Version 9.4 of the GNU Compiler Collection "encompasses more than 190 bug fixes for GCC 9.3, which has been available since March 2020," reports DevClass.

But they add that in addition, "Developers who want to contribute to the GNU Compiler Collection but don't feel like signing over copyright to the Free Software Foundation can get busy committing now." GCC Steering Committee member David Edelsohn informed contributors via the mailing list that the committee "decided to relax the requirement to assign copyright for all changes" to the FSF. Speaking for the committee, he wrote that the GCC project "will now accept contributions with or without an FSF copyright assignment", a practice thought of as consistent with that "of many other major Free Software projects, such as the Linux kernel". GCC "will continue to be developed, distributed and licensed" under the GPLv3, so nothing should change for those adding to the project under the old assumptions.

There are those who have had troubles with that arrangement before, with Apple often cited as a popular example. They are now free to contribute utilising the Developer Certificate of Origin instead of agreeing to an FSF Copyright Assignment.

A reason was not given, though the last sentence of the statement, which affirms the principles of Free Software, might give a clue. In March 2021, the committee commented on the removal of Richard Stallman from the project's steering committee website with a similar declaration... [T]hey felt like an association with Stallman was not serving the best interests of the GCC developers and user community, given that the "GCC Steering Committee is committed to providing a friendly, safe and welcoming environment for all."
The Register notes that Red Hat senior principal engineer Mark Wielaard asked why there was no public discussion before making the change.

"Just days after violent conflict erupted in Israel and the Palestinian territories, both Facebook and Twitter copped to major faux pas: The companies had wrongly blocked or restricted millions of mostly pro-Palestinian posts and accounts related to the crisis," reports the Washington Post: Activists around the world charged the companies with failing a critical test: whether their services would enable the world to watch an important global event unfold unfettered through the eyes of those affected. The companies blamed the errors on glitches in artificial intelligence software.

In Twitter's case, the company said its service mistakenly identified the rapid-firing tweeting during the confrontations as spam, resulting in hundreds of accounts being temporarily locked and the tweets not showing up when searched for. Facebook-owned Instagram gave several explanations for its problems, including a software bug that temporarily blocked video-sharing and saying its hate speech detection software misidentified a key hashtag as associated with a terrorist group.

The companies said the problems were quickly resolved and the accounts restored. But some activists say many posts are still being censored. Experts in free speech and technology said that's because the issues are connected to a broader problem: overzealous software algorithms that are designed to protect but end up wrongly penalizing marginalized groups that rely on social media to build support... Despite years of investment, many of the automated systems built by social media companies to stop spam, disinformation and terrorism are still not sophisticated enough to detect the difference between desirable forms of expression and harmful ones. They often overcorrect, as in the most recent errors during the Israeli-Palestinian conflict, or they under-enforce, allowing harmful misinformation and violent and hateful language to proliferate...

Jillian York, a director at the Electronic Frontier Foundation, an advocacy group that opposes government surveillance, has researched tech company practices in the Middle East. She said she doesn't believe that content moderation — human or algorithmic — can work at scale... Palestinian activists and experts who study social movements say it was another watershed historical moment in which social media helped alter the course of events...

Payment app Venmo also mistakenly suspended transactions of humanitarian aid to Palestinians during the war. The company said it was trying to comply with U.S. sanctions and had resolved the issues.

After 17 years underground, the Brood X periodical cicadas are slowly emerging in 15 states across the East Coast and Midwest. From a report: They'll shed their skins and spend four to six weeks mating before the females lay eggs and they all die. But some of them are getting wilder in their short lives above ground. A fungus called Massospora, which can produce compounds of cathinone -- an amphetamine -- infects a small number of them and makes them lose control. The fungus takes over their bodies, causing them to lose their lower abdomen and genitals. And it pushes their mating into hyperdrive.

"This is stranger than fiction," Matt Kasson, an associate professor of forest pathology and mycology at West Virginia University, tells NPR's All Things Considered. "To have something that's being manipulated by a fungus, to be hypersexual and to have prolonged stamina and just mate like crazy." Kasson, who has been studying Massospora for about five years, says just before the cicadas rise from the ground, the spores of the fungus start to infect the bug. Once it's above ground and starts to shed its skin to become an adult, its butt falls off. Then a "white plug of fungus" starts to grow in its place.

