{"id":15900,"date":"2026-03-05T06:36:07","date_gmt":"2026-03-05T06:36:07","guid":{"rendered":"https:\/\/newestek.com\/?p=15900"},"modified":"2026-03-05T06:36:07","modified_gmt":"2026-03-05T06:36:07","slug":"14-old-software-bugs-that-took-way-too-long-to-squash","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15900","title":{"rendered":"14 old software bugs that took way too long to squash"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>In 2021, a vulnerability was revealed in a system that lay at the foundation of modern computing. An attacker could force the system to execute arbitrary code. Shockingly, the vulnerable code was almost 54 years old \u2014 and there was no patch available, and no expectation that one would be forthcoming.<\/p>\n<p>Fortunately, that\u2019s because the system in question was Marvin Minsky\u2019s <a href=\"https:\/\/www.theregister.com\/2021\/05\/11\/turing_machine_0day_no_patch_available\/\" target=\"_blank\" rel=\"noreferrer noopener\">1967 implementation of a Universal Turing Machine<\/a>, which, despite its momentous theoretical importance for the field of computer science, had never actually been built into a real-world computer. But in the decade or so after Minsky\u2019s design, the earliest versions of Unix and DOS came into use, and their descendants are still with us today in the 21st century. 
Some of those systems have had bugs lurking beneath the surface for years or even decades.<\/p>\n<p>Here are 14 noteworthy bugs that, once long dormant, took over a decade to be discovered and fixed \u2014 in descending order of how long they went unaddressed.<\/p>\n<h2 class=\"wp-block-heading\" id=\"libpng-graphics-library-flaw\">Libpng graphics library flaw<\/h2>\n<p><em>Age:<\/em><strong> 30 years<\/strong><em><\/em><\/p>\n<p><em>Date introduced: <\/em><strong>1995<\/strong><em><\/em><\/p>\n<p><em>Date fixed:<\/em><strong> February 2026<\/strong><em><\/em><\/p>\n<p>Researchers unearthed a <a href=\"https:\/\/www.csoonline.com\/article\/4132296\/researchers-unearth-30-year-old-vulnerability-in-libpng-library.html\">legacy flaw in the widely used libpng open-source library<\/a> that had existed since the technology was first released more than 30 years ago.<\/p>\n<p>The heap buffer overflow vulnerability (<a href=\"https:\/\/www.cvedetails.com\/cve\/CVE-2026-25646\/\">CVE-2026-25646<\/a>) meant that applications using the flawed software would crash when presented with a maliciously constructed PNG raster image file. Although difficult to exploit, the vulnerability potentially poses an information disclosure or remote code execution risk.<\/p>\n<p>The vulnerable png_set_quantize function, previously called png_set_dither, is rarely used. 
This, in combination with the difficulty of exploitation, means that the flaw earns a CVSS score of 8.3, rating it as a \u201chigh\u201d rather than \u201ccritical\u201d risk.<\/p>\n<p>Nonetheless, many Linux distributions (Debian, Red Hat, Ubuntu), desktop apps, and some Java runtimes rely on vulnerable versions of the library and need to be patched.<\/p>\n<h2 class=\"wp-block-heading\"><strong>PrintDemon<\/strong><\/h2>\n<p><em>Age: <\/em><strong>24 years<br \/><\/strong><em>Date introduced: <\/em><strong>1996<br \/><\/strong><em>Date fixed: <\/em><strong>May 2020<\/strong><\/p>\n<p>Printers are a frequent pain point for IT because there are a <em>lot <\/em>of models, they aren\u2019t made by the same vendors who make computers and operating systems, and users expect to plug them in and start printing. Microsoft in its early years battled to make installing a printer driver relatively easy and painless. But a bug found in 2020, dubbed <a href=\"https:\/\/www.csoonline.com\/article\/569383\/printdemon-vulnerability-explained-its-risks-and-how-to-mitigate.html\">PrintDemon<\/a>, showed that maybe they took that a bit too far back in the \u201990s \u2014 and paid for it for decades.<\/p>\n<p>The core of the vulnerability lies in three facts: Non-administrative users can add printers to a Windows machine; the underlying mechanics make it possible to print to a file rather than a physical printing device; and crucial <a href=\"https:\/\/www.csoonline.com\/article\/572319\/vulnerabilities-found-in-250-hp-printer-models.html\">printing services<\/a> on Windows run with system privileges. That means that, if you do it right, you can build a \u201cprinter\u201d driver that can create a file (even an executable one) anywhere on the filesystem (even in privileged directories). 
