Many software bugs are merely annoying or inconvenient, but some can have extremely serious consequences—either financially or as a threat to human well-being.[1] The following is a list of software bugs with significant consequences.

Administration

  • The software of the A2LL system for handling unemployment and social services in Germany presented several errors with large-scale consequences, such as sending the payments to invalid account numbers in 2004.[citation needed]

Blockchain

  • The DAO bug. On June 17, 2016, the DAO was subjected to an attack exploiting a combination of vulnerabilities, including the one concerning recursive calls, that resulted in the transfer of 3.6 million Ether – around a third of the 11.5 million Ether that had been committed to The DAO – valued at the time at around $50M.[2][3]

Electric power transmission


Encryption

  • In order to fix a warning issued by Valgrind, a maintainer of Debian patched OpenSSL and broke the random number generator in the process. The patch was uploaded in September 2006 and made its way into the official release; it was not reported until April 2008. Every key generated with the broken version is compromised (as the "random" numbers were made easily predictable), as is all data encrypted with it, threatening many applications that rely on encryption such as S/MIME, Tor, SSL or TLS protected connections and SSH.[5]
  • Heartbleed, an OpenSSL vulnerability introduced in 2012 and disclosed in April 2014, removed confidentiality from affected services, causing among other things the shutdown of the Canada Revenue Agency's public access to the online filing portion of its website[6] following the theft of social insurance numbers.[7]
  • The Apple "goto fail" bug was a duplicated line of code which caused a public key certificate check to pass a test incorrectly.
  • The GnuTLS "goto fail" bug was similar to the Apple bug and found about two weeks later. The GnuTLS bug also allowed attackers to bypass SSL/TLS security.[8]

Finance

  • The Vancouver Stock Exchange index had large errors due to repeated rounding. In January 1982 the index was initialized at 1000 and subsequently updated and truncated to three decimal places on each trade. This was done about 3000 times a day. The accumulated truncations led to an erroneous loss of around 25 points per month. Over the weekend of November 25–28, 1983, the error was corrected, raising the value of the index from its Friday closing figure of 524.811 to 1098.892.[9][10]
  • Knight Capital Group lost $440 million in 45 minutes due to the improper deployment of software on servers and the re-use of a critical software flag that caused old unused software code to execute during trading.[11]
  • In the British Post Office scandal, between 2000 and 2015, 736 subpostmasters were prosecuted by the UK Post Office, with many falsely convicted and sent to prison. The subpostmasters were blamed for financial shortfalls which were actually caused by software defects in the Post Office's Horizon accounting software.[12]

Media

  • In the Sony BMG copy protection rootkit scandal (October 2005), Sony BMG produced a Van Zant music CD that employed a copy protection scheme that covertly installed a rootkit on any Windows PC that was used to play it. Their intent was to hide the copy protection mechanism to make it harder to circumvent. Unfortunately, the rootkit inadvertently opened a security hole resulting in a wave of successful trojan horse attacks on the computers of those who had innocently played the CD.[13] Sony's subsequent efforts to provide a utility to fix the problem actually exacerbated it.[14]

Medical

  • A bug in the code controlling the Therac-25 radiation therapy machine was directly responsible for at least five patient deaths in the 1980s when it administered excessive quantities of beta radiation.[15][16][17]
  • Radiation therapy planning software RTP/2 created by Multidata Systems International could incorrectly double the dosage of radiation depending on how the technician entered data into the machine. At least eight patients died, while another 20 received overdoses likely to cause significant health problems (November 2000).[18]
  • A Medtronic heart device was found vulnerable to remote attacks (2008-03).[19]
  • The Becton Dickinson Alaris Gateway Workstation allows unauthorized arbitrary remote execution (2019).[20][21]
  • The CareFusion Alaris pump module (8100) will not properly delay an Infusion when the "Delay Until" option or "Multidose" feature is used (2015).[22]

Military


Space

  • NASA's 1965 Gemini 5 mission landed 80 miles (130 km) short of its intended splashdown point when the pilot compensated manually for an incorrect constant for the Earth's rotation rate. A 360-degree rotation corresponding to the Earth's rotation relative to the fixed stars was used instead of the 360.98-degree rotation in a 24-hour solar day. The shorter length of the first three missions and a computer failure on Gemini 4 prevented the bug from being detected earlier.[29]
  • The Russian Space Research Institute's Phobos 1 (Phobos program) deactivated its attitude thrusters and could no longer properly orient its solar arrays or communicate with Earth, eventually depleting its batteries. (September 10, 1988).[30]
  • The European Space Agency's Ariane flight V88 was destroyed 40 seconds after takeoff (June 4, 1996). The first flight of the Ariane V rocket self-destructed due to an overflow occurring during a floating-point to integer conversion in the on-board guidance software. The same software had been used successfully in the Ariane IV program, but the Ariane V produced larger values for some variable, causing the overflow.[31][32]
  • In 1997, the Mars Pathfinder mission was jeopardised by a bug in concurrent software shortly after the rover landed, which was found in preflight testing but given a low priority as it only occurred in certain unanticipated heavy-load conditions.[33] The problem, which was identified and corrected from Earth, was due to computer resets caused by priority inversion.[34]
  • In 2000, a Zenit 3SL launch failed due to faulty ground software not closing a valve in the rocket's second stage pneumatic system.[35]
  • The European Space Agency's CryoSat-1 satellite was lost in a launch failure in 2005 due to a missing shutdown command in the flight control system of its Rokot carrier rocket.[36]
  • NASA Mars Polar Lander was destroyed because its flight software mistook vibrations caused by the deployment of the stowed legs for evidence that the vehicle had landed and shut off the engines 40 meters from the Martian surface (December 3, 1999).[37]
  • Its sister spacecraft Mars Climate Orbiter was also destroyed, due to software on the ground generating commands based on parameters in pound-force (lbf) rather than newtons (N).
  • A mis-sent command from Earth caused the software of the NASA Mars Global Surveyor to incorrectly assume that a motor had failed, causing it to point one of its batteries at the sun. This caused the battery to overheat (November 2, 2006).[38][39]
  • NASA's Spirit rover became unresponsive on January 21, 2004, a few weeks after landing on Mars. Engineers found that too many files had accumulated in the rover's flash memory. It was restored to working condition after deleting unnecessary files.[40]
  • Japan's Hitomi astronomical satellite was destroyed on March 26, 2016, when a thruster fired in the wrong direction, causing the spacecraft to spin faster instead of stabilize.[41]
  • The ESA/Roscosmos Schiaparelli Mars lander impacted the surface of Mars. An unanticipated spin during descent briefly saturated the IMU; the software then misinterpreted the data as showing the lander was underground, so it prematurely ejected the parachute and shut down the engines, resulting in a crash.[42]
  • Israel's first attempt to land an uncrewed spacecraft on the Moon with the Beresheet was rendered unsuccessful on April 11, 2019, due to a software bug with its engine system, which prevented it from slowing down during its final descent on the Moon's surface. Engineers attempted to correct this bug by remotely rebooting the engine, but by the time they regained control of it, Beresheet could not slow down in time to avert a hard, crash landing that disintegrated it.[43]

Telecommunications

  • AT&T long-distance network crash (January 15, 1990), in which the failure of one switching system would cause a message to be sent to nearby switching units to tell them that there was a problem. Unfortunately, the arrival of that message would cause those other systems to fail too – resulting in a cascading failure that rapidly spread across the entire AT&T long-distance network.[44][45]
  • In January 2009, Google's search engine erroneously notified users that every web site worldwide was potentially malicious, including its own.[46]
  • In May 2015, iPhone users discovered a bug where sending a certain sequence of characters and Unicode symbols as a text to another iPhone user would crash the receiving iPhone's SpringBoard interface,[47] and may also crash the entire phone, induce a factory reset, or disrupt the device's connectivity to a significant degree,[48] preventing it from functioning normally. The bug persisted for weeks, gained substantial notoriety and saw a number of individuals using the bug to play pranks on other iOS users,[citation needed] before Apple eventually patched it on June 30, 2015, with iOS 8.4.

Tracking years

  • The year 2000 problem spawned fears of worldwide economic collapse and an industry of consultants providing last-minute fixes.[49]
  • A similar problem will occur in 2038 (the year 2038 problem), as many Unix-like systems calculate the time in seconds since 1 January 1970, and store this number as a 32-bit signed integer, for which the maximum possible value is 2^31 − 1 (2,147,483,647) seconds.[50] 2,147,483,647 seconds equals 68 years, and 2038 is 68 years forward from 1970.
  • An error in the payment terminal code for Bank of Queensland rendered many devices inoperable for up to a week. The problem was determined to be an incorrect hexadecimal number conversion routine. When the device was to tick over to 2010, it skipped six years to 2016, causing terminals to decline customers' cards as expired.[51]

Transportation


Video gaming

  • Eve Online's deployment of the Trinity patch erased the boot.ini file from several thousand users' computers, rendering them unable to boot. This was due to the usage of a legacy system within the game that was also named boot.ini. As such, the deletion had targeted the wrong directory instead of the /eve directory.[58]
  • The Corrupted Blood incident was a software bug in World of Warcraft that caused a deadly, debuff-inducing virtual disease that could only be contracted during a particular raid to be set free into the rest of the game world, leading to numerous, repeated deaths of many player characters. This caused players to avoid crowded places in-game, just like in a "real world" epidemic, and the bug became the center of some academic research on the spread of infectious diseases.[59]
  • On June 6, 2006, the online game RuneScape suffered from a bug that enabled certain player characters to kill and loot other characters, who were unable to fight back against the affected characters because the game still thought they were in player-versus-player mode even after they were kicked out of a combat ring from the house of a player who was suffering from lag while celebrating an in-game accomplishment. Players who were killed by the glitched characters lost many items, and the bug was so devastating that the players who were abusing it were soon tracked down, caught and banned permanently from the game, but not before they had laid waste to the region of Falador, thus christening the bug "Falador Massacre".[60]
  • In the 256th level of Pac-Man, a bug results in a kill screen. The maximum number of fruit available is seven and when that number rolls over, it causes the entire right side of the screen to become a jumbled mess of symbols while the left side remains normal.[61]
  • Upon initial release, the ZX Spectrum game Jet Set Willy was impossible to complete because of a severe bug that corrupted the game data, causing enemies and the player character to be killed in certain rooms of the large mansion where the entire game takes place.[62] The bug, known as "The Attic Bug", would occur when the player entered the mansion's attic, which would then cause an arrow to travel offscreen, overwriting the contents of memory and altering crucial variables and behavior in an undesirable way. The game's developers initially excused this bug by claiming that the affected rooms were death traps, but ultimately owned up to it and issued instructions to players on how to fix the game itself.[63]
  • One of the free demo discs issued to PlayStation Underground subscribers in the United States contained a serious bug, particularly in the demo for Viewtiful Joe 2, that would not only crash the PlayStation 2, but would also unformat any memory cards that were plugged into that console, erasing any and all saved data on them.[64] The bug was so severe that Sony had to apologize for it and send out free copies of other PS2 games to affected players as consolation.[65]
  • Due to a severe programming error, much of the Nintendo DS game Bubble Bobble Revolution is unplayable because a mandatory boss fight failed to trigger in the 30th level.[66]
  • An update for the Xbox 360 version of Guitar Hero II, which was intended to fix some issues with the whammy bar on that game's guitar controllers, came with a bug that caused some consoles to freeze, or even stop working altogether, producing the infamous "red ring of death".[67]
  • Valve's Steam client for Linux could accidentally delete all the user's files in every directory on the computer. This happened to users that had moved Steam's installation directory.[68] The bug is the result of unsafe shell script programming:
    STEAMROOT="$(cd "${0%/*}" && echo $PWD)"
    
    # Scary!
    rm -rf "$STEAMROOT/"*
    
    The first line tries to find the script's containing directory. This could fail, for example, if the directory was moved while the script was running, invalidating the "selfpath" variable $0. It would also fail if $0 contained no slash character, or contained a broken symlink, perhaps mistyped by the user. Because of the && conditional, and because set -e was not in effect to cause termination on failure, the failure produced the empty string. This failure mode was not checked, only commented as "Scary!". Finally, in the deletion command, the slash character takes on a very different meaning from its role as path concatenation operator when the string before it is empty: it then names the root directory.
  • Minus World is an infamous glitch level from the 1985 game Super Mario Bros., accessed by using a bug to clip through walls in level 1–2 to reach its "warp zone", which leads to the said level.[69] As this level is endless, triggering the bug that takes the player there will make the game impossible to continue until the player resets the game or runs out of lives.
  • "MissingNo." is a glitch Pokémon species present in Pokémon Red and Blue, which can be encountered by performing a particular sequence of seemingly unrelated actions. Capturing this Pokémon may corrupt the game's data, according to Nintendo[70][71][72] and some of the players who successfully attempted this glitch. This is one of the most famous bugs in video game history, and continues to be well-known.[73]
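
The Steam entry above describes an unchecked empty $STEAMROOT turning rm -rf "$STEAMROOT/"* into a deletion rooted at /. The following sketch of a checked version is an added example, not Valve's code; resolve_root, safe_clean and the .install-marker file are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example (not Steam's code): resolve the script directory and refuse
# to delete anything unless the target has been validated.

# Print the absolute directory containing the path in $1; non-zero on failure.
resolve_root() {
    case "$1" in
        */*) dir=${1%/*} ;;   # strip the last path component
        *)   dir=. ;;         # no slash: ${0%/*} would leave the file name itself
    esac
    [ -n "$dir" ] || dir=/    # "/script" strips to "", which means the root
    # Subshell keeps the caller's cwd; CDPATH= stops cd from printing a path.
    # A failed cd gives a non-zero status that the caller must check.
    (CDPATH= cd -- "$dir" 2>/dev/null && pwd -P)
}

# Delete the contents of directory $1. Returns 1 (and deletes nothing) when
# the target is empty, unresolvable, the filesystem root, or lacks the marker.
safe_clean() {
    # Check emptiness first: cd "" can succeed and resolve to the current dir.
    [ -n "$1" ] || { echo "refusing: empty path" >&2; return 1; }
    root=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || {
        echo "refusing: cannot resolve $1" >&2; return 1; }
    # A path made only of slashes is the root directory.
    case "$root" in
        *[!/]*) ;;
        *) echo "refusing: target is the root directory" >&2; return 1 ;;
    esac
    # Hypothetical marker file: only clean directories the installer created.
    [ -f "$root/.install-marker" ] || {
        echo "refusing: $root has no .install-marker" >&2; return 1; }
    # ${root:?} aborts the expansion if root is ever empty at this point.
    rm -rf -- "${root:?}"/*
}

# Constructed demo of the failure case from the text: the directory is gone,
# so resolution fails and the deletion step is never reached.
if ! demo_root=$(resolve_root "/nonexistent-dir-example/steam.sh"); then
    echo "could not resolve script directory; nothing deleted" >&2
fi
```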

References

  1. ^ "Why Software fails". IEEE Spectrum: Technology, Engineering, and Science News. 2 September 2005. Retrieved 2021-03-20.
  2. ^ Popper, Nathaniel (17 June 2016). "Hacker May Have Taken $50 Million From Cybercurrency Project". The New York Times. Archived from the original on 20 June 2017. Retrieved 3 March 2017.
  3. ^ Price, Rob (17 June 2016). "Digital currency Ethereum is cratering amid claims of a $50 million hack". Business Insider. Archived from the original on 11 June 2017. Retrieved 17 June 2016.
  4. ^ "Software Bug Contributed to Blackout". Archived from the original on 2004-03-13. Retrieved 2008-01-07.
  5. ^ "DSA-1571-1 openssl -- predictable random number generator". Retrieved 2008-04-16.
  6. ^ "Heartbleed bug may shut Revenue Canada website until weekend". CBC News. 2014-04-09.
  7. ^ "Heartbleed bug: 900 SINs stolen from Revenue Canada - Business - CBC News". CBC News. Retrieved 2014-04-14.
  8. ^ Goodin, Dan (March 4, 2014). "Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping". Ars Technica. Retrieved September 7, 2020.
  9. ^ Quinn, Kevin (November 8, 1983). "Ever Had Problems Rounding Off Figures? This Stock Exchange Has". The Wall Street Journal. p. 37.
  10. ^ Wayne, Lilley (November 29, 1983). "Vancouver stock index has right number at last". The Toronto Star.
  11. ^ Popper, Nathaniel (2 August 2012). "Knight Capital Says Trading Glitch Cost It $440 Million". New York Times.
  12. ^ Flinders, Karl (3 March 2022). "Post Office warned of software flaw in 2006, but failed to alert subpostmaster network". Computer Weekly.
  13. ^ Borland, John (11 November 2005). "FAQ: Sony's 'rootkit' CDs - CNET News". news.com. Archived from the original on 5 December 2008.
  14. ^ Russinovich, Mark (4 Nov 2005). "Mark's Blog : More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home". blogs.technet.com. Archived from the original on 3 January 2007.
  15. ^ "The Therac-25 Accidents (PDF), by Nancy Leveson" (PDF). Retrieved 2008-01-07.
  16. ^ "An Investigation of the Therac-25 Accidents (IEEE Computer)". Retrieved 2008-01-07.
  17. ^ "Computerized Radiation Therapy (PDF) reported by TROY GALLAGHER" (PDF). Retrieved 2011-12-12.
  18. ^ Garfinkel, Simson (November 8, 2005). "History's Worst Software Bugs". Wired. Retrieved September 6, 2020.
  19. ^ Feder, Barnaby J. (2008-03-12). "A Heart Device Is Found Vulnerable to Hacker Attacks". The New York Times. Retrieved 2008-09-28.
  20. ^ "ICS Advisory (ICSMA-19-164-01)" (Press release). Cybersecurity and Infrastructure Security Agency. 2019-06-13. Retrieved 2019-11-15.
  21. ^ Newman, Lily Hay (2019-10-01). "Decades-Old Code Is Putting Millions of Critical Devices at Risk". Wired. Retrieved 2019-11-15.
  22. ^ "Urgent: Medical Device Recall Notification, AFFECTED DEVICE: Alaris® Pump module (Model 8100) "Delay Until" Option and "Multidose" Feature" (PDF) (Press release). CareFusion. 2014-04-23. Archived from the original (PDF) on 2015-06-12. Retrieved 2019-11-15.
  23. ^ "Patriot missile defense, Software problem led to system failure at Dharhan, Saudi Arabia; GAO report IMTEC 92-26". US Government Accounting Office.
  24. ^ Skeel, Robert. "Roundoff Error and the Patriot Missile". SIAM News, volume 25, nr 4. Archived from the original on 2008-08-01. Retrieved 2008-09-30.
  25. ^ Rogerson, Simon (April 2002). "The Chinook Helicopter Disaster". IMIS Journal. 12 (2). Archived from the original on 2012-07-17.
  26. ^ "Software glitches leave Navy Smart Ship dead in the water". gcn.com. 13 Jul 1998. Archived from the original on 8 February 2006.
  27. ^ "F/A-22 Program History". f-22raptor.com. Archived from the original on 25 August 2009.
  28. ^ "Lockheed's F-22 Raptor Gets Zapped by International Date Line". DailyTech. 26 Feb 2007. Archived from the original on 16 March 2007.
  29. ^ "Gemini 5". On The Shoulders of Titans: A History of Project Gemini. Archived from the original on 2019-07-14. Retrieved 2019-08-20.
  30. ^ Sagdeev, R. Z.; Zakharov, A. V. (1989). "Brief history of the Phobos mission". Nature. 341 (6243): 581–585. Bibcode:1989Natur.341..581S. doi:10.1038/341581a0. S2CID 41464654.
  31. ^ Dowson, M. (March 1997). "The Ariane 5 Software Failure". Software Engineering Notes. 22 (2): 84. doi:10.1145/251880.251992. S2CID 43439273.
  32. ^ Jézéquel JM, Meyer B (January 1997). "Design by Contract: The Lessons of Ariane" (PDF). IEEE Computer. 30 (1): 129–130. doi:10.1109/2.562936.
  33. ^ Heaven, Douglas (2013). "Parallel sparking: Many chips make light work". New Scientist. 219 (2930). Elsevier BV: 42–45. doi:10.1016/s0262-4079(13)62046-1. ISSN 0262-4079.
  34. ^ Reeves, Glenn E (15 Dec 1997). "What really happened on Mars? -- Authoritative Account". research.microsoft.com. Archived from the original on 30 December 2016.
  35. ^ "Spaceflight Now | Breaking News | Sea Launch malfunction blamed on software glitch". spaceflightnow.com. Retrieved January 2, 2022.
  36. ^ "CryoSat Mission lost due to launch failure". European Space Agency. 8 October 2005. Retrieved 19 July 2010.
  37. ^ "Mars Polar Lander". Archived from the original on 2012-09-27. Retrieved 2008-01-07.
  38. ^ "Report Reveals Likely Causes of Mars Spacecraft Loss". Archived from the original on 2007-11-09. Retrieved 2008-01-07.
  39. ^ "Faulty Software May Have Doomed Mars Orbiter". Space.com. Archived from the original on July 24, 2008. Retrieved January 11, 2007.
  40. ^ "Out of memory problem caused Mars rover's glitch". computerworld.com. February 3, 2004.
  41. ^ Witze, Alexandra (2016). "Software error doomed Japanese Hitomi spacecraft". Nature. 533 (7601): 18–19. Bibcode:2016Natur.533...18W. doi:10.1038/nature.2016.19835. PMID 27147012. S2CID 4451754.
  42. ^ Tolker-Nielsen, Toni, ed. (18 May 2017). ExoMars 2016 – Schiaparelli Anomaly Inquiry (Report). European Space Agency. pp. 18–19. DG-I/2017/546/TTN.
  43. ^ Weitering, Hanneke (12 April 2019). "Israeli Moon Lander Suffered Engine Glitch Before Crash". Space.com. Retrieved 29 May 2019.
  44. ^ Sterling, Bruce (1993). The Hacker Crackdown: Law and Disorder on the Electronic Frontier. Spectra Books. ISBN 0-553-56370-X.
  45. ^ "The Crash of the AT&T Network in 1990". Retrieved 2024-02-26.
  46. ^ Metz, Cade (January 31, 2009). "Google mistakes entire web for malware". The Register. Retrieved December 20, 2010.
  47. ^ "Bug in iOS Unicode handling crashes iPhones with a simple text". Apple Insider. 26 May 2015. Retrieved 29 May 2015.
  48. ^ Clover, Juli (26 May 2015). "New iOS Bug Crashing iPhones Simply by Receiving a Text Message". MacRumors. Retrieved 29 May 2015.
  49. ^ "Looking at the Y2K bug, portal on CNN.com". Archived from the original on 2007-12-27. Retrieved 2008-01-07.
  50. ^ "The year 2038 bug". Retrieved 2008-01-12.
  51. ^ Stafford, Patrick. "Businesses hit by Bank of Queensland EFTPOS bug". Archived from the original on 7 April 2014. Retrieved 1 April 2014.
  52. ^ Dunn, Michael (28 Oct 2013). "Toyota's killer firmware: Bad design and its consequences". EDN.
  53. ^ "To keep a Boeing Dreamliner flying, reboot once every 248 days". Engadget. 1 Apr 2015.
  54. ^ Corfield, Gareth (25 Jul 2019). "Airbus A350 software bug forces airlines to turn planes off and on every 149 hours". The Register. Retrieved 2021-02-04.
  55. ^ Roy, Eleanor Ainge (21 February 2019). "Auckland threatens to eject Lime scooters after wheels lock at high speed". The Guardian. Retrieved 2019-02-20.
  56. ^ Corfield, Gareth (8 Jan 2020). "Blackout Bug: Boeing 737 cockpit screens go blank if pilots land on specific runways". The Register. Retrieved 2021-02-04.
  57. ^ Corfield, Gareth (29 May 2020). "Software bug in Bombardier airliner made planes turn the wrong way". The Register. Retrieved 2021-02-04.
  58. ^ "About the boot.ini issue (Dev Blog)". 11 December 2007. Retrieved 2014-09-30.
  59. ^ Balicer, Ran (2005-10-05). "Modeling Infectious Diseases Dissemination Through Online Role-Playing Games". Epidemiology. 18 (2): 260–261. doi:10.1097/01.ede.0000254692.80550.60. PMID 17301707. S2CID 20959479.
  60. ^ Bishop, Sam (8 June 2016). "Runescape marks the anniversary of the Falador Massacre". GameFactor. Retrieved 9 August 2018.
  61. ^ "Pac Man'S Split Screen Level Analyzed And Fixed". Donhodges.Com. Retrieved 2012-09-19.
  62. ^ Langshaw, Mark (30 September 2010). "Retro Corner: 'Jet Set Willy' (Spectrum)". Digital Spy. Retrieved 30 May 2018.
  63. ^ "Jet Set Willy Solved!". Personal Computer Games (8): 21. July 1984. Retrieved 2014-04-19.
  64. ^ Krotoski, Aleks (2004-11-30). "Viewtiful Joe 2 demo deletes memory cards". The Guardian. Retrieved 2009-11-10.
  65. ^ Bramwell, AleksTom (2004-12-07). "Sony to replace defective demo discs with games". Eurogamer. Retrieved 2009-11-10.
  66. ^ "Bubble Bobble Revolution DS production issues confirmed *UPDATE*". GoNintendo. 14 Oct 2006.
  67. ^ Bramwell, Tom (2007-04-16). "RedOctane admits to Guitar Hero II patch problem". Eurogamer. Retrieved 2016-12-02.
  68. ^ Paul, Ian (17 Jan 2015). "Scary Steam for Linux bug erases all the personal files on your PC". PCWorld.
  69. ^ Gach, Ethan (14 November 2016). "The NES Classic Carries Over Classic Glitches". Kotaku Australia. Archived from the original on November 15, 2016. Retrieved 8 March 2017.
  70. ^ Nintendo. "Customer Service — Specific GamePak Troubleshooting". Archived from the original on January 27, 2008. Retrieved June 7, 2009.
  71. ^ "Pokechat". Nintendo Power. Vol. 120. May 1999. p. 101.
  72. ^ Loe, Casey (1999). Pokémon Perfect Guide Includes Red-Yellow-Blue. Versus Books. p. 125. ISBN 1-930206-15-1.
  73. ^ "Gaming's Top 10 Easter Eggs". IGN. IGN Entertainment. April 9, 2009. p. 2. Archived from the original on June 5, 2010. Retrieved June 7, 2009.