June 9, 2006 1:03 PM PDT

No fix for 'critical' hole in Windows 98, ME

Microsoft will not fix a serious flaw in Windows 98 and Windows Millennium Edition because a patch could break other applications.

The security bug relates to Windows Explorer and could let an intruder commandeer a vulnerable PC, Microsoft warned in April. The software maker has made fixes available for Windows Server 2003, Windows XP and Windows 2000, but it has found that eliminating the vulnerability in Windows 98 and ME is "not feasible," it said.

"To do so would require re-engineering a significant amount of a critical core component of the operating system," Microsoft said in a Thursday update to its MS06-015 security bulletin. "After such a re-engineering effort, there would be no assurance that applications designed to run on these platforms would continue to operate."

Instead, Microsoft recommends that people who still use the older operating systems protect their PCs by using a network firewall that filters traffic on TCP Port 139. "Such a firewall will block attacks attempting to exploit this vulnerability from outside of the firewall," it said.

The software maker even had trouble with its fix for Windows XP. It had to revise the update and release it a second time because the patch caused problems for people who used Hewlett-Packard Share-to-Web software or older Nvidia graphics drivers.

Microsoft is phasing out support for the older operating systems. Windows 98 was released in June 1998, Second Edition followed a year later, and Millennium Edition came out in 2000. Microsoft has been providing fixes for only "critical" flaws the past couple of years and is ending support altogether next month, after its planned July 11 patch release. Windows XP with Service Pack 1 reaches its end of support on Oct. 10, 2006.

Not providing fixes leaves users vulnerable, but software can't be supported forever, said Michael Sutton, a director at security intelligence company iDefense, a part of VeriSign. "At some point, any vendor has to make a business decision to cease product support, and these products are now 7 to 8 years old," he said.

The older Windows versions have never been secure, said Russ Cooper, a senior scientist at Cybertrust, a security vendor in Herndon, Va. "The lack of a 'critical' patch does not weaken these OSes. Instead, it should merely put an end to their perception that they were secure before this fault came to light," he said.

And as far as blocking traffic on port 139 goes, it is a network port that has been abused in the past for attacks, said Don Leatham, director of solutions and strategy at PatchLink. "Most organizations will already have port 139 blocked," he said. "Although it is good that Microsoft is reiterating this, I don't see it being a huge impact."

The best way to secure PCs that run older versions of Windows is upgrading the operating system, Microsoft suggested.

"With the upcoming end (of) support for these products, we strongly recommend that those of you who are still running these older versions of Windows upgrade to a newer, more secure version, such as Windows XP SP2, as soon as possible," Christopher Budd, a staffer in Microsoft's security response center, wrote on the team's blog.

Yeah...so?
by thenet411 June 9, 2006 2:54 PM PDT
There are valid reasons for still running Windows 9x. If your app requires it and it runs fine, no problem as long as you're offline.

If you are on the Internet with Win9x, with or without a firewall, you deserve what you get.
Ploy to get people to upgrade
by bartszyszka June 9, 2006 8:51 PM PDT
This sounds like a ploy to force people to upgrade. Microsoft had been sitting on that Windows 98/Me code for years and they're the most powerful and wealthy software company in the world, yet they can't get people to fix their code? I find that a little hard to swallow...
Seeing it the other way around...
by Hernys June 9, 2006 8:58 PM PDT
Spending millions on fixing old, unsupported technology that few people use and no one should be using, only to convince them NOT to move on to newer and supportable technology, would really make business sense, wouldn't it?
There has to be a limit to support. You can't expect support for a product (any product) for ever. And eight years, five versions and a complete change in the scenery sounds to me like a darn good reason to say enough.
Yup..... of course it's a push to upgrade
by 1HistoryNut June 9, 2006 11:45 PM PDT
....but what about the millions that still have Win98 for various reasons... like cannot AFFORD to upgrade for whatever reason.... Besides that... as far as I am concerned MS OWES support to its customers having been so damned lacking as it is. PAY for help with THEIR product ??? And at those rates ???? No, MS should continue to work with ME and 98 for a few years yet at least. And they had trouble with XP as well concerning this "hole" ?? Well, what did they say awhile back, they were only gonna be servicing XP until like '07 ??? MS's eye has ALWAYS been on the corporations.. they could give a damn less about the general home user.
Just use linux
by Tanjore June 10, 2006 8:26 AM PDT
If you do not want to upgrade just use linux. Windows 98 is anyways junk.

Microsoft does not like people who do not want to upgrade.
Microsoft has also provided workaround
by Tanjore June 10, 2006 8:30 AM PDT
Microsoft has provided work around like installing a hardware firewall and these are cheap to buy.
I wonder . . .
by fakespam June 9, 2006 11:47 PM PDT
Lots of people I know (family, friends, random computer repair I
do, and businesses) in the Las Vegas area still use Celeron
computers with either 64 or 128 MB of RAM, and either Windows
98, 98 SE, ME or 2000.

Yes, I see XP, on my PCs at home, and in places like my bank,
but the pizza company ( http://lasvegas.citysearch.com/profile/35789320/?brand=smx_restaurant-nc )
I work for uses Windows 98 SE on two computers and Windows 95 something
on a laptop for payroll. My mom still uses Windows 95 on a
Tandy 2500 somehow for her business computer. Even the
libraries in the Las Vegas area have Windows 2000 PCs for
everything.

So, why not make a patch? With good programming, that lame-o
excuse M$ gave doesn't apply.

http://www.network54.com/Forum/7505/

Programmer #A-5 of www.totallyparanoia.com
Depends on how you are using OS
by Tanjore June 10, 2006 8:20 AM PDT
If the pizza company is using the machine and not connected to internet then they are fine - No need for a fix. But, if they are connecting to internet then they have a problem.

