Bug

Millions of Fruit Flies Will Be Dropped On Los Angeles (thehill.com)

"Earlier this month, the California Department of Food and Agriculture quarantined 69 square miles of metro L.A. after invasive and destructive Mediterranean fruit flies were found at a home in the Leimert Park neighborhood," notes The Hill. Officials are now planning to use small planes to drop millions of fruit flies over Los Angeles in an effort to eradicate an invasive and destructive species of the insects. From the report: Jay Van Rein, a spokesperson for the CDFA, told SFGATE that officials plan to drop approximately 250,000 sterile male fruit flies per square mile in the quarantine area every week for six months, or perhaps longer. The sterile males mate with the females, which fail to produce offspring, reducing the population over time. Van Rein says the Preventative Release Program (PRP), as it's called, has been used effectively to manage invasive species since 1996.

The quarantine radius includes parts of downtown and South L.A., Hyde Park, Baldwin Hills, Culver City, Inglewood, Pico-Robertson and Mid-Wilshire. Those who live within the zone are urged not to transport any fruits or vegetables from their property and to double-bag them in plastic before tossing them in the trash. The Mediterranean fruit fly is very tiny -- only about 1/4 inch in length -- but it can potentially cause hundreds of millions of dollars in damage to crops if left unchecked, officials said. When a female lays eggs in a fruit or vegetable, they hatch into maggots that tunnel through it and cause rot.

Bug

Asahi Linux Goes From Apple Silicon Port Project To macOS Bug Hunters (theregister.com)

Richard Speed reports via The Register: Asahi Linux, a project to port Linux to Apple Silicon Macs, has reported a combination of bugs in Apple's macOS that could leave users with hardware in a difficult-to-recover state. The issues revolve around how recent versions of macOS handle refresh rates, and MacBook Pro models with ProMotion displays (the 14 and 16-inch versions) are affected. According to the Asahi team, the bugs lurk in the upgrade and boot process and, when combined, can create a condition where a machine always boots to a black screen, and a Device Firmware Update (DFU) recovery is needed.

Asahi Linux's techies have looked into the issue, having first suspected it had something to do with either having an Asahi Linux installation on a Mac and then upgrading to macOS Sonoma or installing Asahi Linux after a Sonoma upgrade. However, the issue appears to be unconnected to the project. The team said: "As far as we can tell, ALL users who upgraded to Sonoma the normal way have an out-of-date or even broken System RecoveryOS, and in particular MacBook Pro 14" and 16" owners are vulnerable to ending up with a completely unbootable system." While this might sound alarming, the team was at pains to assure users that data was not at risk and only certain versions of macOS were affected -- Sonoma 14.0+ and Ventura 13.6+.

The first bug is related to macOS Sonoma using the previously installed version as System Recovery, which can cause problems when an older RecoveryOS runs into newer firmware. The second occurs if a display is configured to a refresh rate other than ProMotion. According to the Asahi Linux team, the system will no longer be able to boot into old macOS installs or Asahi Linux. "This includes recovery mode when those systems are set as the default boot OS, and also System Recovery at least until the next subsequent OS upgrade."

The team noted: "Even users with just 13.6 installed single-boot are affected by this issue (no Asahi Linux needed).

"We do not understand how Apple managed to release an OS update that, when upgraded to normally, leaves machines unbootable if their display refresh rate is not the default. This seems to have been a major QA oversight by Apple."

Android

Google Promises a Rescue Patch For Android 14's 'Ransomware' Bug (arstechnica.com)

Google says it'll issue a system update to fix a major storage bug in Android 14 that has caused some users to be locked out of their devices. Ars Technica reports: Apparently one more round of news reports was enough to get the gears moving at Google. Over the weekend the Issue tracker bug has been kicked up from a mid-level "P2" priority to "P0," the highest priority on the issue tracker. The bug has been assigned to someone now, and Googlers have jumped into the thread to make official statements that Google is looking into the matter. Here's the big post from Google on the bug tracker [...]. The highlights here are that Google says the bug affects devices with multiple Android users, not multiple Google accounts or (something we thought originally) users with work profiles. Setting up multiple users means going to the system settings, then "Multiple users," then "Allow multiple users," and you can add a user other than the default one. If you do this, you'll have a user switcher at the bottom of the quick settings. Multiple users all have separate data, separate apps, and separate Google accounts. Child users are probably the most popular reason to use this feature since you can lock kids out of things, like purchasing apps.