There are plenty of exploits that have been cooked up to take advantage of these design flaws \u2014 <a href=\"https:\/\/www.csoonline.com\/article\/562691\/stuxnet-explained-the-first-known-cyberweapon.html\">Stuxnet<\/a>, it turns out, was one of them \u2014 but PrintDemon was a real doozy, made possible because Microsoft\u2019s fixes over the years had been patches rather than a complete rebuild of the printing subsystem.<\/p>\n<p>As <a href=\"https:\/\/windows-internals.com\/printdemon-cve-2020-1048\/\" target=\"_blank\" rel=\"noreferrer noopener\">Winsider described it<\/a>, \u201cWith very subtle file system modifications, you can achieve file copy\/write behavior that is not attributable to any process, especially after a reboot \u2026 with a carefully crafted port name, you can imagine simply having the Spooler drop a [portable executable] file anywhere on disk for you.\u201d Sounds like bad news!<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>win32k.sys vulnerabilities<\/h2>\n<p><em>Age: <\/em><strong>23 years<br \/><\/strong><em>Date introduced: <\/em><strong>1996<br \/><\/strong><em>Date fixed: <\/em><strong>2019<\/strong><\/p>\n<p>Two big vulnerabilities were detected in the Win32 API in Microsoft Windows in 2019. The first, found in April, was a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/use-after-free\/?utm_source=securelist&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\">Use-After-Free vulnerability<\/a>, in which OS coding errors made it possible for programs to access system memory that should\u2019ve been protected; this vulnerability was detected by security researchers when they discovered malicious hackers <a href=\"https:\/\/securelist.com\/new-win32k-zero-day-cve-2019-0859\/90435\/\" target=\"_blank\" rel=\"noreferrer noopener\">attempting to use it in the wild<\/a> to gain control of computers. 
The other, discovered in December, was an elevation-of-privilege vulnerability lurking in the OS\u2019s window switching functionality; this vulnerability was similarly discovered in the course of <a href=\"https:\/\/securelist.com\/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium\/95432\/\" target=\"_blank\" rel=\"noreferrer noopener\">active attacks<\/a>, which simulated keystrokes to create memory leaks.<\/p>\n<p>Both vulnerabilities have their origins in the early days of Windows. \u201cThe problem originates from the time when WIN32K made its debut with Windows NT 4.0, when much of Win32\u2019s graphics engine was moved from user level to kernel to boost performance,\u201d explained Boris Larin, senior security researcher at Kaspersky, back in 2019. And while these two vulnerabilities have been patched, that long-ago decision on the part of Microsoft has had much broader effects \u2014 and probably will continue to do so, Larin said then. \u201cThroughout the years, the WIN32K component has been responsible for more than a half of all kernel security vulnerabilities discovered in Windows.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>PuTTY heap overflow<\/h2>\n<p><em>Age: <\/em><strong>20 years, 9 months<br \/><\/strong><em>Date introduced: <\/em><strong>January 1999<br \/><\/strong><em>Date fixed: <\/em><strong>October 2019<\/strong><\/p>\n<p>PuTTY is a free and open-source suite of tools that includes a serial console, a terminal emulator, and various network file transfer applications, with SSH and other encryption schemes built in. It was originally released to bring tools Unix admins took for granted to Windows and Mac OS, but has expanded its scope and is <a href=\"https:\/\/www.networkworld.com\/article\/2867362\/improving-your-putty-connections.html\" target=\"_blank\">now in wide use on Unix systems as well<\/a>. While PuTTY was designed to secure network connections, it turns out there was a vulnerability lurking at its heart. 
This was a heap overflow that could be triggered by a too-short SSH key, which could result in crashing PuTTY or even remote code execution.<\/p>\n<p>The vulnerability was <a href=\"https:\/\/hackerone.com\/reports\/630462\" target=\"_blank\" rel=\"noreferrer noopener\">submitted to HackerOne<\/a> as part of a bug bounty program, netting the submitter a $3,645 reward and a thank you from the PuTTY team, which noted that the bug had been present in the very earliest versions of the source code, back to 1999.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>SIGRed DNS vulnerability<\/h2>\n<p><em>Age: <\/em><strong>17 years<br \/><\/strong><em>Date introduced: <\/em><strong>2003<br \/><\/strong><em>Date fixed: <\/em><strong>2020<\/strong><\/p>\n<p>DNS is one of the underrated backbones of the internet, the system by which your <a href=\"https:\/\/www.networkworld.com\/article\/3268449\/what-is-dns-and-how-does-it-work.html\" target=\"_blank\">computer knows what IP address correlates to any given URL<\/a>. The system is hierarchical, with requests sent up and down the pyramid looking for DNS servers that know the answer to the question, \u201cWhere is this computer?\u201d As a result, DNS has been built into all major operating systems.<\/p>\n<p>In 2020, Microsoft disclosed a <a href=\"https:\/\/www.csoonline.com\/article\/569845\/sigred-what-is-it-how-serious-is-it-and-how-should-you-respond.html\">critical vulnerability in its own version of DNS<\/a>, which had been lurking in the code for 17 years. 
The vulnerability, <a href=\"https:\/\/research.checkpoint.com\/2020\/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers\/\" target=\"_blank\" rel=\"noreferrer noopener\">dubbed SIGRed by its discoverers at Check Point<\/a>, was a <a href=\"https:\/\/www.csoonline.com\/article\/568835\/what-is-a-buffer-overflow-and-how-hackers-exploit-these-vulnerabilities.html\">buffer overflow<\/a> flaw in Windows DNS servers that could be triggered by exploit code tucked into a DNS packet\u2019s signature. A malicious nameserver could send such packets in response to requests, bypassing most security protections and potentially gaining remote access to the Microsoft DNS server. The attack would be potentially wormable, meaning that it could be automated and spread without user intervention.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Python tarfile vulnerability rises again<\/strong><\/h2>\n<p><em>Age: <\/em><strong>15 years<br \/><\/strong><em>Date introduced: <\/em><strong>2007<br \/><\/strong><em>Date fixed: <\/em><em><strong>September <\/strong><\/em><strong>2022<\/strong><\/p>\n<p>Cybersecurity company Trellix discovered that CVE-2007-4559, a vulnerability affecting Python\u2019s tarfile module first identified in 2007, continued to affect hundreds of thousands of repositories up until at least September 2022.<\/p>\n<p>\u201cWhile investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python\u2019s tarfile module,\u201d Kasimir Schulz, a vulnerability researcher for Trellix\u2019s Threat Labs, <a href=\"https:\/\/www.trellix.com\/en-us\/about\/newsroom\/stories\/research\/tarfile-exploiting-the-world.html\" target=\"_blank\" rel=\"noreferrer noopener\">wrote on the firm\u2019s blog<\/a>. \u201cInitially we thought we had found a new zero-day vulnerability. 
As we dug into the issue, we realized this was in fact CVE-2007-4559.\u201d<\/p>\n<p>According to NIST, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2007-4559\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2007-4559<\/a> is a directory traversal vulnerability in the extract and extractall functions in the tarfile module in Python that allows user-assisted remote attackers to overwrite arbitrary files via a \u201c..\u201d sequence in filenames in a TAR archive.<\/p>\n<p>Bad actors can create exploits with as few as six lines of code added to the tarfile module, which allows users to add a filter to parse and modify a file\u2019s metadata before it is added to the tar archive, Schulz said. CVE-2007-4559 \u201cis incredibly easy to exploit, requiring little to no knowledge about complicated security topics. Due to this fact and the prevalence of the vulnerability in the wild, Python\u2019s tarfile module has become a massive supply chain issue threatening infrastructure around the world.\u201d Trellix has found more than 300,000 repositories affected by the vulnerability.<\/p>\n<p>Trellix developed a <a href=\"https:\/\/github.com\/advanced-threat-research\/Creosote\" target=\"_blank\" rel=\"noreferrer noopener\">scanning utility<\/a> to identify the vulnerability and patched a number of open-source repositories.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Linux SCSI subsystem bugs<\/h2>\n<p><em>Age: <\/em><strong>15 years<br \/><\/strong><em>Date introduced: <\/em><strong>2006<br \/><\/strong><em>Date fixed: <\/em><strong>March 2021<\/strong><\/p>\n<p>SCSI, a 1980s-era data transfer standard, is still in use in some contexts today, and Linux, always intended to be as flexible and universal as possible, still has an extensive SCSI subsystem for those systems that need it. 
