The Big Bad Empire: Putting Old Code to Bed
There’s been a lot of FUD circulated about the WMF vulnerability. Now that this issue is beginning to quiet down and we have patches available for most users, I truly hope that the exaggerated (and in some cases, down-right false) nature of some of the statements made about the bug comes to light. Apparently, though, the Microsoft heel-nipping frenzy that is going on in the community and in the media isn’t going to quiet down just yet.
What now, you ask? Predictably, Microsoft declined to offer free patches for users of its Windows 98 and Windows Millennium Edition operating systems. The vulnerability is not exploitable by default on these systems and requires a level of user interaction comparable to that required to infect a system with an e-mail worm, even after the defaults are altered (by the installation of custom software, no less). Users still have to click and choose “Run”, or double-click on an e-mail attachment. So, Microsoft handed the flaw a non-critical rating, and therefore users of those operating systems won’t be receiving a patch.
I have no problem with what Microsoft did. Looking at the full details of the vulnerability and its (non-)exploitability on Windows 98 and Windows Millennium, their choice was made on extremely solid technical grounds. Some organizations, though (most notably the infamous Gibson Research Corporation), have taken it upon themselves to “protect their users” from the “devastating, big bad bug” that, they say, Microsoft has so egregiously left its users exposed to.
But let’s not pull punches. It’s time to face the facts. Windows 98 and Windows Me were designed for a market that is not today’s market. Plain and simple. Leaving a single-user system exposed to the internet is exponentially more dangerous than it was in 1998 or 2000, and is generally a bad idea. The demands of the system market have changed, and Microsoft’s release of Windows XP was a first step toward satisfying those demands. Windows XP Service Pack 2 was further evidence of the demand for security in the desktop market.
But being three or four years out of cycle isn’t enough for some people. Unable to see the benefits of upgrading to a system that is at least moderately capable of handling today’s threat landscape (which Windows 98 and Windows Me are not, as even Microsoft will tell you), they want to continue using their old product indefinitely. They don’t want to continue to be paying customers of Microsoft and actually buy a new OS for its vastly superior features. Further, they don’t want to be inconvenienced by having to take mitigation measures to protect their aging assets. They expect to remain plugged in and chugging along, and they expect someone else to make up for the deficiencies in the design of that code.
Realizing the scope of continued dependence on Windows 98 and Windows Millennium, Microsoft extended critical security update support with the goal of preserving the relative security of moderately-protected single-use systems running those OSes. It was so that businesses still running atrocities like 16-bit call-center applications could continue running them for some time until competing or upgraded software emerged.
Some vocal but extraordinarily ignorant home users, though, were empowered by Microsoft’s concession. They’re now making the nonsensical claim that they deserve to get every patch for every known vulnerability so long as their system runs, and they deserve to get it for free. Empowered by equally ignorant and still more obnoxious spokespeople, these groups are prepared to threaten the entire internet rather than upgrade. All this because they care too much about their security to buy a new product from the big bad meanie who decided to quit giving them the all-important lifeline of free patches.
In case you haven’t caught it by now, this line is complete hogwash. If you don’t care enough to upgrade your system along a more-than-reasonable maintenance timeframe (5+ years in the case of Windows Me, 8+ in the case of Windows 98), you’re not a very valuable customer, and you certainly are none too concerned about having cutting-edge security. There may be other drivers (compatibility, for instance), but security is clearly in the back seat. So don’t complain to me, Microsoft, or anyone else that your security is severely affected by your not receiving a patch for your dinosa… er, operating system for a vulnerability that does not affect a default install. Surely you can at least choose a complaint that would draw a little concern from me?
This may sound harsh, but I am one of scores in my business who are completely tired of dealing with Windows 98 and Windows Me systems that simply cannot be secured to the level of newer technologies, particularly for everyday use. Even more frustrating are the people who use these obsolete relics, as most of them just don’t get security. It’s time for users of these old systems who suddenly find security so valuable to get with the program. Upgrade, buy support, change OSes, or quit complaining. Microsoft owes you nothing until you get your own priorities straight.
As for my take on Microsoft’s decision to suspend hotfix support on an ambitious schedule, I’m quite happy. At last, it will be incentive for these users to upgrade. I, personally, having long ago upgraded systems, find it unfortunate that the dog pack otherwise known as legacy users still nips at Microsoft’s heels, and prevents the company from moving forward into solutions for the security issues it faces. This is especially true when it’s obvious that security is of, at best, minor importance to these users. When June 30, 2006 rolls around, I will be very happy. Maybe then we’ll stop hearing users gripe about why Microsoft patches one-and-not-the-other (without any knowledge of the bugs’ details, mind you).
I’d love to see Microsoft send a clear message about the direction of its business by suspending support for Windows 98 and Windows Millennium tomorrow. But I won’t get my wish. So June 30 is on my calendar as the day… Microsoft finally puts these disasters of operating systems to bed.