Shipping a Google Play system update as a quick Band-Aid is an interesting solution, but as Google's post suggests, this doesn't mean the problem is fixed. Play system updates (these are alternatively called Project Mainline or APEX modules) allow Google to update core system components via the Play Store, but they are really not meant for critical fixes. The big problem is that the Play system updates don't aggressively apply themselves or even let you know they have been downloaded. They just passively, silently wait for a reboot to happen so they can apply. For Pixel users, it feels like the horse has already left the barn anyway -- like most Pixel phones have automatically applied the nearly 13-day-old update by now. Users can force Play system updates to happen themselves by going to the system settings, then "Security & Privacy," then "System & updates," then "Google Play system update." If you have an update, you'll be prompted to reboot the phone. Also note that this differs from the usual OS update checker location, which is in system settings, then "System," then "System update." The system update screen will happily tell you "Your system is up to date" even if you have a pending Google Play system update. It would be great to have a single location for OS updates, Google Play System/Mainline updates, and app updates, but they are scattered everywhere and give conflicting "up to date" messages.

Android

Android 14 Storage Bug Has Users Locked Out of Their Devices (www.opp.today)

An anonymous reader quotes a report from OPP.Today: Android 14, the latest operating system from Google, is facing a major storage bug that is causing users to be locked out of their devices. This issue is particularly affecting users who utilize the "multiple profiles" feature. Reports suggest that the bug is comparable to being hit with "ransomware," as users are unable to access their device storage. Initially, it was believed that this bug was limited to the Pixel 6, but it has since been discovered that it impacts a wider range of devices upgrading to Android 14. This includes the Pixel 6, 6a, 7, 7a, Pixel Fold, and Pixel Tablet. The Google issue tracker for this bug has garnered over 350 replies, but there has been no response from Google so far. The bug has been assigned the medium priority level of "P2" and remains unassigned, indicating that no one is actively investigating it.

Users who have encountered this storage bug have shared log files containing concerning messages such as "Failed to open directory /data/media/0: Structure needs cleaning." This issue leads to various problematic situations, with some users experiencing boot loops, others stuck on a "Pixel is starting..." message, and some unable to take screenshots or access their camera app due to the lack of storage. Users are also unable to view files on their devices from a PC over USB, and the System UI and Settings repeatedly crash. Essentially, without storage, the device becomes practically unusable.

Android's user-profile system, designed to accommodate multiple users and separate work and personal profiles, appears to be the cause of this rarely encountered bug. Users have reported that the primary profile, which is typically the most important one, becomes locked out.

Privacy

iPhones Have Been Exposing Your Unique MAC Despite Apple's Promises Otherwise (arstechnica.com)

Dan Goodin reports via Ars Technica: Three years ago, Apple introduced a privacy-enhancing feature that hid the Wi-Fi address of iPhones and iPads when they joined a network. On Wednesday, the world learned that the feature has never worked as advertised. Despite promises that this never-changing address would be hidden and replaced with a private one that was unique to each SSID, Apple devices have continued to display the real one, which in turn got broadcast to every other connected device on the network. [...]

In 2020, Apple released iOS 14 with a feature that, by default, hid Wi-Fi MACs when devices connected to a network. Instead, the device displayed what Apple called a "private Wi-Fi address" that was different for each SSID. Over time, Apple has enhanced the feature, for instance, by allowing users to assign a new private Wi-Fi address for a given SSID. On Wednesday, Apple released iOS 17.1. Among the various fixes was a patch for a vulnerability, tracked as CVE-2023-42846, which prevented the privacy feature from working. Tommy Mysk, one of the two security researchers Apple credited with discovering and reporting the vulnerability (Talal Haj Bakry was the other), told Ars that he tested all recent iOS releases and found the flaw dates back to version 14, released in September 2020. "From the get-go, this feature was useless because of this bug," he said. "We couldn't stop the devices from sending these discovery requests, even with a VPN. Even in the Lockdown Mode."

When an iPhone or any other device joins a network, it triggers a multicast message that is sent to all other devices on the network. By necessity, this message must include a MAC. Beginning with iOS 14, this value was, by default, different for each SSID. To the casual observer, the feature appeared to work as advertised. The "source" listed in the request was the private Wi-Fi address. Digging in a little further, however, it became clear that the real, permanent MAC was still broadcast to all other connected devices, just in a different field of the request. Mysk published a short video showing a Mac using the Wireshark packet sniffer to monitor traffic on the local network the Mac is connected to. When an iPhone running iOS prior to version 17.1 joins, it shares its real Wi-Fi MAC on port 5353/UDP.

