The Big Bad Empire: Putting Old Code to Bed

There’s been a lot of FUD circulated about the WMF vulnerability. Now that this issue is beginning to quiet down and we have patches available for most users, I truly hope that the exaggerated (and in some cases, downright false) nature of some of the statements made about the bug comes to light. Apparently, though, the Microsoft heel-nipping frenzy that is going on in the community and in the media isn’t going to quiet down just yet.

What now, you ask? Predictably, Microsoft declined to offer free patches for users of its Windows 98 and Windows Millennium Edition operating systems. The vulnerability is not exploitable by default on these systems, and even after the defaults are altered (by the installation of custom software, no less) it requires a level of user interaction comparable to that required to infect a system with an e-mail worm. Users still have to click and choose “Run”, or double-click on an e-mail attachment. So Microsoft handed the flaw a non-critical rating, and therefore users of those operating systems won’t be receiving a patch.

I have no problem with what Microsoft did. Looking at the full details of the vulnerability and its (non-)exploitability on Windows 98 and Windows Millennium, their choice was made based upon extremely solid technical grounds. Some organizations, though (most notably the infamous Gibson Research Corporation) have taken it upon themselves to “protect their users” from the “devastating, big bad bug” Microsoft has so egregiously left its users exposed to, they say.

But let’s not pull punches. It’s time to face the facts. Windows 98 and Windows Me were designed for a market that is not today’s market. Plain and simple. Leaving a single-user system exposed to the internet is exponentially more dangerous than it was in 1998 or 2000, and is generally a bad idea. The demands of the system market have changed, and Microsoft’s release of Windows XP was a first step toward satisfying those demands. Windows XP Service Pack 2 was further evidence of the demand for security in the desktop market.

But being three or four years out of cycle isn’t enough for some people. Unable to see the benefits of upgrading to a system that is at least moderately capable of handling today’s threat landscape (which Windows 98 and Windows Me are not, as even Microsoft will tell you), they want to continue using their old product indefinitely. They don’t want to continue to be a paying customer of Microsoft and actually buy a new OS for its vastly superior features. Further, they don’t want to be inconvenienced by having to take mitigation measures to protect their aging assets. They expect to remain plugged in and chugging along, and they expect someone else to make up for the deficiencies in the design of that code.

Realizing the scope of continued dependence on Windows 98 and Windows Millennium, Microsoft extended critical security update support with the goal of preserving the relative security of moderately-protected single-use systems running those OSes. It was so that businesses still running atrocities like 16-bit call-center applications could continue running them for some time until competing or upgraded software emerged.

Some vocal but extraordinarily ignorant home users, though, were empowered by Microsoft’s concession. They’re now making the nonsensical claim that they deserve to get every patch for every vulnerability known so long as their system runs, and that they deserve to get it for free. Empowered by equally ignorant and still more obnoxious spokespeople, these groups are prepared to threaten the entire internet rather than upgrade. All this because they care too much about their security to buy a new product from the big bad meanie who decided to quit giving them the all-important lifeline of free patches.

In case you haven’t caught it by now, this line is complete hogwash. If you don’t care enough to upgrade your system along a more-than-reasonable maintenance timeframe (5 years+ in the case of Windows Me, 8+ in the case of Windows 98), you’re not a very valuable customer, and you certainly are none too concerned about having cutting-edge security. There may be other drivers (compatibility, for instance), but security is clearly in the back seat. So don’t complain to me, Microsoft, or anyone else that your security is affected severely by you not receiving a patch for your dinosa… er, operating system for a vulnerability that does not affect a default install. Surely, you can at least choose a complaint that would draw a little concern from me?

This may sound harsh, but I am one of scores in my business who is completely tired of dealing with Windows 98 and Windows Me systems that simply cannot be secured on the level of newer technologies, particularly for everyday use. Even more frustrating are the people who use these obsolete relics, as most of them just don’t get security. It’s time for users of these old systems who suddenly find security so valuable to get with the program. Upgrade, buy support, change OSes, or quit complaining. Microsoft owes you nothing until you get your own priorities straight.

As for my take on Microsoft’s decision to suspend hotfix support on an ambitious schedule, I’m quite happy. At last, it will be incentive for these users to upgrade. I, personally, having long ago upgraded systems, find it unfortunate that the dog pack otherwise known as legacy users still nips at Microsoft’s heels, and prevents the company from moving forward into solutions for the security issues it faces. This is especially true when it’s obvious that security is of, at best, minor importance to these users. When June 30, 2006 rolls around, I will be very happy. Maybe then we’ll stop hearing users gripe about why Microsoft patches one-and-not-the-other (without any knowledge of the bugs’ details, mind you).

I’d love to see Microsoft send a clear message about the direction of its business by suspending support for Windows 98 and Windows Millennium tomorrow. But I won’t get my wish. So June 30 is on my calendar as the day… Microsoft finally puts these disasters of an OS to bed.

  • Win98 User

    Just FYI, not all who use Win 98 are ignorant. I have various legacy apps and no intention of abiding by the Win XP EULA (which is why I don’t use XP).

    That said, I’ve had a grand total of -zero- infections. I haven’t got anything listening as a service to be exploited remotely. I do not use IE. And I still deal with the seedy side of the web to learn what exploits and such are out there.

    There are many admins, of many operating systems, who cannot claim the same record. Unless, perhaps, they run OpenBSD exclusively or something :) And it’s not just luck or ignorance of how thoroughly I’m 0wn3d–I’m quite well aware of what’s on my computer, able to control it, and smart enough not to fall for the zillions of scams I’ve seen all over the web, had emailed to me, etc.

    Worse, I admin DOS 6.22 machines at work, which also has a mix of XP and a few other things. The two isolated win 98 boxes here have never caused a single bit of trouble. The DOS machines are the easiest to script for, and thus by far the easiest to administer.

    Not every new thing is an improvement. Food for thought?

  • http://www.techroot.org F-117

    It’s hard; we must look at old code before using it on new systems.

  • blaher

    Ido posted about the very issue you talk about. There is a problem with upgrading to new operating systems or even new patches because of hardware issues:
    http://blogs.securiteam.com/index.php/archives/171

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    @Win98 User:

    I wasn’t meaning to say that any (or even necessarily the average) Win98 user is by-definition ignorant. But there are a few people who are, and they’re pushing for MS to keep supporting what is ultimately a dying technology.

    If you, for whatever reason, have a requirement to continue running 98/Me, isolate it. You seem to have done that. What bugs me is people using Windows 98 or Windows Me in supposedly security-critical roles (to the extent that they require an official, supported patch for a non-critical flaw). If the system were really “critical”, it needs to be upgraded.

    @blaher:

    Ido and I have a difference of opinion as to the requirements of running XP. If you run XP in the Classic theme, almost all of the high-demand requirements for graphical purposes disappear. I’ve run XP on a system with 128MB of RAM, a struggling PIII, and onboard video. It’s not impossible.

    Addressing both comments, what people miss is that there was another upgrade option (and still is, if you want to exercise downgrade rights). That is Windows 2000. If you need to run a business-critical piece of software on a workstation OS (why?), and have it configured in such a way that it is at risk from non-critical bugs, you can afford to run an OS that offers a higher level of protection (in the form of user account isolation) for these applications.

    Ultimately, “critical” is far more narrow than most people believe. Most Win98/WinME users these days can get away with simply killing off WMFs that come to them via the web or via e-mail. If you can’t afford to run an OS that’s capable of dealing with the security issues, you need to be capable of dealing with them yourself.
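    The comment above suggests that an unpatched Windows 98/Me user can get by simply by dropping WMF files that arrive via the web or e-mail. A filter that keys only on the `.wmf` extension misses files that arrive under another name, so a content check is the more useful control. The following is an added example, not code from the original post or from the author; it recognises a metafile by its header bytes (the 22-byte Aldus placeable header and/or the 18-byte standard METAHEADER) and flags matching attachments in a constructed sample message. The attachment names and bytes are constructed for illustration.

```python
# Added example (not from the original post): identify WMF content by its
# header structure rather than its file extension, so a mail gateway or
# proxy filter can drop metafiles regardless of the name they arrive under.
import struct

# Aldus placeable metafile key 0x9AC6CDD7, stored little-endian; the 22-byte
# placeable header, when present, precedes the standard METAHEADER.
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22
METAHEADER_LEN = 18          # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters


def is_wmf(data: bytes) -> bool:
    """Return True if `data` begins with a standard or placeable WMF header."""
    if data.startswith(PLACEABLE_MAGIC):
        data = data[PLACEABLE_HEADER_LEN:]
    if len(data) < METAHEADER_LEN:
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, 0)
    # mtType is 1 (in-memory) or 2 (disk); the header is always 9 words long;
    # mtVersion is 0x0100 (Windows 1.x) or 0x0300 (Windows 3.x).
    return (mt_type in (1, 2)
            and mt_header_size == 9
            and mt_version in (0x0100, 0x0300))


def flag_wmf_attachments(attachments):
    """Given (name, bytes) pairs, return the names whose content is a WMF."""
    return [name for name, blob in attachments if is_wmf(blob)]


# Constructed minimal disk metafile: an 18-byte METAHEADER whose only record
# is the 3-word EOF record (size=3, function=0x0000).
_EOF_RECORD = struct.pack("<IH", 3, 0)
SAMPLE_WMF = struct.pack("<HHHIHIH",
                         2,              # mtType: disk metafile
                         9,              # mtHeaderSize in words
                         0x0300,         # mtVersion
                         9 + 3,          # mtSize in words (header + EOF record)
                         0,              # mtNoObjects
                         3,              # mtMaxRecord in words
                         0) + _EOF_RECORD
# Placeable variant: key, handle, bounding box, inch, reserved, checksum (22 bytes).
SAMPLE_PLACEABLE_WMF = PLACEABLE_MAGIC + b"\x00" * 18 + SAMPLE_WMF
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 20   # constructed JPEG-like header

# Constructed sample attachments: one WMF disguised as a JPEG, one real JPEG
# header, one honestly named placeable WMF, and a text file.
SAMPLE_ATTACHMENTS = [
    ("holiday.jpg", SAMPLE_WMF),
    ("photo.jpg", SAMPLE_JPEG),
    ("chart.wmf", SAMPLE_PLACEABLE_WMF),
    ("notes.txt", b"hello"),
]

if __name__ == "__main__":
    print("WMF attachments:", flag_wmf_attachments(SAMPLE_ATTACHMENTS))
```

    The check is deliberately structural rather than a single magic-number comparison, since a standard WMF has no fixed signature beyond the small set of valid header field values; a filter built this way catches the `holiday.jpg` case above that an extension block would pass.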

  • AFT

    My first XP machine was a PIII 700 laptop with 256MB and an 8MB video card. Ran just fine. It didn’t bog down until I loaded it down with extras that ran in the background, and even then it was just at startup.
