It wasn’t a surprise that all free Microsoft support for Windows 98 (and Windows Me) was supposed to terminate on June 30 with the end of free security fixes, but instead of an orderly farewell party with a brief reprieve to July 11, it turned into a rout. Robert McMillan at PCWorld:
With support for its Windows 98 and Windows Millennium Edition operating systems about to expire, Microsoft has given up on the idea of patching a critical security vulnerability in the products, the company announced this week.
The flaw has to do with the way Windows Explorer handles the Component Object Model objects used by Windows programs. Attackers could take over a system by tricking users into visiting a Web site that would then connect them to a remote file server.
“This remote file server could then cause Windows Explorer to fail in a way that could allow code execution,” Microsoft said.
Microsoft had fixed the problem in the majority of its Windows products on April 11. At the time, it had promised to deliver a patch for Windows 98 and ME “as soon as possible.”
Microsoft’s Christopher Budd explains:
Specifically, after extensive investigation, we’ve found that it’s not feasible to make the extensive changes necessary to Windows Explorer on these older versions of Windows to eliminate the vulnerability.
This is because during the development of Windows 2000, we made significant enhancements to the underlying architecture of Windows Explorer. The Windows Explorer architecture on these older versions of Windows is much less robust than the more recent Windows architectures.
Due to these fundamental differences, these changes would require reengineering a significant amount of a critical core component of the operating system. After such a reengineering effort, there would be no assurance that applications designed to run on these platforms would continue to operate on the updated system.
We do strongly recommend that customers still using Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) protect those systems by placing them behind a perimeter firewall which filters traffic on TCP Port 139 which will block attacks attempting to exploit this vulnerability. This is discussed in the “Workarounds” section of the vulnerability.
The “Workarounds” section is in the official Microsoft Security Bulletin MS06-015.
Jupiter Research’s Joe Wilcox offers a sensible assessment:
I don’t think Microsoft’s decision not to patch is designed to force Windows XP upgrades, as I’ve been repeatedly asked. But I do find the situation highly ironic. Microsoft had extended support for both products from June 30 to July 11, so there would be one last security patch–July 11 is a Security Tuesday–for Windows 98 and Me. So, it’s ironic that the two operating systems will end of life with one remaining critical flaw patched on newer Windows versions.
How serious is the situation? … Our data shows plenty of consumers and businesses still using Windows 98 and Me.
But his net is that Windows 98’s day has passed.
The continuing problem of older Microsoft products that refuse to disappear has popped up for Windows 98 in Korea (via Bink.nu) – MS Ignores Plea for Window 98 Security Patches:
Microsoft, the world’s biggest software maker, looks to stop issuing security patches for the Windows 98 operating system starting next July, despite Korea’s requests to postpone the plan.
Microsoft Korea, the global giant’s affiliate here, Tuesday said the U.S.-based firm decided to go ahead with the original plan on the outdated operating system.
…
The decision outright raises the ire of Korean Windows 98 users and experts like the Korea Information Security Agency official Seung Jae-mo, who predicts an onslaught of hacking and virus attacks next year.
“Windows 98 is still widely used in Korea in government offices, medium-sized firms, households and schools. Some of them will be replaced by more advanced systems but some will be still based on Windows 98 next year,” Seung said.
Seung estimated about 10 percent of Korean PC users depend on Windows 98 and merely half of them would substitute the decade-old system with higher versions like Windows 2000 and XP.
…
In response, Microsoft Korea’s chief security advisor Cho Won-young said it is only Korea that is asking for the suspension of the patch-discontinuation plan in the world.
“We also estimate roughly 10 percent of PC operating systems would be Windows 98 here. But most of them do not download our security patches files for Windows 98,” Cho noted.
The scheduled end of free security fixes for Windows 98 is June 30, 2006 and soon we’ll get to see how many Windows 98 users there are and whether they care. Microsoft had previously tried to end support in 2004, but backed off. I really doubt that Korea is the only place where there will be complaints once the information becomes widely known. For reference, the AssetMatrix study from June pegged the percentage of business users of Windows 95 and 98 at 5%.