. First is that almost all of them do address some sort of real (if obscure and hard to hit) problem...

Apple has spent years reinforcing macOS with new security features to make it tougher for malware to break in. But a newly discovered vulnerability broke through most of macOS' newer security protections with a double-click of a malicious app, a feat not meant to be allowed under Apple's watch. From a report: Worse, evidence shows a notorious family of Mac malware has already been exploiting this vulnerability for months before it was subsequently patched by Apple this week. Over the years, Macs have adapted to catch the most common types of malware by putting technical obstacles in their way. macOS flags potentially malicious apps masquerading as documents that have been downloaded from the internet. And if macOS hasn't reviewed the app -- a process Apple calls notarization -- or if it doesn't recognize its developer, the app won't be allowed to run without user intervention.

But security researcher Cedric Owens said the bug he found in mid-March bypasses those checks and allows a malicious app to run. Owens told TechCrunch that the bug allowed him to build a potentially malicious app to look like a harmless document, which when opened bypasses macOS' built-in defenses when opened. "All the user would need to do is double click -- and no macOS prompts or warnings are generated," he told TechCrunch. Owens built a proof-of-concept app disguised as a harmless document that exploits the bug to launch the Calculator app, a way of demonstrating that the bug works without dropping malware. But a malicious attacker could exploit this vulnerability to remotely access a user's sensitive data simply by tricking a victim into opening a spoofed document, he explained.

The Associated Press reports: In a ruling that reversed one of the biggest miscarriages of justice in British legal history, 39 people who ran local post offices had their convictions for theft, fraud and false accounting overturned Friday because of what an appeals court said was clear evidence of "bugs, errors or defects" in an IT system.

The decision follows a years-long, complex legal battle that could see Britain's Post Office face a huge compensation bill for its failures following the installation, from 1999, of what turned out to be the defective Horizon computerized accounting system in local branches. Dozens of staff were convicted after the Fujitsu-supplied system pointed to an array of financial misdemeanors that bewildered the postal workers. Six others had their convictions quashed previously, while another 700 or so workers also are believed to have been prosecuted between 2000 and 2014... Jobs, homes and marriages were lost as a result of wrongful convictions, and some did not live long enough to see their names cleared by Britain's Court of Appeals.

Confirmation that the convictions were quashed was met with cheers and tears. A few bottles of bubbly were also popped.
Martin S. (Slashdot reader #98,249) writes, "As a software geek, the part I find most troubling is that blind faith that those in authority placed in the software without proper accounting..." The BBC reports some desperate sub-postmasters even "attempted to plug the gap with their own money, even remortgaging their homes, in an (often fruitless) attempt to correct an error."

The judge in the case complains that for years the Post Office had "consistently asserted that Horizon was robust and reliable" and "effectively steamrolled over any subpostmaster who sought to challenge its accuracy," according to an article in The Scotsman: Nick Read, Post Office chief executive said: "I am in no doubt about the human cost of the Post Office's past failures and the deep pain that has been caused to people affected. Many of those postmasters involved have been fighting for justice for a considerable length of time and sadly there are some who are not here to see the outcome today and whose families have taken forward appeals in their memory. I am very moved by their courage."

There were 73 convictions in Scotland caused by the failure. Although a total of 47 postmasters in England and Wales have had their cases referred to the Appeal Court, there has never been similar action in Scotland.

However, now the Scottish Criminal Cases Review Commission has written to the people it believes may also have been the victims of possible miscarriages of justice in Scotland relating to the Horizon computer system.

Still smarting from last month's dump of phone numbers belonging to 500 million Facebook users, the social media giant has a new privacy crisis to contend with: a tool that, on a massive scale, links Facebook accounts with their associated email addresses, even when users choose settings to keep them from being public. Wired reports: A video circulating on Tuesday showed a researcher demonstrating a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher -- who said he went public after Facebook said it didn't think the weakness he found was "important" enough to be fixed -- fed the tool a list of 65,000 email addresses and watched what happened next. "As you can see from the output log here, I'm getting a significant amount of results from them," the researcher said as the video showed the tool crunching the address list. "I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts."

