News Flash: Win9x Less Secure Than Ever

MS has stopped releasing security patches for Windows 98 and 98SE. Security Center Editor Larry Seltzer says the end of the line for ME is just around the corner.

A long time ago in a galaxy far, far away, Windows 9x was an innovative operating system and a productive choice for users. For many years now, its been clear that its not only third-rate architecturally, but also irreparable. The solution to the Win9x problem has always been to get users onto the NT kernel, as implemented in Windows 2000 and Windows XP.

You cant just tell 100 zillion users to upgrade, though; you have to give them time to feel like they got their moneys worth out of the old crummy operating system and the computer it came on, and you have to provide some support for them in the interim, including security patches.

All things must pass though, including operating system support. According to Microsofts Windows Desktop Product Life Cycle Support and Availability Policies for Businesses page, we are already past the time period during which Microsoft would provide security patches for Windows 98 and Windows 98SE. The expiration date for Windows ME is December 31 of this year. And it seems its not just a plan; according to this user on SecurityFocuss BugTraq mailing list who noticed that there were no Windows 9x versions for Microsofts most recent Windows security patch, they are saying specifically that they wont be supplying such patches for 9x anymore.

The page says interesting things about Microsofts view of their products. I suspect most people dont think about these things, but they are important. The period we are leaving for Windows 9x is what Microsoft calls the "mainstream phase," a term I think most of us would think is over for the cursed 9x kernel. As a matter of simple terminology it seems a little extreme to me that security patches would not be provided at this point when we still have the "extended phase" and "non-supported phase" to go and its still possible, at least through some channels, to buy the product from Microsoft. But if the result is to nudge more users off the 9x kernel then at least the policy has something going for it.

Its important to note that nothing in this policy prevents you from running the operating system if you choose, even some years from now when all support and sales channels end. Hey, you can still run DOS 1.0 on your 64K IBM PC if you want, and since you cant get on the Internet you wont miss the security patches. Most people are better off moving on to new versions.

Even operating systems, such as UNIX and Linux, which were designed for the Internet in the sense that the Internet was designed for them, have had a considerable history of security flaws and patches. The extent of the problem has been limited by a number of factors: Far fewer desktop users, and almost none of the consumer users who made Windows a big deal, use these operating systems. And the smaller size of the client base makes it a less attractive target for malicious coders who, like any enterprising programmer, want the widest user base for their products. In fact, the last point is especially relevant for the modern generation of mass-mailer worms; if such a worm were written for Linux it wouldnt spread easily because so few of the users receiving it would be able to execute it. This is one reason some analysts call for diversity in operating system use as a general matter for security purposes.

Nonetheless, Linux and UNIX are not so different from Windows when it comes to patch policies. Windows 98 was released over 5 years ago. If you were running a version of Linux from 5 years ago (probably Red Hat 5.1 or so), there would likely be no way for you to patch it up to date. Red Hat, Linus, and the rest of the Linux Industrial Complex would expect you either to upgrade to a more recent and secure base version or to keep the machine in a role where it would not be subject to attack. Guess what: same for Windows. (Take a look at Red Hats policies for "errata maintenance end of life"; quite a few versions lose their support at the end of this year.)

When I urge people to patch early and often I get a lot of responses that if it aint broke I shouldnt fix it. If only things were that simple. The Internet is broken; we wont be able to fix it easily, so well all have to fix out own computers to deal with it.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer