Remember the Y2K bug? Well another time-related bug could cause problems between April 1 and April 8 for applications and Web sites built with certain versions of Microsoft Corp.’s Visual C++. Richard Smith, chief technology officer with The Privacy Foundation, calls it the April Fools 2001 bug.
Smith discovered the bug in 1999, and Microsoft released a patch soon after. But while many computers were updated with a fix, applications also needed to be updated, and it is unclear how many applications with the bug are currently deployed.
“This bug will most likely be present in embedded computers that are dedicated to doing particular jobs,” Smith told the bugtraq mailing list Wednesday. “These systems typically don’t get software updates as often as desktop computers.”
Affected systems may include airport arrival and departure time monitors, building access control systems, scheduling systems for transportation and hotel wake-up systems. Web sites, too, could be vulnerable.
“IIS itself is probably written with VC++,” Smith said. “Ditto for many ActiveX controls which are used on ASP pages. ASP pages that use JavaScript could have the bug.” Smith said he was uncertain about VBScript.
The bug is a time/date problem caused by the code’s failure to calculate the change in time for daylight savings (the first Sunday of April) on years when it occurs on April 1. The bug corrects itself on April 8.
The bug causes applications that use CRT time functions to give times which are off by one hour — even though the Windows clock shows the correct time. When Microsoft first reported the bug, it said it believed the scope of the issue was limited.
To test applications, Microsoft suggested setting the system date to 2 April 2001 and making sure the times reported or stored by the applications agree with the system time.