The researcher [...] said that Facebook Email Search exploited a front-end vulnerability that he reported to Facebook recently but that "they [Facebook] do not consider to be important enough to be patched." Earlier this year, Facebook had a similar vulnerability that was ultimately fixed. "This is essentially the exact same vulnerability," the researcher says. "And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it."

In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings." A Facebook representative didn't respond to a question asking if the company told the researcher it didn't consider the vulnerability important enough to warrant a fix. The representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.

An anonymous reader quotes a report from Ars Technica: Hackers backed by nation-states are exploiting critical vulnerabilities in the Pulse Secure VPN to bypass two-factor authentication protections and gain stealthy access to networks belonging to a raft of organizations in the US Defense industry and elsewhere, researchers said. At least one of the security flaws is a zero-day, meaning it was unknown to Pulse Secure developers and most of the research world when hackers began actively exploiting it, security firm Mandiant said in a blog post published Tuesday. Besides CVE-2021-22893, as the zero-day is tracked, multiple hacking groups -- at least one of which likely works on behalf of the Chinese government -- are also exploiting several Pulse Secure vulnerabilities fixed in 2019 and 2020.

Used alone or in concert, the security flaws allow the hackers to bypass both single-factor and multifactor authentication protecting the VPN devices. From there, the hackers can install malware that persists across software upgrades and maintain access through webshells, which are browser-based interfaces that allow hackers to remotely control infected devices. Multiple intrusions over the past six months have hit defense, government, and financial organizations around the world, Tuesday's post reported. Separately, the US Cybersecurity and Infrastructure Security Agency said that targets also include US government agencies, critical infrastructure entities, and other private sector organizations." Mandiant said that it has uncovered "limited evidence" that tied one of the hacker groups to the Chinese government. Dubbed UNC2630, this previously unknown team is one of at least two hacking groups known to be actively exploiting the vulnerabilities. Tuesday's blog post also referred to another previously unseen group that Mandiant is calling UNC2717. In March, the group used malware Mandiant identifies as RADIALPULSE, PULSEJUMP, and HARDPULSE against Pulse Secure systems at a European organization. Pulse Secure on Tuesday published an advisory instructing users how to mitigate the currently unpatched security bug.

Geico, the second-largest auto insurer in the U.S., has fixed a security bug that let fraudsters steal customers' driver's license numbers from its website. From a report: In a data breach notice filed with the California attorney general's office, Geico said information gathered from other sources was used to "obtain unauthorized access to your driver's license number through the online sales system on our website." The insurance giant did not say how many customers were affected by the breach but said the fraudsters accessed customer driver's license numbers between January 21 and March 1. Companies are required to alert the state's attorney general's office when more than 500 state residents are affected by a security incident. Geico said it had "reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name." Many financially driven criminals target government agencies using stolen identities or data. But many U.S. states require a government ID -- like a driver's license -- to file for unemployment benefits. To get a driver's license number, fraudsters take public or previously breached data and exploit weaknesses in auto insurance websites to obtain a customer's driver's license number. That allows the fraudsters to obtain unemployment benefits in another person's name.

The Google Project Zero security team has updated its vulnerability disclosure guidelines to add a cushion of 30 days to some security bug disclosures, so end-users have enough time to patch software and prevent attackers from weaponizing bugs. From a report: This week's changes are of particular importance because a large part of the cybersecurity community has adopted Project Zero's rules as the unofficial methodology for disclosing a security bug to software vendors and then to the general public. Prior to today, Google Project Zero researchers would give software vendors 90 days to fix a security bug. When the bug was patched, or at the end of the 90 days time window, Google researchers would publish details about the bug online (on their bug tracker). Starting this week, Project Zero says it will wait 30 days before publishing any details about the bug. The reasoning behind the extra time window is to allow users of the affected products time to update their software, an operation that can usually take days or weeks in some complex corporate networks.