A software bug that's now been fixed allowed some Eufycam owners to stream video from strangers' homes instead of their own. The Register reports: These 1080p Wi-Fi-connected devices are made by Anker, and are designed to be used indoors and outdoors. They can record to microSD cards and/or the cloud, and viewable via a mobile app. On Monday, some users found themselves staring at feeds from other people's homes -- even those in other countries -- and feared they were being watched, too. The privacy breakdown sparked an eruption of complaints on Reddit and Anker's support forum.

A spokesperson for Anker told us just a small number of customers were affected: "Due to a software bug during our latest server upgrade at 4:50 AM EST today, a limited number (0.001 per cent) of our users were able to access video feeds from other users' cameras. Our engineering team recognized this issue at around 5:30 AM EST, and quickly got it fixed by 6:30AM EST." We're told customers in the US, New Zealand, Australia, Cuba, Mexico, Brazil, and Argentina were affected though not GDPR-armed Europe. "We realize that as a security company we didn't do good enough," the spokesperson added. "We are sorry we fell short here and are working on new security protocols and measures to make sure that this never happens again." Eufy recommends users unplug and then reconnect their devices, log out of the Eufy security app, and log in again to fix the issue.

New submitter imcdona writes: VideoLan has released VLC Media Player 3.0.14 to fix an issue affecting Window users and causing the widely-used software's auto-updater not to launch the new version's installer automatically. "VLC users on Windows might encounter issues when trying to auto update VLC from version 3.0.12 and 3.0.13," VideoLan explained."We are publishing version 3.0.14 to address this problem for future updates."

This issue is caused by a bug introduced in the automatic updater code of VLC 3.0.12 and fixed with the release of VLC 3.0.14. Because of this bug, VLC updates are downloaded to the users' computers, verified for integrity, but will not be installed as the auto-updater fails to launch the VLC 3.0.14 installer.

Around a third of all smartphones in the world are believed to be affected by a new vulnerability in a Qualcomm modem component that can grant attackers access to the device's call and SMS history and even audio conversations. From a report: The vulnerability -- tracked as CVE-2020-11292 -- resides in the Qualcomm mobile station modem (MSM), a chip that allows devices to connect to mobile networks. First designed in the early 90s, the chip has been updated across the years to support 2G, 3G, 4G, and 5G cellular communications and has slowly become one of the world's most ubiquitous technologies, especially with smartphone vendors.

Devices that use Qualcomm MSM chips today include high-end smartphone models sold by Google, Samsung, LG, Xiaomi, and OnePlus, just to name a few. But in a report published today by Israeli security firm Check Point, the company said its researchers found a vulnerability in Qualcomm MSM Interface (QMI), the protocol that allows the chip to communicate with the smartphone's operating system. Researches said that malformed Type-Length-Value (TLV) packets received by the MSM component via the QMI interface could trigger a memory corruption (buffer overflow) that can allow attackers to run their own code.

A Windows Defender bug creates thousands of small files that waste gigabytes of storage space on Windows 10 hard drives. BleepingComputer reports: The bug started with Windows Defender antivirus engine 1.1.18100.5 and will cause the C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store folder to be filled up with thousands of files with names that appear to be MD5 hashes. From a system seen by BleepingComputer, the created files range in size from 600 bytes to a little over 1KB. While the system we looked at only had approximately 1MB of files, other Windows 10 users report that their systems have been filled up with hundreds of thousands of files, which in one case, used up 30GB of storage space. On smaller SSD system drives (C:), this can be a considerable amount of storage space to waste on unnecessary files. According to Deskmodder, who first reported on this issue, the bug has now been fixed in the latest Windows Defender engine, version 1.1.18100.6.

Zack Whittaker, reporting for TechCrunch: Halfway through my Monday afternoon workout last week, I got a message from a security researcher with a screenshot of my Peloton account data. My Peloton profile is set to private and my friend's list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users' private account data directly from Peloton's servers, even with their profile set to private. Peloton, the at-home fitness brand synonymous with its indoor stationary bike and beleaguered treadmills, has more than three million subscribers. Even President Biden is said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes.

