[Thread split] Win98 anybody?

Discussion in 'other software & services' started by noone_particular, Jul 23, 2012.

Thread Status:
Not open for further replies.
  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: Is XP the most popular and successful OS of all time?

    That coincides with my observations as well. With operating systems that have more holes in them than a screen door, you can't patch your way to security. I've also concluded that the risk of running an older or unpatched system is deliberately exaggerated, again to push sales.

    What you describe with Win 7, I've been doing with XP-SP2 and 98SE. I've made no effort to identify or avoid potentially malicious sites. During my beta testing of SSM, I sought them out. Remember the .wmf exploits? Remember this from SANS?
    It got my attention when it singled out 98 so I decided to find out. I never could affect my 98 unit with it, even with all defenses shut down, but I did manage to capture and submit 2 brand new variants of the exploit that everything on VirusTotal missed.

    Remember this one? 0day: PDF pwns Windows. Easily defeated with any security app that gives the user control over parent-child permissions.

    I've lost count of the times stuff like this has come and gone, or how many times I've watched these "exploits" bounce off of my "insecure and obsolete systems". You mention wondering why you don't have more issues? Maybe it's because the threats are hyped way beyond the actual risk. They don't take any of the user's defenses into account, like reducing, hardening, and isolating the attack surface. There's all kinds of posts and comments about what attackers can do with this code, usually accompanied by "you're vulnerable without the latest and greatest". This code doesn't just teleport in and run itself, although they sure make it sound that way. IMO, they're assuming a big, unprotected attack surface that lets this code just pass through. If that's the kind of system someone runs, then they deserve what they get. I won't say those claims are impossible, but until I see something more than theoretical rhetoric, I'll stay with what I have. I enjoy running an OS that uses less than 2GB of disk space with all apps installed, flies on 1GB of RAM, runs everything I want, and repels everything I throw at it.
     
  2. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    854
    Re: Is XP the most popular and successful OS of all time?

    It is always a point when I'm reading descriptions of worms, exploits, or trojans, particularly from AV companies - they are often quite vague about the actual vector for infection.

    Interesting what you say about Win98. I would have assumed that most of the risks of using Win98 in this day and age would be from network/internet worms - something a router modem with a basic default deny firewall would be sufficient to block surely?
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: Is XP the most popular and successful OS of all time?

    There is some malware that still works against 98. I have a few samples that behave like rootkits on 98. Like the NT systems, a default-deny policy defeats them before they launch. As for internet worms and being infected by other PCs on a network, this is much less a problem on 98. With one configuration change, 98 has no open ports. It has no internet facing services to exploit. Compared to a modern NT system (XP or newer) almost none of the OS is exposed as an attack surface. Strip out Internet Explorer and 98's biggest vulnerability and the worst source of instability is gone. Add some of the unofficial upgrades that were built for 98 and it becomes a stable, reliable platform that runs much of the newer software. Mine runs a Tor exit node and can run Virtual PC.

    The issues facing XP and its users are much the same as what 98 users dealt with when its support ended, then was reinstated, then ended again. Some of us don't like NT systems, stayed with 98, and started working on it in order to see just what it could be made into, fixing and improving what MS wouldn't. The results have been nothing short of incredible. As popular as XP is, I wholly expect to see groups and individuals doing with XP what we've done with 98, continuing to develop it to its real potential.
     
  4. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    224
    Re: Is XP the most popular and successful OS of all time?

    Strip IE in 98, as in remove? If so could you share a link? Edit: I found this official method here http://support.microsoft.com/kb/217344

    I've tried autopatcher in the past on my 98 box. Do you use anything similar to this?
     
  5. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    854
    Re: Is XP the most popular and successful OS of all time?

    I used to install 98SE without IE using 98Lite, perhaps there's something along those lines available as well. I've still got a registered copy.
     
    Last edited: Jul 23, 2012
  6. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    854
    Re: Is XP the most popular and successful OS of all time?

    Shows how much I've forgotten about Windows 98 - I'd customised it more than I have any other OS I've had (particularly the UI), and by the time I was forced onto XP I just couldn't bring myself to spend so much on that. Now it's all a blur.

    Is this site along the lines of what you mean about continued unofficial support for Windows98? http://www.mdgx.com/upd98me.php
     
  7. Kirk Reynolds

    Kirk Reynolds Registered Member

    Joined:
    May 8, 2011
    Posts:
    224
    Re: Is XP the most popular and successful OS of all time?