No company however rich will not fix because it is waste of their resources.

Companies are willing to lose the good will instead of supporting older versions.
name one
by roy cactus June 10, 2006 6:08 AM PDT
can anyone name a company that offers more than a one year limited warranty on any product?

kudos to MS for doing what they have for so long.
Adtran
by darklurker June 10, 2006 12:21 PM PDT
Adtran offers support on their WAN gear for as long as you own it (and can keep lightning from frying it). Free, I might add.

Most roofing shingles have at least a 15 year warranty.

Most decent flooring (laminate, engineered) has at least a 5 year warranty.

Craftsman hand tools (ratchets, wrenches, screwdrivers, etc) have a lifetime warranty. Your lifetime, not the tool's lifetime.

Nah, MS isn't doing anything THAT particularly wonderful, especially considering how much money they made off of Win9x (and how large the installed base was and still is).
plenty
by darklurker June 10, 2006 12:24 PM PDT
Craftsman hand tools (ratchets, wrenches, screwdrivers, etc) have a lifetime warranty. Your lifetime, not the tool's lifetime.

Adtran offers support on their WAN gear for as long as you own it (and can keep lightning from frying it). Free, I might add.

Most roofing shingles have at least a 15 year warranty.

Most decent flooring (laminate, engineered) has at least a 5 year warranty.

Nah, MS isn't doing anything THAT particularly wonderful, especially considering how much money they made off of Win9x (and how large the installed base was and still is).
re: name one
by karypm June 10, 2006 9:18 PM PDT
It isn't about warranties, it's about fixing newly
discovered defects. The automotive industry calls
them "recalls". Most OS companies put out patches
for new security problems. The last OpenVMS patch
wasn't that far back, Sun has Recomended_X kits
where X is for Solaris 8 and earlier.... If your
kid chokes on a 3 year old toy or your 8 year old
TV catches fire due to a defect you can bet the
manufacturer will recall it before the lawsuits
hit.
They are not delivering on their promise
by zaznet June 11, 2006 2:55 AM PDT
This is not the first "critical" level security threat to face the out of service versions of Windows. It also is not the first such threat to not be patched.

However when Microsoft announced it was ending support for the OSes it did so saying it would continue to patch "critical" level threats. The first such threat I saw was coded differently for the other OSes and that was their excuse for not offering the update. This time it is "it would be too much work to fix" type of excuse. Next time it will be "We are no longer patching that OS" and the end of the debate.

Microsoft is slowly shifting away from a stance they took to keep their products secure from serious threats. When they made the promise they had an image to keep, and right now that image has improved enough they can relax from it some. This has nothing to do with fixing problems and everything to do with marketing.
It's 2006 (Let 98 and Me rot to death)
by mcepat June 10, 2006 11:13 AM PDT
If you own a 486-pentium 200Mhz and run windows 98 or me, take the system and yourself and jump out a window
Windows MEstake
by SeizeCTRL June 12, 2006 8:54 AM PDT
WinME should have begun its rotting death the first week of its release. What a piece of crap OS that was.
No fix Critical Hole Win 98, Win98SE
by pixturesk June 11, 2006 11:50 AM PDT
I continue to use Win 98SE, perfect OS for my computing requirements. To protect myself against these critical holes etc., I use Norton Ghost to burn my "C" drive to a number of cd media. Then if I have to format my "C" drive, I just copy my complete Win 98SE installation back to my "C" drive, fully functional. I usually update with Norton Ghost every six months. As well I use AVG free, AdAware personal, Spyware Blaster and Crap Cleaner to continually maintain my computer's integrity.
Support For WinXP SP1 Goes In October
by john55440 June 11, 2006 1:47 PM PDT
Microsoft is dropping support for Windows XP SP1 on October 10, 2006.

I don't really blame them.
Just block the port from people you don't trust.
by crythias June 12, 2006 7:15 AM PDT
Get a grip, people. It's not like people who paid $100 (or even better: got it OEM installed!) for Windows 98 over 6 years ago should expect eternal upgrades for free for the price.

It's time. Change your OS or apply the *very* easy fix. Most people can spend $40 on a router or get a free firewall software to block this vector. If you aren't willing to take it into your own hands to prevent this issue, you get what you deserve and get off the Internet.
Windows XP with SP1 reaches its end of support on Oct. 10, 2006.
by Dave_Brown June 12, 2006 9:21 AM PDT
So let me get this straight, XP with SP1 support ends on Oct. 10/06. I would assume this also includes XP with no service pack (unless its support is being withdrawn prior to this). What about XP with SP2? I trust they will support that at least for a few more years. Not everyone is going to buy a new system in order to install Vista with all its useless bells and whistles when XP with SP2 works fine.

Personally, in regards to Win98, I had fun with it until a couple of years ago but after converting over to Win 2K who needs it? Win98 crashes way too often. BSOD anyone? XP (with SP2) and 2000 are much more stable.

Dave
Time for SP3?
by ddesy June 12, 2006 10:03 AM PDT
If support is being dropped for SP1, perhaps they are planning to have SP3 out within the next year?

There have been more than 40 critical updates since SP2, so I would say it's time.
No one has a legitimate win 98 disk
by baswwe June 12, 2006 1:14 PM PDT
Come on, that's the most pirated system around

can you do that with xp?
HA! I've got 2.
by normdaley July 11, 2006 10:39 AM PDT
Maybe I'll use them as coasters along with the AOL CDs that used to come in the mail.

I would love to upgrade, but I don't think my hardware meets the specs for XP. This poor little thing started out with Win 3.1 and has been upgraded to Win95 then Win98. I get a headache just thinking about how many junk OS files must be on that thing.

The optimist inside of me hopes MS will offer a deal to upgrade to XP from Win98. The realist in me just laughs.