Google

Google Adds Generative AI Threats To Its Bug Bounty Program (techcrunch.com)

Google has expanded its vulnerability rewards program (VRP) to include attack scenarios specific to generative AI. From a report: In an announcement shared with TechCrunch ahead of publication, Google said: "We believe expanding the VRP will incentivize research around AI safety and security and bring potential issues to light that will ultimately make AI safer for everyone." Google's vulnerability rewards program (or bug bounty) pays ethical hackers for finding and responsibly disclosing security flaws.

Given that generative AI brings to light new security issues, such as the potential for unfair bias or model manipulation, Google said it sought to rethink how bugs it receives should be categorized and reported. The tech giant says it's doing this by using findings from its newly formed AI Red Team, a group of hackers that simulate a variety of adversaries, ranging from nation-states and government-backed groups to hacktivists and malicious insiders to hunt down security weaknesses in technology. The team recently conducted an exercise to determine the biggest threats to the technology behind generative AI products like ChatGPT and Google Bard.

Google

Google Falsely Flags Samsung Apps as 'Harmful,' Tells Users To Remove Them (arstechnica.com)

An anonymous reader shares a report: Most Android users have probably never seen Google Play Protect in action. The malware-scanning service is built into every Android device and is supposed to flag malware that users have installed. Recently it flagged some popular apps that are very much not malware: Samsung Wallet and Samsung Messages.

As spotted by 9to5Google, Samsung users have been getting hit with Play Protect warnings since earlier this month. Users on the Google Support forum have posted screenshots of Play Protect flagging the Samsung system apps, and even Samsung responded to the issue, explaining (in Korean) how to fix any damage caused by the bug. Samsung says (through translation) the issue was caused by "a temporary failure of the Google server" and should now be fixed.

Open Source

OpenBSD 7.4 Released (phoronix.com)

Long-time Slashdot reader Noryungi writes: OpenBSD 7.4 has been officially released. The 55th release of this BSD operating system, known for being security oriented, brings a lot of new things, including dynamic tracer, pfsync improvements, loads of security goodies and virtualization improvements. Grab your copy today! As mentioned by Phoronix's Michael Larabel, some of the key highlights include:

- Dynamic Tracer (DT) and Utrace support on AMD64 and i386 OpenBSD
- Power savings for those running OpenBSD 7.4 on Apple Silicon M1/M2 CPUs by allowing deep idle states when available for the idle loop and suspend
- Support for the PCIe controller found on Apple M2 Pro/Max SoCs
- Allow AMD CPU microcode updating when a newer patch is available
- A workaround for the AMD Zenbleed CPU bug
- Various SMP improvements
- Updating the Direct Rendering Manager (DRM) graphics driver support against the upstream Linux 6.1.55 state
- New drivers for supporting various Qualcomm SoC features
- Support for soft RAID disks was improved for the OpenBSD installer
- Enabling of Indirect Branch Tracking (IBT) on x86_64 and Branch Target Identifier (BTI) on ARM64 for capable processors

You can download and view all the new changes via OpenBSD.org.

Security

There's a New Way To Flip Bits in DRAM, and It Works Against the Latest Defenses (arstechnica.com)

An anonymous reader shares a report: In 2015, researchers reported a surprising discovery that stoked industry-wide security concerns -- an attack called RowHammer that could corrupt, modify, or steal sensitive data when a simple user-level application repeatedly accessed certain regions of DDR memory chips. In the coming years, memory chipmakers scrambled to develop defenses that prevented the attack, mainly by limiting the number of times programs could open and close the targeted chip regions in a given time. Recently, researchers devised a new method for creating the same types of RowHammer-induced bitflips even on a newer generation of chips, known as DDR4, that have the RowHammer mitigations built into them. Known as RowPress, the new attack works not by "hammering" carefully selected regions repeatedly, but instead by leaving them open for longer periods than normal. Bitflips refer to the phenomenon of bits represented as ones changing to zeros and vice versa.

Further amplifying the vulnerability of DDR4 chips to read-disturbance attacks -- the generic term for inducing bitflips through abnormal accesses to memory chips -- RowPress bitflips can be enhanced by combining them with RowHammer accesses. Curiously, raising the temperature of the chip also intensifies the effect. "We demonstrate a proof of concept RowPress program that can cause bitflips in a real system that already employs protections against RowHammer," Onur Mutlu, a professor at ETH Zurich and a co-author of a recently published paper titled RowPress: Amplifying Read Disturbance in Modern DRAM Chips [PDF], wrote in an email. "Note that this is not in itself an attack. It simply shows that bitflips are possible and plenty, which can easily form the basis of an attack. As many prior works in security have shown, once you can induce a bitflip, you can use that bitflip for various attacks."

Open Source

AlmaLinux Stays Red Hat Enterprise Linux Compatible Without Red Hat Code (zdnet.com)

AlmaLinux is creating a Red Hat Enterprise Linux (RHEL) without any Red Hat code. Instead, AlmaLinux OS will aim to be Application Binary Interface (ABI) compatible and use the CentOS Stream source code that Red Hat continues to offer. Additional code is pulled from Red Hat Universal Base Images and upstream Linux code. Benny Vasquez, chairperson of the AlmaLinux OS Foundation, explained how all this works at the open-source community convention All Things Open. ZDNet's Steven Vaughan-Nichols reports: The hardest part is Red Hat's Linux kernel updates because, added Vasquez, "you can't get those kernel updates without violating Red Hat's licensing agreements." Therefore, she continued, "What we do is we pull the security patches from various other sources, and, if nothing else, we can find them when Oracle releases them." Vasquez did note one blessing from this change in production: "AlmaLinux, no longer bound to Red Hat's releases, has been able to release upstream security fixes faster than Red Hat. For example, the AMD microcode exploits were patched before Red Hat because they took a little bit of extra time to get out the door. We then pulled in, tested, and out the door about a week ahead of them." The overall goal remains to maintain RHEL compatibility. "Any breaking changes between RHEL and AlmaLinux, any application that stops working, is a bug and must be fixed."

That's not to say AlmaLinux will be simply an excellent RHEL clone going forward. It plans to add features of its own. For instance, Red Hat users who want programs not bundled in RHEL often turn to Extra Packages for Enterprise Linux (EPEL). These typically are programs included in Fedora Linux. Besides supporting EPEL software, AlmaLinux has its own extra software package -- called Synergy -- which holds programs that the AlmaLinux community wants but are not available in either EPEL or RHEL. If one such program is subsequently added to EPEL or RHEL, AlmaLinux drops it from Synergy to prevent confusion and duplication of effort.

This has not been an easy road for AlmaLinux. Even a 1% code difference is a lot to write and maintain. For example, when AlmaLinux tried to patch CentOS Stream code to fix a problem, Red Hat was downright grumpy about AlmaLinux's attempt to fix a security hole. Vasquez acknowledged it was tough sledding at first, but noted: "The good news is that they have been improving the process, and things will look a little bit smoother." AlmaLinux, she noted, is also not so much worried as aware that Red Hat may throw a monkey wrench into their efforts. Vasquez added: "Internally, we're working on stopgap things we'd need to do to anticipate Red Hat changing everything terribly." She doesn't think Red Hat will do it, but "we want to be as prepared as possible."

Security

Russia and China-backed Hackers Are Exploiting WinRAR Zero-Day Bug, Google Says (techcrunch.com)

Google security researchers say they have found evidence that government-backed hackers linked to Russia and China are exploiting a since-patched vulnerability in WinRAR, the popular shareware archiving tool for Windows. From a report: The WinRAR vulnerability, first discovered by cybersecurity company Group-IB earlier this year and tracked as CVE-2023-38831, allows attackers to hide malicious scripts in archive files that masquerade as seemingly innocuous images or text documents. Group-IB said the flaw was exploited as a zero-day -- since the developer had zero time to fix the bug before it was exploited -- as far back as April to compromise the devices of at least 130 traders.

Rarlab, which makes the archiving tool, released an updated version of WinRAR (version 6.23) on August 2 to patch the vulnerability. Despite this, Google's Threat Analysis Group (TAG) said this week that its researchers have observed multiple government-backed hacking groups exploiting the security flaw, noting that "many users" who have not updated the app remain vulnerable. In research shared with TechCrunch ahead of its publication, TAG says it has observed multiple campaigns exploiting the WinRAR zero-day bug, which it has tied to state-backed hacking groups with links to Russia and China.

Programming

'OK, So ChatGPT Just Debugged My Code. For Real' (zdnet.com)

ZDNet's senior contributing editor also maintains software, and recently tested ChatGPT on two fixes for bugs reported by users and on a new piece of code to add a new feature. It's a "real-world" coding test, "about pulling another customer support ticket off the stack and working through what made the user's experience go south." First...

His first prompt: "Please rewrite the following code to change it from allowing only integers to allowing dollars and cents (in other words, a decimal point and up to two digits after the decimal point)." ChatGPT responded by explaining a two-step fix, posting the modified code, and then explaining the changes. "I dropped ChatGPT's code into my function, and it worked. Instead of about two-to-four hours of hair-pulling, it took about five minutes to come up with the prompt and get an answer from ChatGPT." Next up was reformatting an array. I like doing array code, but it's also tedious. So, I once again tried ChatGPT. This time the result was a total failure. By the time I was done, I probably fed it 10 different prompts. Some responses looked promising, but when I tried to run the code, it errored out. Some code crashed; some code generated error codes. And some code ran, but didn't do what I wanted. After about an hour, I gave up and went back to my normal technique of digging through GitHub and StackExchange to see if there were any examples of what I was trying to do, and then writing my own code.
Then he posted the code for a function handling a Wordpress filter, along with the question: "I get the following error. Why?" Within seconds, ChatGPT responded... Just as it suggested, I updated the fourth parameter of the add_filter() function to 2, and it worked!

ChatGPT took segments of code, analyzed those segments, and provided me with a diagnosis. To be clear, in order for it to make its recommendation, it needed to understand the internals of how WordPress handles hooks (that's what the add_filter function does), and how that functionality translates to the behavior of the calling and the execution of lines of code. I have to mark that achievement as incredible — undeniably 'living in the future' incredible...

As a test, I also tried asking ChatGPT to diagnose my problem in a prompt where I didn't include the handler line, and it wasn't able to help. So, there are very definite limitations to what ChatGPT can do for debugging right now, in 2023...

Could I have fixed the bug on my own? Of course. I've never had a bug I couldn't fix. But whether it would have taken two hours or two days (plus pizza, profanity, and lots of caffeine), while enduring many interruptions, that's something I don't know. I can tell you ChatGPT fixed it in minutes, saving me untold time and frustration.

The article does include a warning. "AI is essentially a black box, you're not able to see what process the AI undertakes to come to its conclusions. As such, you're not really able to check its work... If it turns out there is a problem in the AI-generated code, the cost and time it takes to fix may prove to be far greater than if a human coder had done the full task by hand."

But it also ends with this prediction. "I see a very interesting future, where it will be possible to feed ChatGPT all 153,000 lines of code and ask it to tell you what to fix... I can definitely see a future where programmers can simply ask ChatGPT (or a Microsoft-branded equivalent) to find and fix bugs in entire projects."

AMD

T2 Linux Discovers (Now Patched) AMD Zen 4 Invalid Opcode Speculation Bug (youtube.com)

T2 SDE is not just a Linux distribution, but "a flexible Open Source System Development Environment or Distribution Build Kit," according to a 2022 announcement of its support for 25 CPU architectures, variants, and C libraries. ("Others might even name it Meta Distribution. T2 allows the creation of custom distributions with state of the art technology, up-to-date packages and integrated support for cross compilation.")

And while working on it, Berlin-based T2 Linux developer René Rebe (long-time Slashdot reader ReneR) discovered random illegal instruction speculation on AMD Ryzen 7000-Series and Epyc Zen 4 CPUs.

ReneR writes: Merged to Linux 6.6 Git is a fix for the bug now known at AMD as Erratum 1485.

The discovery was possible through continued high CPU load cross-compiling the T2 Linux distribution with support for all CPU architectures from ARM, MIPS, PowerPC, RISC-V to x86 (and more) for 33 build variants. With sustained high CPU load and various instruction sequences being compiled, pseudo random illegal instruction errors were observed and subsequently analyzed.

ExactCODE Research GmbH CTO René Rebe is thrilled that working with AMD engineers led to a timely mitigation to increase system stability of the still new and highest performance Zen4 platform.

"I found real-world code that might be similar or actually trigger the same bugs in the CPU that are also used for all the Spectre Meltdown and other side-channel security vulnerability mitigations," Rebe says in a video announcement on YouTube.