Hackers could take control of victims' computers just by tricking them into clicking on a Steam invite to play Counter Strike: Global Offensive, Motherboard reports, citing a bug filing review. From a report: A bug in the game engine used in Counter Strike: Global Offensive could be exploited by hackers to take full control of a target's machine. A security researcher alerted Valve about the bug in June of 2019. Valve is the maker of Source Engine, which is used by CS:GO, Team Fortress 2, and several other games. The researcher, who goes by the name Florian, said that while that the bug has been fixed in some games that use the Source engine, it is still present in CS:GO, and he demonstrated it in a call with Motherboard. Florian's correspondence with Valve occurred on HackerOne, the bug bounty platform used by the company to get reports about vulnerabilities. Valve admitted that it was being slow to respond, even though it classified the bug as "critical" in the thread with the researchers, which Motherboard reviewed. "I am honestly very disappointed because they straight up ignored me most of the time," Florian said in an online chat.

An Indian security researcher has published today proof-of-concept exploit code for a recently discovered vulnerability impacting Google Chrome, Microsoft Edge, and other Chromium-based browsers like Opera and Brave. From a report: The researcher, Rajvardhan Agarwal, told The Record today that the exploit code is for a Chromium bug that was used during the Pwn2Own hacking contest that took place last week. During the contest, security researchers Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) of Dataflow Security used a vulnerability to run malicious code inside Chrome and Edge, for which they received $100,000. Per contest rules, details about this bug were handed over to the Chrome security team so the bug could be patched as soon as possible. While details about the exact nature of the bug were never publicly disclosed, Agarwal told The Record he spotted the patches for this bug by looking at the source code commits to the V8 JavaScript engine, a component of the Chromium open-source browser project, which allowed him to recreate the Pwn2Own exploit, which he uploaded earlier today on GitHub, and shared on Twitter. However, while Chromium developers have patched the V8 bug last week, the patch has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge, and others, which are still vulnerable to attacks.

A software mistake caused a flight on Tui airlines "to take off heavier than expected," according to The Guardian, citing an investigation by the UK's Air Accidents Investigation Branch An update to the airline's reservation system while its planes were grounded due to the coronavirus pandemic led to 38 passengers on the flight being allocated a child's "standard weight" of 35kg [77 pounds] as opposed to the adult figure of 69kg [152 pounds]. This caused the load sheet — produced for the captain to calculate what inputs are needed for take-off — to state that the Boeing 737 was more than 1,200kg lighter [2,645 pounds] than it actually was.

Investigators described the glitch as "a simple flaw" in an IT system. It was programmed in an unnamed foreign country where the title "Miss" is used for a child and "Ms" for an adult female.

Despite the issue, the thrust used for the departure from Birmingham on 21 July 2020 was only "marginally less" than it should have been, and the "safe operation of the aircraft was not compromised", the AAIB said.
They're still classifying it as a "serious incident" — and also note that because of the same software glitch, two more UK flights also took off on the same day with inaccurate load sheets.

An anonymous reader quotes a report from ZDNet: A zero-day vulnerability in Zoom which can be used to launch remote code execution (RCE) attacks has been disclosed by researchers. The researchers from Computest demonstrated a three-bug attack chain that caused an RCE on a target machine, and all without any form of user interaction. As Zoom has not yet had time to patch the critical security issue, the specific technical details of the vulnerability are being kept under wraps. However, an animation of the attack in action demonstrates how an attacker was able to open the calculator program of a machine running Zoom following its exploit. As noted by Malwarebytes, the attack works on both Windows and Mac versions of Zoom, but it has not -- yet -- been tested on iOS or Android. The browser version of the videoconferencing software is not impacted. Computest researchers Daan Keuper and Thijs Alkemade earned themselves $200,000 for this Zoom discovery, as it was part of the Pwn2Own contest.