As Biden was inaugurated (and his Peloton moved to the White House -- assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton's API for user account data without it checking to make sure the person was allowed to request it. (An API allows two things to talk to each other over the internet, like a Peloton bike and the company's servers storing user data.) But the exposed API let him -- and anyone else on the internet -- access a Peloton user's age, gender, city, weight, workout statistics and, if it was the user's birthday, details that are hidden when users' profile pages are set to private. Masters reported the leaky API to Peloton on January 20 with a 90-day deadline to fix the bug, the standard window time that security researchers give to companies to fix bugs before details are made public. But that deadline came and went, the bug wasn't fixed and Masters hadn't heard back from the company, aside from an initial email acknowledging receipt of the bug report. In some other Peloton news: Peloton recalls all treadmills after reported injuries, death.

Berkshire Hathaway is trading at more than $421,000 per Class A share, and the market is optimistic. That's a problem. From a report: The price has grown so high, it has nearly hit the maximum number that can be stored in one common way exchange computers handle digits. On Tuesday, Nasdaq temporarily suspended broadcasting prices for Class A shares of Berkshire over several popular data feeds. Such feeds provide real-time price updates for a number of online brokerages and finance websites. Nasdaq's computers can only count so high because of the compact digital format they use for communicating prices. The biggest number they can handle is $429,496.7295. Nasdaq is rushing to finish an upgrade later this month that would fix the problem. It isn't just Nasdaq.

Another exchange operator, IEX Group Inc., said in March that it would stop accepting investors' orders in Class A shares of Berkshire Hathaway "due to an internal price limitation within the trading system." It's the stock-market version of the Y2K bug. And it's becoming an increasingly urgent issue as shares of Warren Buffett's company have risen more than 20% this year, buoyed by a rising market and a return to profitability after fallout from the Covid-19 pandemic in 2020. Here's the trouble: Nasdaq and some other market operators record stock prices in a compact computer format that uses 32 bits, or ones and zeros. The biggest number possible is two to the 32nd power minus one, or 4,294,967,295. Stock prices are frequently stored using four decimal places, so the highest possible price is $429,496.7295. No other stock is anywhere near Berkshire Class A's stratospheric price levels, so it is understandable why the engineers behind Nasdaq's and IEX's systems chose the number format, which programmers call a four-byte unsigned integer.

A biotechnology firm has released genetically modified mosquitoes into the United States for the first time. Long-time Slashdot reader clovis shares the report via Nature: The experiment, launched this week in the Florida Keys -- over the objections of some local critics -- tests a method for suppressing populations of wild Aedes aegypti mosquitoes, which can carry diseases such as Zika, dengue, chikungunya and yellow fever. [...] Aedes aegypti makes up about 4% of the mosquito population in the Keys, a chain of tropical islands off the southern tip of Florida. But it is responsible for practically all mosquito-borne disease transmitted to humans in the region, according to the Florida Keys Mosquito Control District (FKMCD), which is working closely with Oxitec on the project. [...] In late April of this year, project researchers placed boxes containing Oxitec's mosquito eggs at six locations in three areas of the Keys. The first males are expected to emerge within the first two weeks of May. About 12,000 males will exit the boxes each week over the next 12 weeks. In a second phase later this year, intended to collect even more data, nearly 20 million mosquitoes will emerge over a period of about 16 weeks, according to Oxitec. "There is the usual opposition of the 'It's GMO, so it should not be done' variety," adds clovis. "As for ecological food chain considerations, one should know that aedes aegypti is not native to the western hemisphere. It is believed to have been imported from Africa during the slave trade era."