These modules are available via <em>automatic module loading<\/em><em>,<\/em> in which the OS grabs and installs the system code it needs when it needs it \u2014 helpful if you find yourself plugging a SCSI drive into your Linux machine and don\u2019t want to hunt down the necessary supporting code.<\/p>\n<p>Cybersecurity consultancy Grimm posted an extensive breakdown of <a href=\"https:\/\/blog.grimm-co.com\/2021\/03\/new-old-bugs-in-linux-kernel.html\" target=\"_blank\" rel=\"noreferrer noopener\">several bugs in this Linux SCSI code<\/a> that they discovered in March 2021. One was a buffer overflow vulnerability that could allow a normal user to gain root privileges, and the others were errors where information from the kernel could be leaked to user space, and all could be used to get privileged information or as part of a DoS attack on the affected machine. Grimm dates the bugs back to 2006 and dryly notes that they\u2019re \u201can indication of a lack of security-conscious programming practices that was prevalent at the time this code was developed.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Domain Time II man-on-the-side attack<\/h2>\n<p><em>Age: <\/em><strong>14 years<br \/><\/strong><em>Date introduced: <\/em><strong>2007<br \/><\/strong><em>Date fixed: <\/em><strong>April 2021<\/strong><\/p>\n<p>If two computers on the same network can\u2019t agree on the time, the results can range from <a href=\"https:\/\/www.networkworld.com\/article\/3189131\/the-growing-importance-of-time-sensitive-networks.html\" target=\"_blank\">annoying to disastrous<\/a>. 
This <a href=\"https:\/\/en.wikipedia.org\/wiki\/Clock_synchronization\" target=\"_blank\" rel=\"noreferrer noopener\">longstanding problem<\/a> was to be solved by <a href=\"https:\/\/www.greyware.com\/software\/domaintime\/\" target=\"_blank\" rel=\"noreferrer noopener\">Domain Time II<\/a>, a closed-source application in use on Windows, Linux, and Solaris.<\/p>\n<p>But Domain Time II harbored for most of its existence a very serious vulnerability. At intervals or on conditions the user can set, the program sends UDP queries to an update server run by Greyware Automation Products, the software\u2019s vendor. If the server replies with a URL, Domain Time II will run a program with admin privileges to download and install an update from that URL.<\/p>\n<p>The problem? If a malicious actor manages to reply to the query before Greyware\u2019s server does, that attacker can <a href=\"https:\/\/blog.grimm-co.com\/2021\/04\/time-for-upgrade.html\" target=\"_blank\" rel=\"noreferrer noopener\">send its own reply<\/a>, prompting Domain Time II to download whatever <a href=\"https:\/\/www.csoonline.com\/article\/565999\/what-is-malware-viruses-worms-trojans-and-beyond.html\">malware<\/a> the attacker wants installed. In a true <a href=\"https:\/\/www.csoonline.com\/article\/566905\/man-in-the-middle-attack-definition-and-examples.html\">man-in-the-middle attack<\/a>, the attacker would be intercepting communications in both directions; in contrast, this <em>man-on-the-side<\/em> attack can\u2019t stop replies to its target machine getting through and so has to send its own reply more quickly.<\/p>\n<p>In practice, this means the attacker would need to control a computer on the target\u2019s local network to pull this off, but this attack represents a way an attacker could escalate their intrusion onto more valuable and secure machines within a local network. 
This vulnerability was spotted by the security firm Grimm, which noted that the flaw was present in versions of the software going back at least to 2007.<\/p>\n<h2 class=\"wp-block-heading\" id=\"critical-vulnerability-in-redis-in-memory-store\">Critical vulnerability in Redis in-memory store<\/h2>\n<p><em>Age: <\/em><strong>13 years<\/strong><em><\/em><\/p>\n<p><em>Date introduced:<\/em><strong> 2012<\/strong><em><\/em><\/p>\n<p><em>Date fixed:<\/em><strong> October 2025<\/strong><em><\/em><\/p>\n<p>A <a href=\"https:\/\/www.csoonline.com\/article\/4069136\/10-0-severity-rce-flaw-puts-60000-redis-instances-at-risk.html\">vulnerability in Redis in-memory store<\/a> posed a critical risk for servers hosting the database.<\/p>\n<p>The vulnerability, identified as CVE-2025-49844 or RediShell, stemmed from a use-after-free memory corruption bug that has existed in the Redis code base for around 13 years and posed a remote code execution risk.<\/p>\n<p>While the flaw required authentication to exploit, an estimated 60,000 Redis instances were exposed to the internet without authentication enabled, leaving these systems open to attack. Wiz researchers discovered the flaw and used it in the Pwn2Own Berlin contest in May 2025, weeks before its public disclosure in October 2025.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>LionWiki local file inclusion<\/h2>\n<p><em>Age: <\/em><strong>11 years, 11 months<br \/><\/strong><em>Date introduced: <\/em><strong>November 2008<br \/><\/strong><em>Date fixed: <\/em><strong>October 2020<\/strong><\/p>\n<p><a href=\"https:\/\/lionwiki.0o.cz\/index.php?page=Main+page\" target=\"_blank\" rel=\"noreferrer noopener\">LionWiki<\/a> is a minimalist wiki engine, programmed in PHP. Unlike many popular wiki engines, LionWiki doesn\u2019t use a database, and instead is entirely file-based. 
Because its goal is simplicity, this is a strength, but it also makes a significant vulnerability possible.<\/p>\n<p>In essence, the various files underlying a particular LionWiki instance are accessed by file and pathnames in the URL of the corresponding pages. This means that, with a correctly crafted URL, you could traverse the filesystem of the server hosting the LionWiki instance. There are URL-filtering provisions in place to block attempts to do this, but as Infosec Institute Cyber Range Engineer June Werner discovered, they could be <a href=\"https:\/\/www.junebug.site\/blog\/cve-2020-27191-lionwiki-3-2-11-lfi\" target=\"_blank\" rel=\"noreferrer noopener\">defeated fairly easily<\/a>.<\/p>\n<p>One thing Werner noted is that the vulnerability persisted despite attempts to correct it. \u201cSome mitigations were first put in place in July of 2009, and then more extensive mitigations were put in place in January of 2012,\u201d she noted. \u201cDespite these mitigations, the code was still vulnerable to the same type of attack. This vulnerability stayed in the code for another eight years until it was rediscovered, along with a way to bypass the mitigations, in October 2020.\u201d After the bug was <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-27191\" target=\"_blank\" rel=\"noreferrer noopener\">formally reported<\/a>, it was patched by the developer.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>sudo host<\/h2>\n<p><em>Age: <\/em><strong>11 years, 10 months<br \/><\/strong><em>Date introduced: <\/em><strong>September 2013<br \/><\/strong><em>Date fixed: <\/em><strong>July 2024<\/strong><\/p>\n<p>The sudo command is an important tool in any Unix admin\u2019s toolkit, granting <a href=\"https:\/\/www.networkworld.com\/article\/3322504\/selectively-deploying-your-superpowers-on-linux.html\" target=\"_blank\">superpowered user privileges<\/a> to those who have the permission to invoke it. 
To access these privileges, a user must be listed in a configuration file called sudoers. Because many organizations centrally administer many Unix hosts, sudoers can include a list of specific hosts where each user has sudo rights, so that these config files can be written once and then be pushed out to all the organization\u2019s hosts.<\/p>\n<p>The problem is that, to get access to the sudoers file and see the hosts on which you or another user might have sudo powers, you need those sudo powers yourself. But a command-line flag intended to let users view host-specific privileges could be abused to trick sudo into treating the command as if it were running on a different host \u2014 potentially one where the user has elevated privileges. That could allow the user to run commands, including those that edit sudoers, even if they shouldn\u2019t have that access on the local machine. This <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-32462\">security flaw isn\u2019t rated as too serious<\/a>, but it did lurk undetected for nearly 12 years. 
(Another <a href=\"https:\/\/www.csoonline.com\/article\/4018715\/how-a-12-year-old-bug-in-sudo-is-haunting-linux-users.html\">more serious flaw with the chroot option<\/a>, revealed at the same time, is a mere baby at two years old.)<\/p>\n<h2 class=\"wp-block-heading\" id=\"hashicorp-vault-and-cyberark-conjur-logic-flaws\">HashiCorp Vault and CyberArk Conjur logic flaws<\/h2>\n<p><em>Age: <\/em><strong>10 years<\/strong><em><\/em><\/p>\n<p><em>Date introduced:<\/em><strong> <a>2015<\/a><\/strong><em><a href=\"https:\/\/www.csoonline.com\/article\/570815\/10-old-software-bugs-that-took-way-too-long-to-squash.html#_msocom_1\">[1]<\/a>\u00a0<\/em><em><\/em><\/p>\n<p><em>Date fixed:<\/em><strong> August 2025<\/strong><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4035274\/researchers-uncover-rce-attack-chains-in-popular-enterprise-credential-vaults.html\">Multiple flaws in components of HashiCorp Vault and CyberArk Conjur<\/a>, two open-source credential management systems, left the door open to a variety of attacks, including authentication bypass and the theft or erasure of supposedly protected secrets.<\/p>\n<p>Both HashiCorp Vault and CyberArk Conjur are used for storing and controlling access to secrets such as API keys, database passwords, certificates, and encryption keys. Each technology is commonly used in DevSecOps pipelines.<\/p>\n<p>Researchers from Cyata discovered an array of issues, many of which had remained hidden in the codebase of widely used open-source secrets vaults for years. 