In a statement to Tom's Guide, Zoom thanked the Computest researchers and said the company was "working to mitigate this issue with respect to Zoom Chat." In-session Zoom Meetings and Zoom Video Webinars are not affected. "The attack must also originate from an accepted external contact or be a part of the target's same organizational account," Zoom added. "As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust."

Ashkan Soltani was the Chief Technologist of America's Federal Trade Commission in 2014 — and earlier was a staff technologist in its Division of Privacy and Identity Protection helping investigate tech companies including Google and Facebook

Friday on Twitter he accused another group of privacy violations: the nonprofit rights organization, the American Civil Liberties Union. Yesterday, the ACLU updated their privacy statement to finally disclose that they share constituent information with 'service providers' like Facebook for targeted advertising, flying in the face of the org's public advocacy and statements.

In fact, I was retained by the ACLU last summer to perform a privacy audit after concerns were raised internally regarding their data sharing practices. I only agreed to do this work on the promisee by ACLU's Executive Director that the findings would be made public. Unfortunately, after reviewing my findings, the ACLU decided against publishing my report and instead sat on it for ~6 months before quietly updating their terms of service and privacy policy without explanation for the context or motivations for doing so. While I'm bound by a nondisclosure agreement to not disclose the information I uncovered or my specific findings, I can say with confidence that the ACLU's updated privacy statements do not reflect the full picture of their practices.

For example, public transparency data from Google shows that the ACLU has paid Google nearly half a million dollars to deliver targeted advertisements since 2018 (when the data first was made public). The ACLU also opted to only disclose its advertising relationship with Facebook only began in 2021, when in truth, the relationship spans back years totaling over $5 million in ad-spend. These relationships fly against the principles and public statements of the ACLU regarding transparency, control, and disclosure before use, even as the organization claims to be a strong advocate for privacy rights at the federal and state level. In fact, the NY Attorney General conducted an inquiry into whether the ACLU had violated its promises to protect the privacy of donors and members in 2004. The results of which many aren't aware of. And to be clear, the practices described would very much constitute a 'sale' of members' PII under the California Privacy Rights Act (CPRA).

The irony is not lost on me that the ACLU vehemently opposed the CPRA — the toughest state privacy law in the country — when it was proposed. While I have tremendous respect for the work the ACLU and other NGOs do, it's important that nonprofits are bound by the same privacy standards they espouse for everyone else. (Full disclosure: I'm on the EFF advisory board and was recently invited to join EPIC's board.)

My experience with the ACLU further amplifies the need to have strong legal privacy protections that apply to nonprofits as well as businesses — partially since many of the underlying practices, particularly in the area of fundraising and advocacy, are similar if not worse.
Soltani also re-tweeted an interesting response from Alex Fowler, a former EFF VP who was also Mozilla's chief privacy officer for three years: I'm reminded of EFF co-founder John Gilmore telling me about the Coders' Code: If you find a bug or vulnerability, tell the coder. If coder ignores you or refuses to fix the issue, tell the users.

"OpenSSL, the most widely used software library for implementing website and email encryption, has patched a high-severity vulnerability that makes it easy for hackers to completely shut down huge numbers of servers," reports Ars Technica: On Thursday, OpenSSL maintainers disclosed and patched a vulnerability that causes servers to crash when they receive a maliciously crafted request from an unauthenticated end user. CVE-2021-3449, as the denial-of-server vulnerability is tracked, is the result of a null pointer dereference bug. Cryptographic engineer Filippo Valsorda said on Twitter that the flaw could probably have been discovered earlier than now.

"Anyway, sounds like you can crash most OpenSSL servers on the Internet today," he added.

Hackers can exploit the vulnerability by sending a server a maliciously formed renegotiating request during the initial handshake that establishes a secure connection between an end user and a server... The maintainers have rated the severity high. Researchers reported the vulnerability to OpenSSL on March 17. Nokia developers Peter Kästle and Samuel Sapalski provided the fix.
Ars Technica also reports that OpenSSL "fixed a separate vulnerability that, in edge cases, prevented apps from detecting and rejecting TLS certificates that aren't digitally signed by a browser-trusted certificate authority."