    Well I was just curious. It's a spare pc that I play old games on, but I'm all for more stability. I was reading on another site that if you remove IE from 98 that DirectX doesn't install correctly. I don't know if that's a fact or not, but since in my case the machine is used primarily for old games and to tinker around with, it probably wouldn't be worth it anyway. I keep the network adapter disabled on it usually.
     
  8. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Re: Is XP the most popular and successful OS of all time?

    As do I... as do I. I like the turn that thread took. And I've been considering continuing to run XP after that EOL date. As long as it isn't broken, why should I have to fix it?

    With these patches, in the short description it'll say something like: "without this patch a user can remotely access, yadda yadda..." sounds terrible. But after looking at the fine print you realize the exploit is dependent upon a dozen other scenarios having to fall in line too. People like us likely could get away with continuing to run an unsupported OS indefinitely. But I wouldn't recommend it to others.

    We'll see... but at some point necessary software may no longer work on the OS in question. If I could no longer use a product I coveted, that would be the end of the line for me. And I'd be more worried about the software (namely browsers) no longer being patched than the OS itself. Then again with safe browsing habits, and even a dated NoScript, would I have much cause for concern? Maybe even that fear is unfounded.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Re: Is XP the most popular and successful OS of all time?

    It is quite broken.

    https://en.wikipedia.org/wiki/Shatter_attack

    http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx

     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @Hungry Man

    I realize you love to stay current with these types of things (exploits and ways to mitigate). I don't disagree.

    But, why do you suppose the hardcore 98/xp users around here don't pay attention to it much? I can include myself in that group on certain points too I suppose.

    Personally, I think it is because, even though you point to facts, those types of facts have simply never fallen upon us. I know they haven't for me, and I'll bet it is the same for others.

    I personally appreciate that you are very much into all of this, and like to share such infos. I don't have time or the inclination to do that much research on such topics any more.

    But sometimes I think that you might think that if we are not running the latest and greatest security mitigation tools, we will be hosed for certain. (not trying to upset you, just discussing is all). I understand the implications, but never see them to fruition.

    Do you really think all that super duper security is really needed for knowledgeable users? (I certainly do NOT include average users in my equations, and not in this context either)

    Sul.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    You don't notice these things because hackers don't need a cool privilege escalation exploit. It's much easier to just attack Java, which will hit every OS. If you want to call the fastest gazelle in the pack secure that's fine but in my opinion the truth of it is that the slowest gazelle is just easy pickings.

    I can run an unpatched XP system from pre-SP1. I might never get infected because it's easier for an attacker to simply use a java exploit from a month ago and hit hundreds of thousands of users.

    You might call that secure - I don't. I don't want to measure my security by how insecure others are - I'd like to measure my security based on the actual cost for exploiting the system.

    It actually takes very little time and research to learn that XP is insecure.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Re: Is XP the most popular and successful OS of all time?

    Yes! In all the years I've followed exploits, the most aggravating thing has been that the "researchers" aren't always forthcoming with details of the attack vector. They love to describe the sensational methods the payload uses once it has buried itself into the Operating System (OS).

    Impressive, for sure, but irrelevant to prevention.

    Once attack vector details are revealed, the exploit can be diagnosed, for it usually falls into two main categories:

    ==> remote code execution

    ==> social engineering

    (some are a combination of the above)

    Speaking for myself:

    None of the web-embedded remote code execution exploits I've looked at over the years would trigger on my system unless I disabled my browser security configurations (Java, Javascript, Plugins).

    None of the USB exploits would run unless I disabled my USB security measures.

    None of this, of course, has anything to do with the OS, since the above protect, no matter the OS (Win98, Win2K, WinXP in my case).

    The WMF exploit, mentioned above, was rather interesting for me. When the story broke at sans.edu in 2005, I went to the site but nothing happened. Well, I was using the (antiquated!) Win2K as my desktop system, which I realized after a while, didn't have the Windows Fax Viewer, nor the .wmf file type.

    I had an XP laptop, so I put some security on it and connected to the internet to see what would happen:

    http://www.urs2.net/rsj/computing/tests/wmf_zeroday/

    All of this is Speaking for myself, of course.

    For, I'm not one to advocate what OS or security measures one should or shouldn't use/implement. It's too dangerous -- and intrusive if not asked -- to advise from a distance (on a forum) without knowing the user's expertise, computing habits, and the like.


    ----
    rich
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I never tried Autopatcher. I've always preferred choosing the individual updates and upgrades I want.
    98Lite is where I start as well. IEradicator, available from the same site, also works well. Regarding IE, 98Lite removes more components than IEradicator, some of which are used by other IE dependent apps. These files can be put in the application's own folders as needed.

