The vulnerability, patched for other Windows operating systems in the MS06-015 bulletin, exists in the way Windows Explorer handles COM (Component Object Model) objects. Although it puts Windows 98 users at risk of code execution attacks, Microsoft warned that a fix would not be made available.
"After extensive investigation, we've found that it's not feasible to make the extensive changes necessary to Windows Explorer on these older versions of Windows to eliminate the vulnerability," said Christopher Budd, a program manager in the MSRC (Microsoft Security Response Center).
Public and technical support for Windows 98, Windows 98 SE (Second Edition), and Windows ME (Millennium Edition) formally ends on July 12, the scheduled day for security patches in July.
In a post on the MSRC blog, Budd said Microsoft has made "significant enhancements to the underlying architecture of Windows Explorer" since the development of Windows 2000, meaning that the architecture on older operating system versions is "much less robust."
"Due to these fundamental differences, these changes would require reengineering a significant amount of a critical core component of the operating system. After such a reengineering effort, there would be no assurance that applications designed to run on these platforms would continue to operate on the updated system," Budd said.
Microsoft's recommendation is for Windows 98 customers to protect those systems by placing them behind a perimeter firewall that filters traffic on TCP port 139. This will block attacks attempting to exploit the Windows Explorer flaw.
With security support ending, the company is again urging users to upgrade to a newer, more secure version, such as Windows XP Service Pack 2, as soon as possible.
Support for Windows XP SP1 ends on October 10, 2006.
The latest information comes as Microsoft is preparing to release a dozen bulletins to cover a wide range of flaws affecting Windows, Microsoft Office and Microsoft Exchange. A patch for the Internet Explorer browser is also on tap.
One of the Microsoft Office patches will cover a zero-day vulnerability in Microsoft Word that has already been exploited in targeted attacks.