It took Rebe a tremendous amount of research, and he says now that "all the excessive work changed my mind. Mitigations equals considered harmful... If you want stable, reliable computational results — no, you can't do this. Because as Spectre Meltdown and all the other security issues have proven, the CPUs are nowadays as complex as complex software systems..."

Security

State-backed Hackers Are Exploiting New 'Critical' Atlassian Zero-Day Bug (techcrunch.com)

Microsoft says Chinese state-backed hackers are exploiting a "critical"-rated zero-day vulnerability in Atlassian software to break into customer systems. From a report: The technology giant's threat intelligence team said in a post on X, formerly Twitter, that it has observed a nation-state threat actor it calls Storm-0062 exploiting a recently disclosed critical flaw in Atlassian Confluence Data Center and Server. Microsoft has previously identified Storm-0062 as a China-based state-sponsored hacker.

Microsoft said it observed in-the-wild abuse of the maximum rated 10.0 vulnerability, tracked as CVE-2023-22515, since September 14, some three weeks before Atlassian's public disclosure on October 4. A bug is considered a zero-day when the vendor -- in this case Atlassian -- has zero time to fix the bug before it is exploited. Atlassian updated its advisory this week to confirm it has "evidence to suggest that a known nation-state actor" is exploiting the bug, which the company says could allow a remote attacker to create unauthorized administrator accounts to access Confluence servers. Atlassian's Confluence is a widely popular collaborative wiki system used by corporations around the world to organize and share work.

Iphone

Apple Releases iPhone Software Update To Fix Overheating Issue (bloomberg.com)

Apple rolled out a software update Wednesday to address an overheating issue that plagued some early buyers of the iPhone 15 Pro line. From a report: The update, called iOS 17.0.3, is available as an over-the-air fix in the software update section of the iPhone settings app. The release notes say the update "provides important bug fixes, security updates, and addresses an issue that may cause iPhone to run warmer than expected." The update was also released for older iPhones as well as iPads. Some early iPhone 15 Pro owners reported that their iPhone could get hotter than normal. Apple on Saturday blamed bad code in apps including Uber, Instagram and the Asphalt 9 racing game, in addition to a bug in the device's software. The company said the new device set-up could overwork the processor and lead to overheating.

Iphone

Apple Promises Software Update to Address iPhone 15 Overheating Complaints (cnbc.com)

An anonymous reader shared this report from CNBC: Apple said on Saturday that it will issue a software update that would address customer complaints about the latest iPhone 15 models, released just over a week ago, running hot.

Apple said that the new iPhone models were running hot because of a combination of bugs in iOS 17, bugs in apps, and a temporary set-up period... After Apple released the new iPhone 15 models earlier this month, user complaints on Apple's forums, Reddit, and social media suggest that all four models can get hotter than expected during use. CNBC's review of the new iPhone Pros also noted the iPhone 15 Pro Max got hot. "I just got the iPhone 15 Pro today and it's so hot I can't even hold it for very long!" wrote one commenter on Apple's forums.

Apple's new high-end models, the $999 iPhone 15 Pro and $1,199 iPhone 15 Pro Max have a redesigned titanium enclosure with an aluminum frame to make them easier to repair. The problem with the new models overheating was not related to the titanium chassis design, Apple said. Instead, Apple points to bugs with specific apps and a bug in iOS that can be fixed with software updates.

Software

Unity Dev Group Dissolves After 13 Years Over 'Completely Eroded' Company Trust (arstechnica.com)

Kyle Orland writes via Ars Technica: The "first official Unity user group in the world" has announced that it is dissolving after 13 years because "the trust we used to have in the company has been completely eroded." The move comes as many developers are saying they will continue to stay away from the company's products even after last week's partial rollback of some of the most controversial parts of its fee structure plans.

Since its founding in 2010, the Boston Unity Group (BUG) has attracted thousands of members to regular gatherings, talks, and networking events, including many technical lectures archived on YouTube. But the group says it will be hosting its last meeting Wednesday evening via Zoom because the Unity of today is very different from the Dave Helgason-led company that BUG says "enthusiastically sanctioned and supported" the group at its founding.

"Over the past few years, Unity has unfortunately shifted its focus away from the games industry and away from supporting developer communities," the group leadership wrote in a departure note. "Following the IPO, the company has seemingly put profit over all else, with several acquisitions and layoffs of core personnel. Many key systems that developers need are still left in a confusing and often incomplete state, with the messaging that advertising and revenue matter more to Unity than the functionality game developers care about."