Microsoft has once again reiterated that VR support for Xbox was not a focus for the company, following reports earlier today that hinted it was working on a VR headset compatible with the Xbox Series X/S. The Verge reports: The rumor first surfaced after IGN Italy reported that some Italian Xbox users received messages, which translated to "[a]n update for the VR headset is available" and "[u]pdate VR headset," when connecting the recently released Xbox Wireless Headset to their Xbox Series X or Series S consoles. A Microsoft representative told The Verge that "the copy in this error message is inaccurate due to a localization bug," while again reiterating that "VR for console is not a focus for us at this time."

Microsoft has yet to explore the VR space for its Xbox consoles. In 2018, the company pulled back on plans to support virtual reality headsets for Xbox in 2018, explaining that it wanted to focus "primarily on experiences you would play on your TV." In late 2019, Xbox boss Phil Spencer tweeted out that although he played "some great VR games" such as Half-Life: Alyx, console VR was not Xbox's focus ahead of the Xbox Series X / S release.

Firefox's "Compact density" option, which reduces the size of the user interface, is set to disappear when Mozilla rolls out its Proton visual redesign for the browser later this year. PCMag reports: A bug was posted on Mozilla's bug tracking system entitled "Remove compact mode inside Density menu of customize palette." The reasons given for its removal include the fact it's "currently fairly hard to discover" and "we assume gets low engagement." The development team wants to "make sure that we design defaults that suit most users and we'll be retiring the compact mode for this reason." The Bugzilla thread highlights a desire for compact density to be retained as an option, but it doesn't seem likely to survive right now.

When Proton arrives, the Normal and Touch density options are expected to remain, with Touch increasing the size of the user interface to make it more finger-friendly. Meanwhile, the development team is optimizing the Normal density for displays that use 768 pixels for height, while most displays now use a higher resolution than that. Hopefully this doesn't mean the UI will be larger than it is now by default.

"If you want a 12 hour break from Twitter just tweet this city name and you will be immediately locked," Swift on Security tweeted today.

"A bug on Twitter is causing users to become temporarily suspended if they tweet the word 'Memphis,'" BleepingComputer has confirmed: This bug started today after users tweeting about the Tennessee city, sports teams, or players suddenly found that they were temporarily suspended for 12 hours after Tweeting the word Memphis.
Several tweets are already mocking the phenomenon...

"Three recently unearthed vulnerabilities in the Linux kernel, located in the iSCSI module used for accessing shared data storage facilities, could allow root privileges to anyone with a user account," reports SC Media: "If you already had execution on a box, either because you have a user account on the machine, or you've compromised some service that doesn't have repaired permissions, you can do whatever you want basically," said Adam Nichols, principal of the Software Security practice at GRIMM. While the vulnerabilities "are in code that is not remotely accessible, so this isn't like a remote exploit," said Nichols, they are still troublesome. They take "any existing threat that might be there. It just makes it that much worse," he explained. "And if you have users on the system that you don't really trust with root access it, it breaks them as well."

Referring to the theory that 'many eyes make all bugs shallow,' Linux code "is not getting many eyes or the eyes are looking at it and saying that seems fine," said Nichols. "But, [the bugs] have been in there since the code was first written, and they haven't really changed over the last 15 years...." That the flaws slipped detection for so long has a lot to do with the sprawl of the the Linux kernel. It "has gotten so big" and "there's so much code there," said Nichols. "The real strategy is make sure you're loading as little code as possible."

The bugs are in all Linux distributions, Nichols said, although the kernel driver is not loaded by default. Whether a normal user can load the vulnerable kernel module varies. They can, for instance, on all Red Hat based distros that GRIMM tested, he said. "Even though it's not loaded by default, you can get it loaded and then of course you can exploit it without any trouble...."

The bugs have been patched in the following kernel releases: 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260. All older kernels are end-of- life and will not receive patches.