The vulnerabilities were discovered after manual code reviews that focused on logic flaws in components responsible for authentication and policy enforcement rather than memory corruption issues typically detected by automated tools.<\/p>\n<p>Findings from the research \u2014 which led to the discovery of a combined total of 14 vulnerabilities in the two secrets vaults \u2014 were revealed at Black Hat USA in August 2025.<\/p>\n<p>The most severe vulnerability in HashiCorp Vault (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-6000\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-6000<\/a>) created a mechanism for attackers to delete a critical file containing the keys needed to decrypt stored secrets, leaving data unreachable.<\/p>\n<p>All the vulnerabilities were addressed before the research was publicly disclosed.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Linux GRUB2 Secure Boot hole<\/h2>\n<p><em>Age: <\/em><strong>10 years<br \/><\/strong><em>Date introduced: <\/em><strong>2010<br \/><\/strong><em>Date fixed: <\/em><strong>July 2020<\/strong><\/p>\n<p>When UEFI was introduced to replace BIOS, it was <a href=\"https:\/\/www.csoonline.com\/article\/548540\/ultimate-pc-security-requires-uefi-and-windows-8-or-linux.html\">deemed the cutting edge of security<\/a>, with features to fight attacks that operated on the level of the bootloading software that starts up an OS. Key to this is an interlocked chain of signed cryptographic certificates that verifies each bootloader program as legit, a mechanism known as Secure Boot. 
The root certificate for UEFI is signed by Microsoft, and Linux distributions put their own bootloaders, each with its own validated certificate, further down the chain.<\/p>\n<p>But GRUB2, a widely popular Linux bootloader with a UEFI-ready certificate, <a href=\"https:\/\/www.csoonline.com\/article\/569663\/linux-grub2-bootloader-flaw-breaks-secure-boot-on-most-computers-and-servers.html\">contains a buffer overflow vulnerability<\/a> that can be exploited by malicious code inserted into its configuration file. (While GRUB2 itself is signed, its configuration file, meant to be editable by local admins, is not.) This hole was <a href=\"https:\/\/eclypsium.com\/2020\/07\/29\/theres-a-hole-in-the-boot\/\" target=\"_blank\" rel=\"noreferrer noopener\">spotted by Eclypsium<\/a>, and while an attacker would need to have a degree of local control of the target machine to implement this attack, if they pulled it off successfully, they could ensure that they remain in control of that computer going forward each time it boots up, making it difficult to evict them from the system.<\/p>\n<h2 class=\"wp-block-heading\" id=\"telnet\">Telnet<\/h2>\n<p><em>Age:<\/em> <strong>10 years, 8 months<\/strong><\/p>\n<p><em>Date introduced:<\/em> <strong>May 2017<\/strong><\/p>\n<p><em>Date fixed:<\/em> <strong>Jan 2026<\/strong><\/p>\n<p>Telnet is an early internet protocol and associated tools used for remotely logging into another machine via a text-based terminal session. 
Although superseded by the more secure and encrypted SSH technology since the mid-1990s, Telnet is still widely used by embedded systems, network hardware, and other legacy systems.<\/p>\n<p>An <a href=\"https:\/\/www.csoonline.com\/article\/4120997\/trivial-telnet-authentication-bypass-exposes-devices-to-complete-takeover.html\">easily exploited Telnet authentication bypass vulnerability<\/a> (CVE-2026-24061), introduced in code changes released in May 2017, left devices running pre-patched versions of the software wide open to remote compromise, provided that their Telnet server was exposed to the internet.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n<p><a id=\"_msocom_1\"><\/a><\/p>\n<p>\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/570815\/10-old-software-bugs-that-took-way-too-long-to-squash.html#_msoanchor_1\">[1]<\/a> HashiCorp Vault was first released in 2015, with CyberArk Conjur becoming available in 2016. I\u2019m assuming that at least some of these vulnerabilities date back to the first release of each technology.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In 2021, a vulnerability was revealed in a system that lay at the foundation of modern computing. An attacker could force the system to execute arbitrary code. Shockingly, the vulnerable code was almost 54 years old \u2014 and there was no patch available, and no expectation that one would be forthcoming. 
Fortunately, that\u2019s because the system in question was Marvin Minsky\u2019s 1967 implementation of a&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15900\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15900","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15900","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15900"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15900\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15900"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15900"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15900"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}