    MDGX is the place to find the unofficial upgrades for 98. If you're more interested in the development of the upgrades, a lot of it happens here. KernelEx and several related projects are dealing with the compatibility issues of new apps. Revolutions Pack largely mitigates the resource handling issues that MS refused to fix. You'll also find upgrades that fix the 2GB file size limitation, the 137GB hard drive limitation, upgrades that give 98 full USB 2 compatibility and more.

    I can't comment on DirectX. It's not installed on any PC I use. AFAIK, DirectX basically requires Internet Explorer anyway, as do most apps that use it.
    They assume a lot with those claims, starting with that your system will:
    1. automatically run or allow to run everything that comes its way
    2. that you both have vulnerable or outdated applications exposed as part of your attack surface
    3. your system allows anything to run anything else (windows default setting)
    Any OS that allows things like these is insecure. Just as for any other version of Windows, the tools exist to deal with most of these issues.
     
  14. At risk of blundering about in this thread like an ignoramus...

    Win98 has no access control. At all. Period. FAT32 just doesn't support it. Doesn't this make security harder, if not impossible?

    No offense, noone_particular, but I tend to think that Windows 98 is not targeted so much because hardly anyone uses it. It's more productive to target XP, since it's so much more popular, but if 98 were more popular I think it would be much harder to secure against threats than XP.

    That said...

    That said, I do get sick of the constant Latest And Greatest promotion that goes on in the software world. If the software companies are to be believed, you must install the latest version, believe us, it'll be twice as fast and twice as secure as the old one... And never mind that you'll need four times the RAM and a new video card to enjoy it, and it will have twenty critical vulnerabilities by the end of next month. It's an endless, vicious cycle of largely useless upgrades, and honestly it disgusts me - it wastes people's money, wastes people's time, and at its worst gets people killed (see e.g. conflict minerals).

    Windows 2000 does everything I need. I know it's insecure, and may be beyond my ability to secure against modern threats... But it works, and it works well. And I don't like breaking my setup, bogging down my computer, and generally messing everything up just because Microsoft wants to make a brand new Revolution OS every few years.

    So I can very well understand the desire to avoid upgrades. A car works for 10+ years, and you use it for as long as you can. A computer works for 10+ years, too... And you get a new one after 2-3 years, mostly because some idiots in Redmond thought you'd like As-Seen-On-TV special effects on your new OS. Pretty stupid, isn't it?
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I can see where you're coming from. It's clear that we're viewing the subject from 2 completely different positions. Your focus is on the core. Mine is on the perimeter. I'm less concerned with what is theoretically possible and more focused on the outcome. I'm not at all concerned with automated malware. The vast majority will not run on my system. Out of the ones that do, most won't find what it needs to work or won't be able to run it. There's no open points of entry on my PC other than the ports used by Tor. The only way to get malicious code onto my PC is to get me to a malicious site or get me to open a malicious file. Even then, they still have to get that code executed, if it's not filtered out beforehand. Unless someone is deliberately targeting me, any malicious code I contact will be designed for a completely different system. What little is left that is compatible won't survive a reboot. My system replaces the registry and core system files on every reboot, well before Windows ever starts. I'll admit that technically I'm not secure. That said, in practice I'm not vulnerable to most of the malicious code out there. The result is the same.

    I don't share your trust/dependence on the security measures implemented by MS. Many of the "security features" included in their present operating systems were available as separate applications long before MS adopted them. What MS passed as a firewall on XP was a weakened joke. Only now is it getting close to what's been available all along. A lot of their present features have been available in classic HIPS for years. I'll trust a 3rd party to properly implement them a lot more than MS. MS made too many exceptions for system components, exceptions that the 3rd party security apps I use don't. I'm also convinced that you're underestimating the abilities of what is available for 98 users. Given your focus on new technology, I can only assume that you haven't been exposed to or have never tried some of it.

    From the other thread:
    There is no good reason an operating system should even require this much just to run other than forcing the user to buy new hardware. Actually, I've never bought a new PC and have never paid one cent for an OS. That won't change whether I have the money or not.
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi,

    Can you give me an example of something that targets XP rather than some other OS?

    thanks,


    ----
    rich
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Agreed - the results are very much the same. And you're right that I care much more about theory - most of what I've learned is from discussing security with security researchers, and they tend to focus on theory. I talked to a pen tester and he had a very different approach.

