No Fix for Critical Windows 98, Me Flaw

[ronjor]

Quote:

Microsoft has encountered a critical vulnerability in Windows 98, 98 SE and Windows Me that it simply cannot fix, the company acknowledged Friday. The flaw affects Windows Explorer and after investigating the issue, Microsoft said it would need to reengineer a significant amount of the operating system

Story

[Carver]

I had windows 98SE on my old computer. 2 years ago I read M$ are planing to phase out support for windows 98/98SE, so I bought a licensed copy of Windows XP w/SP2 and also put in a new HD. I am lucky I can afford this, many people can't for different reasons. For people who just can't afford it (third world countrys) there is Windows XP starter edition.

[ronjor]

The way things are going, open source may be the only hope for many.

[Lamehand]

Quote:

"It's surprising how many consumers or businesses still use these older versions, particularly Windows 98. Their continued use partly accounts for an extension of support for about an additional 18 months--from January 2004 to July 2006," Jupiter Research senior analyst Joe Wilcox told BetaNews.

I am surprised that he is surprised, if you see the money that is involved to upgrade to a newer version. Specially if you have more than one computer to maintain at home.

Lamehand

They sure try to make it sound like impending doom for 98 users.
From the article:

Quote:

"We do strongly recommend that customers still using Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) protect those systems by placing them behind a perimeter firewall which filters traffic on TCP Port 139 which will block attacks attempting to exploit this vulnerability.

Any decent security suite should accomplish this. Then again, users could always close this port manually.
http://www.grc.com/su-bondage.htm
From Microsoft Security Bulletin MS06-015

Quote:

A remote code execution vulnerability exists in Windows Explorer because of the way that it handles COM objects. An attacker would need to convince a user to visit a Web site that could force a connection to a remote file server. This remote file server could then cause Windows Explorer to fail in a way that could allow code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

You may be compromised if:
1, you can be convinced to click on something you shouldn't,
and
2, Your not using a firewall,
and
3 You haven't closed these ports manually
I can't hardly call this a critical vulnerability to anyone who practices even semi-reasonable security. If the first 2 items describe any user and their PC, it won't matter what OS they're using. They're probably compromised horribly already and one more won't make a difference.
Rick

[Alphalutra1]

Quote:

Originally Posted by herbalist

If the first 2 items describe any user and their PC, it won't matter what OS they're using.

So my openbsd box that is exposed to the internet is in danger

Come on, many OS's don't need a firewall, and since there is no malware in the wild for many os's, then clicking on things isn't going to pose a problem.

Now, any version of windows your statement will apply to.

Cheers,

Alphalutra1

Quote:

Now, any version of windows your statement will apply to.

I was definitely referring to windows OS. Anyone running BSD is already very security minded.

[Lamehand]

It's just another 'make them scared' -tactic to drive the hurd into the direction of XP or even Vista.
It could backfire though, one could be driven into the direction of a linux-distro.


Lamehand

Quote:

It's just another 'make them scared' -tactic to drive the hurd into the direction of XP or even Vista.

Pretty much. Yes, the vulnerability is real but the user has to be nearly unsecured and then be deceived on top of that. They initially did the same thing with the .wmf exploit, saying they wouldn't patch 98 against it. Turned out it wasn't vulnerable in the first place, at least not in the form it was released, but a lot of XP users took a beating.
Rick

[Lamehand]

herbalist, i know you are a big fan of windows 98, but what are you gonna do when in the future a real vulnerability pops up in 98?, you know one of those things you can't fix in a easy way or with security applications.

Lamehand

It's not so much that I'm a fan of 98. I just badly dislike XP and everything I've read about Vista. I also like DOS and rely on it to secure windows.
If one turns up that I can't block out with a firewall, filter out with Proxomitron, keep from executing with SSM, isn't caused by my doing/clicking something stupid, and I can't find any other way to stop it, I'll probably switch to Linux or a BSD version. Then again, I could get stubborn about it, figure out exactly what files, registry entries, etc are being compromised and include it into the restore process that runs in DOS when I reboot. I'm hoping to get a multi-OS box put together in not too much longer. Still downloading BSD, got Ubuntu burned to CD. Once I get the boot setup figured out, I'll have new toys to learn and play with.
I'm still waiting to see such a vulnerability. It might happen, it might not. I'll deal with it one way or another.
Rick

[Lamehand]

I understand what you're saying, why not use it when it's not broken.
There are other things to consider aswell, i realised that after reading that Firefox 3.0
won't run on windows 98.
So when the applications used don't support 98 anymore it could get more difficult to maintain a secure level of some sort, with or without the presence of a critical flaw.

Lamehand