Hundreds of millions of Dell desktops, laptops, notebooks, and tablets will need to update their Dell DBUtil driver to fix a 12-year-old vulnerability that exposes systems to attacks. From a report: The bug, tracked as CVE-2021-21551, impacts version 2.3 of DBUtil, a Dell BIOS driver that allows the OS and system apps to interact with the computer's BIOS and hardware. In a report published today and shared with The Record, security firm SentinelOne said it found a vulnerability in this driver that could be abused to allow threat actors access driver functions and execute malicious code with SYSTEM and kernel-level privileges. Researchers said the DBUtil vulnerability cannot be exploited over the internet to gain access to unpatched systems remotely. Instead, threat actors who gained initial access to a computer, even to a low-level account, could abuse this bug to take full control over the compromised PC -- in what the security community typically describes as a privilege escalation vulnerability.

destinyland writes: LWN has a terrific update what's happened since the discovery of University of Minnesota researchers intentionally submitting buggy code to the Linux kernel:

The writing of a paper on this research [PDF] was not the immediate cause of the recent events; instead, it was the posting of a buggy patch originating from an experimental static-analysis tool run by another developer at UMN. That led developers in the kernel community to suspect that the effort to submit intentionally malicious patches was still ongoing. Since then, it has become apparent that this is not the case, but by the time the full story became clear, the discussion was already running at full speed.

The old saying still holds true: one should not attribute to malice that which can be adequately explained by incompetence.

On April 22, a brief statement was issued by the Linux Foundation technical advisory board (TAB) stating that, among other things, the recent patches appeared to have been submitted in good faith.

Meanwhile, the Linux Foundation and the TAB sent a letter to the UMN researchers outlining how the situation should be addressed; that letter has not been publicly posted, but ZDNet apparently got a copy from somewhere. Among other things, the letter asked for a complete disclosure of the buggy patches sent as part of the UMN project and the withdrawal of the paper resulting from this work.

In response, the UMN researchers posted an open letter apologizing to the community, followed a few days later by a summary of the work they did [PDF] as part of the "hypocrite commits" project. Five patches were submitted overall from two sock-puppet accounts, but one of those was an ordinary bug fix that was sent from the wrong account by mistake. Of the remaining four, one of them was an attempt to insert a bug that was, itself, buggy, so the patch was actually valid; the other three (1, 2, 3) contained real bugs. None of those three were accepted by maintainers, though the reasons for rejection were not always the bugs in question.

The paper itself has been withdrawn and will not be presented in May as was planned...

One of the first things that happened when this whole affair exploded was the posting by Greg Kroah-Hartman of a 190-part patch series reverting as many patches from UMN as he could find... As it happens, these "easy reverts" also needed manual review; once the initial anger passed there was little desire to revert patches that were not actually buggy. That review process has been ongoing over the course of the last week and has involved the efforts of a number of developers. Most of the suspect patches have turned out to be acceptable, if not great, and have been removed from the revert list; if your editor's count is correct, 42 patches are still set to be pulled out of the kernel...

A look at the full set of UMN patches reinforces some early impressions, though. First is that almost all of them do address some sort of real (if obscure and hard to hit) problem...

Apple has spent years reinforcing macOS with new security features to make it tougher for malware to break in. But a newly discovered vulnerability broke through most of macOS' newer security protections with a double-click of a malicious app, a feat not meant to be allowed under Apple's watch. From a report: Worse, evidence shows a notorious family of Mac malware has already been exploiting this vulnerability for months before it was subsequently patched by Apple this week. Over the years, Macs have adapted to catch the most common types of malware by putting technical obstacles in their way. macOS flags potentially malicious apps masquerading as documents that have been downloaded from the internet. And if macOS hasn't reviewed the app -- a process Apple calls notarization -- or if it doesn't recognize its developer, the app won't be allowed to run without user intervention.

But security researcher Cedric Owens said the bug he found in mid-March bypasses those checks and allows a malicious app to run. Owens told TechCrunch that the bug allowed him to build a potentially malicious app to look like a harmless document, which when opened bypasses macOS' built-in defenses when opened. "All the user would need to do is double click -- and no macOS prompts or warnings are generated," he told TechCrunch. Owens built a proof-of-concept app disguised as a harmless document that exploits the bug to launch the Calculator app, a way of demonstrating that the bug works without dropping malware. But a malicious attacker could exploit this vulnerability to remotely access a user's sensitive data simply by tricking a victim into opening a spoofed document, he explained.

The Associated Press reports: In a ruling that reversed one of the biggest miscarriages of justice in British legal history, 39 people who ran local post offices had their convictions for theft, fraud and false accounting overturned Friday because of what an appeals court said was clear evidence of "bugs, errors or defects" in an IT system.

