How do software bugs go unpatched for years?

On Tuesday, Microsoft patched a critical bug affecting Windows that researchers say could potentially allow hackers to remotely control users’ machines. But the bug wasn’t some recent mistake. The IBM researchers who found it say it has been around for nearly two decades, highlighting the difficulty of spotting and fixing bugs even in code that has gone through extensive review.

“Significant vulnerabilities can go undetected for some time,” wrote IBM X-Force research manager Robert Freeman in a blog post on the problem. “In this case, the buggy code is at least 19 years old and has been remotely exploitable for the past 18 years.” The bug was present as far back as the original release code for Windows 95, he says.

The IBM team says it hasn’t found any evidence that the bug has been exploited. Still, there’s a whole market for previously unknown computer software bugs where cybercriminals and even governments bid for ways to hack into computer systems. IBM said that this newly discovered bug would have fetched six figures on this market, which occupies a legal gray area.

This isn’t the first time major flaws have taken years to uncover. In 2010, a Google engineer uncovered a 17-year-old Windows bug, affecting all 32-bit versions of the operating system, that could be used to hijack PCs. In September, another problem called “Shellshock” was discovered in a free software package built into some 70 percent of all devices connected to the Internet. It could have been introduced as long as 22 years ago, says Chet Ramey, the long-time maintainer of the code.

And there are other examples, like the infamous Heartbleed bug that emerged in April and had gone undiscovered for two years.

So why does it take so long for seemingly important problems in critical systems to be discovered and fixed?

Part of it has to do with the process of software development and review. Writing code is not like a traditional engineering task such as building a bridge, where there are clear definitions for whether a project meets technical specifications. Code is a far messier medium, and it can be hard to know how the individual pieces will work together when combined into a final product.

Developers also do their own assessments of products, and in many cases hire testers to look for obvious flaws. But the true test of the security of a piece of software often comes after it has been released. That’s when code is exposed to outside security researchers and hackers who start to pick it apart, looking for weaknesses.

Many companies, including Microsoft, offer financial incentives through bug bounty programs to make the process go faster. (There are people who make a living searching for bugs and collecting these bug bounties.)

But despite all these efforts, no one knows just how many bugs are out there, waiting to be discovered. And sometimes, it takes decades to find them.
