How do software bugs go unpatched for years?

On Tuesday, Microsoft patched a critical bug affecting Windows that researchers say could potentially allow hackers to remotely control users’ machines. But the bug wasn’t some recent mistake. The IBM researchers who found it say it has been around for nearly two decades, highlighting the difficulty of spotting and fixing bugs even in code that has gone through extensive review.

“Significant vulnerabilities can go undetected for some time,” wrote IBM X-Force research manager Robert Freeman in a blog post on the problem. “In this case, the buggy code is at least 19 years old and has been remotely exploitable for the past 18 years.” The bug was present as far back as the original release code for Windows 95, he says.

The IBM team says it hasn’t found any evidence that the bug has been exploited. Still, there’s a whole market for previously unknown computer software bugs where cybercriminals and even governments bid for ways to hack into computer systems. IBM said that this newly discovered bug would have fetched six figures on this market, which occupies a legal gray area.

This isn’t the first time major flaws have taken years to uncover. In 2010, a Google engineer uncovered a 17-year-old Windows bug that affected all 32-bit versions of the operating system and could be used to hijack PCs. In September, another problem called “Shellshock” was discovered in Bash, a free software package built into some 70 percent of all devices connected to the Internet. It could have been introduced as long as 22 years ago, says Chet Ramey, the long-time maintainer of the code.

And there are other examples, like the infamous Heartbleed bug that emerged in April and had gone undiscovered for two years.

So why does it take so long for seemingly important problems in critical systems to be discovered and fixed?

Part of it has to do with the process of software development and review. Writing code is not like a traditional engineering task such as building a bridge, where there are clear definitions for whether a project meets technical specifications. Code is a far messier medium, and it can be hard to know how the individual pieces will work together when combined into a final product.

Developers also do their own assessments of products, and in many cases hire testers to look for obvious flaws. But the true test of the security of a piece of software often comes after it has been released. That’s when code is exposed to outside security researchers and hackers who start to pick it apart, looking for weaknesses.

Many companies, including Microsoft, offer financial incentives through bug bounty programs to make the process go faster. (There are people who make a living searching for bugs and collecting these bug bounties.)

But despite all these efforts, no one knows just how many bugs are out there, waiting to be discovered. And sometimes, it takes decades to find them.