The decision follows a years-long, complex legal battle that could see Britain's Post Office face a huge compensation bill for its failures following the installation, from 1999, of what turned out to be the defective Horizon computerized accounting system in local branches. Dozens of staff were convicted after the Fujitsu-supplied system pointed to an array of financial misdemeanors that bewildered the postal workers. Six others had their convictions quashed previously, while another 700 or so workers also are believed to have been prosecuted between 2000 and 2014... Jobs, homes and marriages were lost as a result of wrongful convictions, and some did not live long enough to see their names cleared by Britain's Court of Appeals.

Confirmation that the convictions were quashed was met with cheers and tears. A few bottles of bubbly were also popped.
Martin S. (Slashdot reader #98,249) writes, "As a software geek, the part I find most troubling is that blind faith that those in authority placed in the software without proper accounting..." The BBC reports some desperate sub-postmasters even "attempted to plug the gap with their own money, even remortgaging their homes, in an (often fruitless) attempt to correct an error."

The judge in the case complains that for years the Post Office had "consistently asserted that Horizon was robust and reliable" and "effectively steamrolled over any subpostmaster who sought to challenge its accuracy," according to an article in The Scotsman: Nick Read, Post Office chief executive said: "I am in no doubt about the human cost of the Post Office's past failures and the deep pain that has been caused to people affected. Many of those postmasters involved have been fighting for justice for a considerable length of time and sadly there are some who are not here to see the outcome today and whose families have taken forward appeals in their memory. I am very moved by their courage."

There were 73 convictions in Scotland caused by the failure. Although a total of 47 postmasters in England and Wales have had their cases referred to the Appeal Court, there has never been similar action in Scotland.

However, now the Scottish Criminal Cases Review Commission has written to the people it believes may also have been the victims of possible miscarriages of justice in Scotland relating to the Horizon computer system.

Still smarting from last month's dump of phone numbers belonging to 500 million Facebook users, the social media giant has a new privacy crisis to contend with: a tool that, on a massive scale, links Facebook accounts with their associated email addresses, even when users choose settings to keep them from being public. Wired reports: A video circulating on Tuesday showed a researcher demonstrating a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher -- who said he went public after Facebook said it didn't think the weakness he found was "important" enough to be fixed -- fed the tool a list of 65,000 email addresses and watched what happened next. "As you can see from the output log here, I'm getting a significant amount of results from them," the researcher said as the video showed the tool crunching the address list. "I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts."

The researcher [...] said that Facebook Email Search exploited a front-end vulnerability that he reported to Facebook recently but that "they [Facebook] do not consider to be important enough to be patched." Earlier this year, Facebook had a similar vulnerability that was ultimately fixed. "This is essentially the exact same vulnerability," the researcher says. "And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it."

In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings." A Facebook representative didn't respond to a question asking if the company told the researcher it didn't consider the vulnerability important enough to warrant a fix. The representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.

An anonymous reader quotes a report from Ars Technica: Hackers backed by nation-states are exploiting critical vulnerabilities in the Pulse Secure VPN to bypass two-factor authentication protections and gain stealthy access to networks belonging to a raft of organizations in the US Defense industry and elsewhere, researchers said. At least one of the security flaws is a zero-day, meaning it was unknown to Pulse Secure developers and most of the research world when hackers began actively exploiting it, security firm Mandiant said in a blog post published Tuesday. Besides CVE-2021-22893, as the zero-day is tracked, multiple hacking groups -- at least one of which likely works on behalf of the Chinese government -- are also exploiting several Pulse Secure vulnerabilities fixed in 2019 and 2020.