BUG says the install-fee terms Unity first announced earlier this month were "unthinkably hostile" to users and that even the "new concessions" in an updated pricing model offered late last week "disproportionately affect the success of indie studios in our community." But it's the fact that such "resounding, unequivocal condemnation from the games industry" was necessary to get those changes in the first place that has really shaken the community to its core. "We've seen how easily and flippantly an executive-led business decision can risk bankrupting the studios we've worked so hard to build, threaten our livelihoods as professionals, and challenge the longevity of our industry," BUG wrote. "The Unity of today isn't the same company that it was when the group was founded, and the trust we used to have in the company has been completely eroded."

Windows

Windows File Explorer Gets Nostalgic Speed Boost Thanks To One Weird Bug (theregister.com) 39

An exploit for a bug in Windows appears to increase the performance of File Explorer in Microsoft's flagship operating system. From a report: Spotted over the weekend by Xitter user @VivyVCCS, the hack is triggered by a swift jab of the F11 key to switch File Explorer in and out of full-screen mode. According to the post, load performance is improved markedly.

Privacy

Hackers Can Silently Grab Your IP Through Skype (404media.co) 56

Slash_Account_Dot writes: Hackers are able to grab a target's IP address, potentially revealing their general physical location, by simply sending a link over the Skype mobile app. The target does not need to click the link or otherwise interact with the hacker beyond opening the message, according to a security researcher who demonstrated the issue and successfully discovered my IP address by using it. Yossi, the independent security researcher who uncovered the vulnerability, reported the issue to Microsoft earlier this month, according to Yossi and a cache of emails and bug reports he shared with 404 Media. In those emails Microsoft said the issue does not require immediate servicing, and gave no indication that it plans to fix the security hole. Only after 404 Media contacted Microsoft for comment did the company say it would patch the issue in an upcoming update.

Programming

More Developers Are Using the Rust Programming Language, Survey Finds (rust-lang.org) 117

This month the official Rust blog announced: For the 6th year in a row, the Rust Project conducted a survey on the Rust programming language, with participation from project maintainers, contributors, and those generally interested in the future of Rust. This edition of the annual State of Rust Survey opened for submissions on December 5 and ran until December 22, 2022... [W]e had 9,433 total survey completions and an increased survey completion rate of 82% vs. 76% in 2021...

- More people are using Rust than ever before! Over 90% of survey respondents identified as Rust users, and of those using Rust, 47% do so on a daily basis — an increase of 4% from the previous year.

- 30% of Rust user respondents can write simple programs in Rust, 27% can write production-ready code, and 42% consider themselves productive using Rust. Of the former Rust users who completed the survey, 30% cited difficulty as the primary reason for giving up while nearly 47% cited factors outside of their control.

- The growing maturation of Rust can be seen through the increased number of different organizations utilizing the language in 2022. In fact, 29.7% of respondents stated that they use Rust for the majority of their coding work at their workplace, which is a 51.8% increase compared to the previous year.

- There are numerous reasons why we are seeing increased use of Rust in professional environments. Top reasons cited for the use of Rust include the perceived ability to write "bug-free software" (86%), Rust's performance characteristics (84%), and Rust's security and safety guarantees (69%). We were also pleased to find that 76% of respondents continue to use Rust simply because they found it fun and enjoyable. (Respondents could select more than one option here, so the numbers don't add up to 100%.)

- Of those respondents that used Rust at work, 72% reported that it helped their team achieve its goals (a 4% increase from the previous year) and 75% have plans to continue using it on their teams in the future.

- But like any language being applied in the workplace, Rust's learning curve is an important consideration; 39% of respondents using Rust in a professional capacity reported the process as "challenging" and 9% of respondents said that adopting Rust at work has "slowed down their team". However, 60% of productive users felt Rust was worth the cost of adoption overall...

- Of those respondents who shared their main worries for the future of Rust, 26% have concerns that the developers and maintainers behind Rust are not properly supported — a decrease of more than 30% from the previous year's findings. One area of focus in the future may be to see how the Project in conjunction with the Rust Foundation can continue to push that number towards 0%.

- While 38% have concerns about Rust "becoming too complex", only a small number of respondents were concerned about documentation, corporate oversight, or speed of evolution. 34% of respondents are not worried about the future of Rust at all.

This year's survey reflects a 21% decrease in fears about Rust's usage in the industry since the last survey.