I originally posted this on the AVIEN blog site at http://avien.net/blog/?p=286, but in view of the increasing volume of "Y2.10k" date-related bug reports, I'll re-post it here with an updated list. (Thanks to Mikko Hypponen for posting a couple of links I hadn't seen.)

Windows Mobile/SMS bug (Welcome to 2016!):
http://www.theregister.co.uk/2010/01/05/windows_mobe_bug/

http://www.wmexperts.com/y2016-sms-bug

Bank Bugs:
http://www.theregister.co.uk/2010/01/04/bank_queensland/

http://www.msnbc.msn.com/id/34706092/ns/technology_and_science-security/?ocid=twitter

Symantec bug:
http://www.theregister.co.uk/2010/01/05/symantec_y2k10_bug/
http://www.symantec.com/connect/forums/official-status-sepm-definitions-stay-31-12-2009-last-updated-04-jan-2010

SpamAssassin FP bug:
http://www.spamresource.com/2010/01/spamassassin-2010-bug.html

SAP bug: "SAP have detected a problem in the spool area which affects all customers in the world regardless of the SAP release and any support package level."
http://www.basissap.com/2010/01/sap-spool-issue-affects-all-releases/
http://service.sap.com/sap/support/notes/1422843

It's not really that surprising that we're seeing more date-related bugs than at the start of the Millennium: this is a more-or-less accidental cluster of somewhat similar bugs, as far as I can see. It’s certainly not an industry-wide issue that was foreseen years in advance and therefore attracted serious proactive research and remediation.

In fact, if there’s a lesson here, it’s one for the people who dismiss the entire Y2K remediation issue as hype and wasted resources. Well, there was a great deal of hype around at that time (did anyone actually see a Y2K virus?), and a number of consultants made money out of advising IT people on the ground to do what they were already doing.

However, given the (short-term) impact of this handful of unanticipated (but fairly easily fixed) bugs, I think it’s reasonable to assume that if system administrators and support technicians all over the globe hadn’t done that proactive remediative work, the first weeks of the new millennium would have been a lot more dramatic.

Like Ross Anderson (http://www.cl.cam.ac.uk/~rja14/Papers/y2k.pdf), I doubt if the sky would have fallen if that work hadn't been done, but some of the consequent issues would have been harder and more expensive to fix reactively.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