Used alone or in concert, the security flaws allow the hackers to bypass both single-factor and multifactor authentication protecting the VPN devices. From there, the hackers can install malware that persists across software upgrades and maintain access through webshells, which are browser-based interfaces that allow hackers to remotely control infected devices. Multiple intrusions over the past six months have hit defense, government, and financial organizations around the world, Tuesday's post reported. Separately, the US Cybersecurity and Infrastructure Security Agency said that targets also include US government agencies, critical infrastructure entities, and other private sector organizations." Mandiant said that it has uncovered "limited evidence" that tied one of the hacker groups to the Chinese government. Dubbed UNC2630, this previously unknown team is one of at least two hacking groups known to be actively exploiting the vulnerabilities. Tuesday's blog post also referred to another previously unseen group that Mandiant is calling UNC2717. In March, the group used malware Mandiant identifies as RADIALPULSE, PULSEJUMP, and HARDPULSE against Pulse Secure systems at a European organization. Pulse Secure on Tuesday published an advisory instructing users how to mitigate the currently unpatched security bug.

Geico, the second-largest auto insurer in the U.S., has fixed a security bug that let fraudsters steal customers' driver's license numbers from its website. From a report: In a data breach notice filed with the California attorney general's office, Geico said information gathered from other sources was used to "obtain unauthorized access to your driver's license number through the online sales system on our website." The insurance giant did not say how many customers were affected by the breach but said the fraudsters accessed customer driver's license numbers between January 21 and March 1. Companies are required to alert the state's attorney general's office when more than 500 state residents are affected by a security incident. Geico said it had "reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name." Many financially driven criminals target government agencies using stolen identities or data. But many U.S. states require a government ID -- like a driver's license -- to file for unemployment benefits. To get a driver's license number, fraudsters take public or previously breached data and exploit weaknesses in auto insurance websites to obtain a customer's driver's license number. That allows the fraudsters to obtain unemployment benefits in another person's name.

The Google Project Zero security team has updated its vulnerability disclosure guidelines to add a cushion of 30 days to some security bug disclosures, so end-users have enough time to patch software and prevent attackers from weaponizing bugs. From a report: This week's changes are of particular importance because a large part of the cybersecurity community has adopted Project Zero's rules as the unofficial methodology for disclosing a security bug to software vendors and then to the general public. Prior to today, Google Project Zero researchers would give software vendors 90 days to fix a security bug. When the bug was patched, or at the end of the 90 days time window, Google researchers would publish details about the bug online (on their bug tracker). Starting this week, Project Zero says it will wait 30 days before publishing any details about the bug. The reasoning behind the extra time window is to allow users of the affected products time to update their software, an operation that can usually take days or weeks in some complex corporate networks.

Hackers could take control of victims' computers just by tricking them into clicking on a Steam invite to play Counter Strike: Global Offensive, Motherboard reports, citing a bug filing review. From a report: A bug in the game engine used in Counter Strike: Global Offensive could be exploited by hackers to take full control of a target's machine. A security researcher alerted Valve about the bug in June of 2019. Valve is the maker of Source Engine, which is used by CS:GO, Team Fortress 2, and several other games. The researcher, who goes by the name Florian, said that while that the bug has been fixed in some games that use the Source engine, it is still present in CS:GO, and he demonstrated it in a call with Motherboard. Florian's correspondence with Valve occurred on HackerOne, the bug bounty platform used by the company to get reports about vulnerabilities. Valve admitted that it was being slow to respond, even though it classified the bug as "critical" in the thread with the researchers, which Motherboard reviewed. "I am honestly very disappointed because they straight up ignored me most of the time," Florian said in an online chat.

An Indian security researcher has published today proof-of-concept exploit code for a recently discovered vulnerability impacting Google Chrome, Microsoft Edge, and other Chromium-based browsers like Opera and Brave. From a report: The researcher, Rajvardhan Agarwal, told The Record today that the exploit code is for a Chromium bug that was used during the Pwn2Own hacking contest that took place last week. During the contest, security researchers Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) of Dataflow Security used a vulnerability to run malicious code inside Chrome and Edge, for which they received $100,000. Per contest rules, details about this bug were handed over to the Chrome security team so the bug could be patched as soon as possible. While details about the exact nature of the bug were never publicly disclosed, Agarwal told The Record he spotted the patches for this bug by looking at the source code commits to the V8 JavaScript engine, a component of the Chromium open-source browser project, which allowed him to recreate the Pwn2Own exploit, which he uploaded earlier today on GitHub, and shared on Twitter. However, while Chromium developers have patched the V8 bug last week, the patch has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge, and others, which are still vulnerable to attacks.