    I think Gullibe Jones brought up that there aren't permissions in FAT. Everything is set through flags and it's incredibly insecure. File permissions have come a long way.

    The way I see it is this. You've got an insecure operating system but you've supplemented it with a series of powerful policies and tools.

    It's like running IE5 but disabling Javascript/ plugins. You filter out the most common areas where you'll be attacked but you're still on IE5. So, as you've said, the result will be the same - you likely won't be infected.

    You aren't the slowest gazelle. Creating a strong network security/ perimeter security is often enough to supplement a weaker OS. Companies do this a lot because it's cheaper.

    I personally do not like default deny policies. I've mentioned this before. I won't go into "bypasses" or whatever - that's in that other topic and I've said enough on it. I don't like them because they annoy me, they get in my way, I like to run a lot of things and so do most users. Think about UAC - people hated it. Default Deny is like UAC on steroids. Classic HIPS where every call has an interrupt would be even worse for the average user.

    Microsoft has to worry about what users will like/ what they'll be able to handle and balance that with security.

    I don't really trust Microsoft very much. Their implementation of ASLR has been shown to be flawed in every OS.

    But I do know that ASLR isn't a Microsoft creation and I do know how it works and that it does work, so I trust it in that way.

    What benefit would the Linux community gain from having these requirements? These are the same requirements to run modern IDEs for Linux systems. These are community driven projects... not businesses looking for deals with OEMs.

    Computers are more capable than ever. But each capability needs more resources. A decade ago we didn't print from our XP computers wirelessly and now we do - that takes a whole new service. Every capability requires more code. This is the same whether it's OSX, Windows, or Linux.

    You used to be able to run systems on 16mhz cores with 64mb of RAM. That isn't the case anymore - systems have to be able to do a million different things and then they have to support programs that are going to do another million things each.

    You end up with a heavier system, yes, but it's not like they're throwing RAM away just to push you to new hardware. You simply couldn't have Windows 7 or 8 stripped down to XP resources while still maintaining the capabilities provided.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Access control as in file/folder permissions? No, 98 does not have it built in. There is a 3rd party driver that does enable the user to specify read, write, and execute permissions. When I feel up to it, I work with it on a virtual system. Regarding access control itself, it's not a necessity. My XP unit uses Fat32 as well. What is going to make the changes to areas that are supposed to need access control protection? If the malicious code can't execute, what's going to make those changes? If that code can run but targets an NT system, it will try to make changes in the wrong places and ultimately fail for that reason. The access control of NTFS was more intended to separate users from each other and (assuming limited accounts) from the system itself. On single user PCs, it's far less useful and has other problems I consider worse than what it supposedly fixed. Topping that list was the ability to hide malicious code in alternate data streams. I have no use for an OS that can hide data (and executable code) from the user.
    Exactly. This doesn't include all the toxic electronic waste these policies are responsible for. It coerces users to buy cheap imported electronics (with potential backdoors in the firmware or chipsets), adding to the national debt. Electronics can be built to last almost forever. I worked at a place that built such circuit boards. No point in building anything good when the OS is obsolete in a few years. Disposable electronics and software benefits no one except those who sell it.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    That's counting on your unpatched system to not have a remote code execution vulnerability or for your other systems to prevent that RCE.
     
  21. To that I'll add the fake AV I found in my email a couple months ago. It ran perfectly in a Windows XP VM, and not at all under Windows 2000.

    Hungry Man, re improvements in functionality: I'm aware they come at a price, but OSes like Windows are also modular and expandable. And IMO the amount of bloat in the base system is completely out of proportion with functionality. Windows 7 doesn't have a whole lot more functionality than a full Xfce desktop on most Linux distros, and uses ~3 times as much RAM.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Compare it to Unity or Gnome 3. It uses about as much.

    It takes up a huge amount more disk space though. But I can't see that being them pushing users to new hardware - whether it's 3GB or 16GB HDDs are cheap as hell.
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    On the other end you have Puppy linux which does most everything the average user needs, and uses 1/10 of what the more conventional versions do. Could take it to the other extreme too. Look at that assembler OS that was posted a while ago. Has a GUI, fits on a floppy, and uses almost nothing.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Puppy runs a UI more equivalent to XP. Anything that fits on a floppy isn't going to be very capable either.
     
  25. That's not the point though. Xfce (as of version 4.8), plus a few extra applications and daemons, gives you about the same level of necessary out-of-the-box functionality as Windows 7. So why is Windows 7 (and Unity, and Gnome 3) so much heavier?
     