PDA

View Full Version : 98, 98SE, & ME Horrors



SurferJoe46
14-06-2006, 10:25 AM
Microsoft has encountered a critical vulnerability in Windows 98, 98 SE and Windows Me that it simply cannot fix, the company acknowledged Friday. The flaw affects Windows Explorer and after investigating the issue, Microsoft said it would need to reengineer a significant amount of the operating system.

Announced as part of June's security bulletins, a remote execution vulnerability exists in Windows Explorer because of the way that it handles COM objects. A malicious Web site could force a connection to a remote file server, which in turn causes Explorer to fail and potentially execute arbitrary code.
Microsoft says an attacker could take complete control of affected operating systems in this manner. Patches correcting the flaw were issued for Windows 2000, XP and Windows Server 2003, but the vulnerability remains unpatched on Windows 9x based systems.

The Redmond company says that because it would need to re-architecture Windows Explorer in those legacy systems to better match Windows 2000, a fix just isn't feasible. According to the updated bulletin, Microsoft could not ensure that applications written for Windows 9x would continue to operate as intended after the changes.

Moreover, Microsoft has little incentive to expend the resources necessary to patch the flaw. Support for Windows 98, 98 SE and Windows Me ends on July 11, which means no more security updates will be released and no technical or public support will be provided.

Microsoft will continue to offer Windows 98 and Me help topics through its Web site until at least July 11, 2007. However, without additional security updates, customers will be left unprotected from exploits taking advantage of the critical vulnerability, as well as any future problems.

Customers still running the older operating systems can take steps to protect themselves, Microsoft says.

"We do strongly recommend that customers still using Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) protect those systems by placing them behind a perimeter firewall which filters traffic on TCP Port 139 which will block attacks attempting to exploit this vulnerability."

The company is also taking the opportunity to urge customers to upgrade their machines to a newer version of Windows, such as Windows XP Service Pack 2. Support for Service Pack 1 will cease on October 10, notes Christopher Budd from Microsoft's Security Response Center.

But with the critical vulnerability remaining unpatched, Microsoft could be leaving millions of computers at risk to attack.

"It's surprising how many consumers or businesses still use these older versions, particularly Windows 98. Their continued use partly accounts for an extension of support for about an additional 18 months--from January 2004 to July 2006," Jupiter Research senior analyst Joe Wilcox told BetaNews.

"Our surveys show that, among consumer households, most older Windows versions run on second or third PCs, and I expect many to remain in use even after security support ends."

rossnixon
14-06-2006, 12:29 PM
Microsoft has encountered a critical vulnerability in Windows 98, 98 SE and Windows Me that it simply cannot fix, the company acknowledged Friday. The flaw affects Windows Explorer and after investigating the issue, Microsoft said it would need to reengineer a significant amount of the operating system."

Not a problem if you are using a good firewall that blocks TCP ports 139 and 445.
I'm not on my Win9x PC at the moment, so I can't check if the free Sygate Personal Firewall 5.5 has this capability. Maybe someone else can find out?

gibler
14-06-2006, 12:32 PM
I wonder if MS will ever add the solution: Firefox (http://www.mozilla.com/firefox/) :)

Terry Porritt
14-06-2006, 01:53 PM
Just checked on Windows Update and there were 5 critical updates for Win98SE for my machine.

SurferJoe46
14-06-2006, 07:50 PM
Just checked on Windows Update and there were 5 critical updates for Win98SE for my machine.

It ain't July 11th yet

Terry Porritt
14-06-2006, 09:12 PM
It ain't July 11th yet

That's right :). Just mentioning there are some current updates available this week to download for win98.

SurferJoe46
15-06-2006, 02:53 AM
Tnx Terry;

Just wondering if it's possible to dnld the 98SE updates on another non-98 machine to burn and then load into a 98SE machine that is not on the internet.

I would like to get all the newest stuff until the cut off, just in case the little guy has to go online someday.

There must be some sort of work around to get them into an XP machine's file area just in case.

Terry Porritt
15-06-2006, 08:47 AM
Indeed there is, instead of using the windows update site get them from here:

http://www.microsoft.com/windows98/downloads/corporate.asp