Highlight

Software Error Forces Tesla to Recall Over 800,000 Vehicles

Tesla must recall 817,143 vehicles to repair a software defect that prevents the audible warning that the seat belt is not fastened from being activated. In documents released by the US National Highway Traffic Safety Administration (NHTSA), the US company said that as of January 31 it had no record of "accidents, injuries or deaths" caused by the defect. According to the same documents, a South Korean institute notified Tesla of the defect on January 6; following the warning from the Korea Automobile Testing and Research Institute (KATRI), Tesla technicians confirmed the problem. The defect affects the Model 3 (2017-2022), Model S (2021-2022), Model X (2021-2022) and Model Y (2020-2022). The problem lies in the software that controls the activation of the audible warning and occurs when the driver interrupts the warning, for example by leaving the vehicle while it is sounding. In these circumstances the software records that it has already warned the driver and does not repeat the beep. Tesla also indicated that the beep is activated when the car exceeds 22 kilometers per hour and the driver's seat belt is not fastened. Elon Musk's company told the NHTSA that, to correct the problem, it will remotely update the software in all affected vehicles and will notify owners by mail on April 1. The original article via Expresso can be read at: https://expresso.pt/economia/tesla-recolhe-mais-de-800-mil-veiculos-devido-a-defeito-em-software/

French Warned About Bug That Could "Deactivate" Vaccination Certificate

In France, a vaccination certificate is required to enter the vast majority of public places, including restaurants, cinemas and museums, as well as public transport. Everyone over the age of 16 must carry the certificate to gain access to these spaces, and at the moment a valid certificate requires a booster dose. Certificates are automatically deactivated if the holder has not received a booster dose within the required timeframe; however, a problem has been reported that led to certificates being deactivated even for some people who had received a booster dose. It mainly affects people who have already been infected with the COVID-19 virus. France operates on a policy of "one infection corresponds to one dose of vaccine", which means that a person given a two-dose vaccine (AstraZeneca/Pfizer/Moderna) who was infected with Covid before or after the first dose does not need a second dose. The booster dose, however, is still necessary. For example, French President Emmanuel Macron became infected with the COVID virus in December 2020; when it came time to get vaccinated he received a single dose, and as soon as boosters opened for under-50s in November he had his booster shot. In recent weeks, some people in a similar situation have received alerts via the TousAntiCovid app warning that their vaccination certificate would be deactivated. This was mainly due to a software bug that misinterpreted the two doses, and which has since been fixed. So far the TousAntiCovid app has had surprisingly few software glitches, but there is one problem that affects people vaccinated in the UK. Because NHS (British National Health Service) vaccination codes are only valid for 30 days, the certificate held in TousAntiCovid is deactivated as soon as the code expires, which means the user has to download a new QR code from the NHS app every 30 days and scan it into TousAntiCovid to keep the certificate active. The original article via The Local can be read at: https://www.thelocal.fr/20220202/warning-over-deactivation-bug-in-frances-vaccine-pass/

iPhone 13 Users Complain of Pink Screen, Apple Says It's a Software Error

Several iPhone 13 users have reported a problem that is, to say the least, random: the device's screen turns pink, making it impossible to use the phone without restarting it. One of the first reported cases dates back to October, on Apple's discussion forums. Although in that case the device was replaced, other users began to report the same problem in the following weeks and months. While some customers managed to get their iPhone 13 replaced, others weren't so lucky, as Apple said it was just a software bug. Reading the reports, it is not possible to find a pattern that explains why this happens, although it appears to be restricted to the iPhone 13 line. One user wrote in December: "I had the same problem when taking a photo and the screen not only froze but turned pink and restarted soon after. I called Apple support, they diagnosed it and said there was nothing wrong." Users on the social network Reddit also reported the same situation: "This happened to me the other day while I was in the car. It was preceded by my GPS giving me completely wrong directions, away from my destination, until I turned it off and on again. During this time the screen turned pink." Amid all these complaints, the My Drivers blog noticed that Apple recently made a statement on the Chinese social network Weibo, since the vast majority of cases appear to have arisen in China. According to the US company: "We have not detected any relevant hardware problems with the devices, as this situation [pink screen] is caused when the system is locked." According to the publication, Apple advises users to back up their data and install the latest available update, in order to rule out an incompatibility between an app version and the iOS version. The iOS 15.3 RC released since then does not mention a fix for the pink screen bug, which adds to the confusion among users, since some of these reports date back to the iPhone 13's original release. The original article via 9To5Mac can be read at: https://9to5mac.com/2022/01/23/some-iphone-13-users-report-pink-screen-issues-apple-says-its-a-software-bug/

European Commission Launches Program to Reward Bug Detection in Its Projects

The European Commission has launched a program that rewards the detection of bugs in the open source projects that underpin its public services. Bug bounty hunters can receive up to €5,000 (the equivalent of 5,600 US dollars) for finding security vulnerabilities in open source software used throughout the European Union (EU), including LibreOffice, LEOS, Mastodon, Odoo and CryptPad. The program, run on the European bug bounty platform Intigriti, also offers a 20% bonus if the researcher provides a code fix for the bug. In a statement released on January 19, the EC said it is looking for reports of security vulnerabilities such as the exposure of personal data, horizontal/vertical privilege escalation and SQL injection. The highest reward will be paid for the detection of "exceptional vulnerabilities". This program follows an earlier EU program called FOSSA, which paid out more than 220,000 dollars in its 18 months of operation and was heralded as a "remarkable success". Speaking to The Daily Swig, Inti De Ceukelaire, head of hacking at Intigriti, said that the partnership came about last year when Intigriti led a program funded by the EC's ISA2 program. "We are committed to further nurturing the relationship with the open source communities that we have established over the last few years," said the Belgian tester. "Personally, I believe that all government bodies should have and encourage the use of vulnerability disclosure policies and introduce or adopt unambiguous laws to support vulnerability research. Bug bounties, among other crowdsourcing initiatives, are a great way to encourage this." De Ceukelaire added: "Virtually all organizations use open source projects in one way or another. Identifying and resolving security vulnerabilities in these projects has an impact at scale. The Log4j incident has shown us that supporting the security of widely used open source projects is an absolute necessity, so we can only applaud this initiative by the European Commission." The original article via The Daily Swig can be read at: https://portswigger.net/daily-swig/european-commission-launches-new-open-source-software-bug-bounty-program

Safari 15 Browser Software Error Allows Tracking of User Activity

A software bug introduced in Apple Safari 15's implementation of the IndexedDB API could be abused by a malicious website to track users' online activity in the web browser and, worse, even reveal their identity. The vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the problem to the iPhone manufacturer in November 2021. IndexedDB is a low-level JavaScript application programming interface (API) provided by web browsers to manage NoSQL databases of structured data such as files and blobs. "Like most web storage solutions, IndexedDB follows a same-origin policy," according to Mozilla's API documentation. "So while you can access data stored in a particular domain, you cannot access data in different domains." The same-origin policy is a fundamental security mechanism that ensures that resources retrieved from different origins, i.e. a combination of the scheme (protocol), host (domain) and port number of a URL, are isolated from each other. This means that "http[:]//example[.]com/" and "https[:]//example[.]com/" are not the same origin because they use different schemes. By restricting how a script loaded from one origin can interact with a resource from another origin, the idea is to isolate potentially malicious scripts and reduce possible attack vectors, preventing an unauthorized site from executing arbitrary JavaScript code to read data from another domain, such as an email service. However, this is not how Safari handles the IndexedDB API on iOS, iPadOS and macOS. "In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is in violation of the same-origin policy," wrote Martin Bajanik in an article. "Whenever a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs and windows in the same browser session." One consequence of this privacy breach is that it allows a website to learn which other websites a user is visiting in different tabs or windows and, specifically, to accurately identify users of Google services such as YouTube and Google Calendar, because these websites create IndexedDB databases whose names include the authenticated Google user ID, an internal identifier that uniquely identifies a single Google account. "This not only implies that untrusted or malicious sites can know a user's identity, but also allows them to link several separate accounts used by the same user," added Bajanik. To make matters worse, the leak also affects private browsing mode in Safari 15 when a user visits several different websites from the same tab in the browser window. "This is a huge bug," tweeted Jake Archibald, Google Chrome developer advocate. "In OSX, Safari users can (temporarily) switch to another browser to prevent their data from leaking between origins. iOS users don't have that choice, because Apple imposes a ban on other browser engines." The original article via The Hacker News can be read at: https://thehackernews.com/2022/01/new-unpatched-apple-safari-browser-bug.html

Software Error Causes Loss of 34 Million Research Files at Kyoto University

A new script malfunctioned and deleted 34 million files from the Japanese university's supercomputer, some of which cannot be recovered from backups. On December 16, Kyoto University began investigating a problem caused by a software update from Hewlett Packard Enterprise (HPE). It was discovered that approximately 77TB of files belonging to 14 research groups had been deleted over the previous two days. The university said it will contact those affected, while HPE took full responsibility and explained that the update to the university's supercomputer system was originally designed to "improve visibility and readability" by deleting log files more than 10 days old. In its statement, the US company admitted that there was a "lack of consideration" in the procedure for releasing the new script and that it was not aware of any potential side effects when it was applied. The script was overwritten while it was still running, "resulting in undefined variables" that caused the original log files on the supercomputer to be deleted "instead of deleting the [log] file saved in the directory". HPE added that measures will be taken to ensure that the problem does not reoccur, including testing updates before they are applied and retraining the engineers responsible for preventing risks and human error. Kyoto University is Japan's second oldest university, founded in 1897. It is one of Japan's leading research-oriented institutions and has produced several Nobel Prize winners. Microsoft also faced a software problem earlier this year, when its Exchange servers stopped working properly as the clock struck midnight on New Year's Eve. The servers were unable to handle the year 2022, which led some to call it the Y2K22 bug. The original article via Silicon Republic can be read at: https://www.siliconrepublic.com/enterprise/software-error-causes-34m-research-files-to-be-lost-at-kyoto-university
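The Kyoto incident describes a log-cleanup script that ran with undefined variables after being overwritten mid-execution. The following is an added example, not HPE's or Kyoto University's script, of a log-pruning routine that fails closed on an unset directory variable and is structured so the shell parses the whole file before executing it; the variable names LOGDIR and KEEP_DAYS are assumptions.

```shell
#!/bin/sh
# Added example (not HPE's or Kyoto University's code): a log-pruning
# routine hardened against the failure mode described above. A naive
#   rm -rf "$LOGDIR"/*
# with LOGDIR unset expands to rm -rf /*, so one undefined variable can
# delete far more than old logs. Two mitigations are shown: fail closed on
# an unset/empty/root directory, and keep the body in functions that are
# only called on the last line, because sh reads a script incrementally
# and an in-place overwrite of a running script can splice new text (with
# different variables) into the execution. LOGDIR and KEEP_DAYS are
# assumed environment variable names.
set -eu

# Remove regular files older than $2 days (default 10) under directory $1
# and print how many were removed. Returns 1 without touching anything if
# the directory is unset, empty, not a directory, or the filesystem root.
prune_old_logs() {
    dir="${1:-}"
    days="${2:-10}"
    if [ -z "$dir" ]; then
        echo "prune_old_logs: log directory is not set; refusing to run" >&2
        return 1
    fi
    case "$dir" in
        /|//|/.|/./) echo "prune_old_logs: refusing to prune /" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "prune_old_logs: not a directory: $dir" >&2; return 1; }
    # Count first so the caller can verify the result, then delete only
    # regular files strictly under $dir, never $dir itself.
    count=$(find "$dir" -type f -mtime +"$days" | wc -l | tr -d ' ')
    find "$dir" -type f -mtime +"$days" -exec rm -f {} +
    echo "$count"
}

main() {
    if [ -z "${LOGDIR:-}" ]; then
        echo "usage: LOGDIR=/path/to/logs [KEEP_DAYS=10] sh prune_old_logs.sh" >&2
        return 0
    fi
    prune_old_logs "$LOGDIR" "${KEEP_DAYS:-10}"
}

main "$@"
```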