News Flash: Win9x Less Secure Than Ever

By Larry Seltzer  |  Posted 2003-09-10 Print this article Print

MS has stopped releasing security patches for Windows 98 and 98SE. Security Center Editor Larry Seltzer says the end of the line for ME is just around the corner.

A long time ago in a galaxy far, far away, Windows 9x was an innovative operating system and a productive choice for users. For many years now, its been clear that its not only third-rate architecturally, but also irreparable. The solution to the Win9x problem has always been to get users onto the NT kernel, as implemented in Windows 2000 and Windows XP. You cant just tell 100 zillion users to upgrade, though; you have to give them time to feel like they got their moneys worth out of the old crummy operating system and the computer it came on, and you have to provide some support for them in the interim, including security patches.

All things must pass though, including operating system support. According to Microsofts Windows Desktop Product Life Cycle Support and Availability Policies for Businesses page, we are already past the time period during which Microsoft would provide security patches for Windows 98 and Windows 98SE. The expiration date for Windows ME is December 31 of this year. And it seems its not just a plan; according to this user on SecurityFocuss BugTraq mailing list who noticed that there were no Windows 9x versions for Microsofts most recent Windows security patch, they are saying specifically that they wont be supplying such patches for 9x anymore.

The page says interesting things about Microsofts view of their products. I suspect most people dont think about these things, but they are important. The period we are leaving for Windows 9x is what Microsoft calls the "mainstream phase," a term I think most of us would think is over for the cursed 9x kernel. As a matter of simple terminology it seems a little extreme to me that security patches would not be provided at this point when we still have the "extended phase" and "non-supported phase" to go and its still possible, at least through some channels, to buy the product from Microsoft. But if the result is to nudge more users off the 9x kernel then at least the policy has something going for it.

Its important to note that nothing in this policy prevents you from running the operating system if you choose, even some years from now when all support and sales channels end. Hey, you can still run DOS 1.0 on your 64K IBM PC if you want, and since you cant get on the Internet you wont miss the security patches. Most people are better off moving on to new versions.

Even operating systems, such as UNIX and Linux, which were designed for the Internet in the sense that the Internet was designed for them, have had a considerable history of security flaws and patches. The extent of the problem has been limited by a number of factors: Far fewer desktop users, and almost none of the consumer users who made Windows a big deal, use these operating systems. And the smaller size of the client base makes it a less attractive target for malicious coders who, like any enterprising programmer, want the widest user base for their products. In fact, the last point is especially relevant for the modern generation of mass-mailer worms; if such a worm were written for Linux it wouldnt spread easily because so few of the users receiving it would be able to execute it. This is one reason some analysts call for diversity in operating system use as a general matter for security purposes.

Nonetheless, Linux and UNIX are not so different from Windows when it comes to patch policies. Windows 98 was released over 5 years ago. If you were running a version of Linux from 5 years ago (probably Red Hat 5.1 or so), there would likely be no way for you to patch it up to date. Red Hat, Linus, and the rest of the Linux Industrial Complex would expect you either to upgrade to a more recent and secure base version or to keep the machine in a role where it would not be subject to attack. Guess what: same for Windows. (Take a look at Red Hats policies for "errata maintenance end of life"; quite a few versions lose their support at the end of this year.)

When I urge people to patch early and often I get a lot of responses that if it aint broke I shouldnt fix it. If only things were that simple. The Internet is broken; we wont be able to fix it easily, so well all have to fix out own computers to deal with it.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel