On Security, Windows ’98 dies with a whimper, not a bang

Microsoft took another turn with that little dance called “damned if we do damned if we don’t” this week when it announced, once again, that it was cutting off support for the Windows ’98, Windows ’98 SE and Windows ME operating systems. If you forgot, they tried to pull the plug on these dinosaurs back in 2004, but changed their mind after listening to a lot of yelling, especially from enterprise IT managers that were still running the operating system.

But this time it’s for real and, come July 11, the ranks of Win ’98 users will be pushed out of their caves, blinking, onto the brightly lit streets of the 21st century.

Microsoft’s reason for pushing the Windows ’98 birdies out the nest at long last — security. According to their post:

“Microsoft is ending support for these products because they are outdated and these older operating systems can expose customers to security risks. We recommend that customers who are still running Windows 98 or Windows Me upgrade to a newer, more secure Microsoft operating system, such as Windows XP, as soon as possible.”

Sounds like a convenient cover — I mean, when you get right down to it, what move can’t be justified by invoking the need for greater security? But are Microsoft’s claims that Windows ’98 and ME machines pose a risk to security to be believed?

Yes, says Johannes Ullrich of the SANS Internet Storm Center – but probably not for the reason you think.

Windows ’98 and ME machines are mere “background noise” in the MegaDeath concert of attack data that SANS operators enjoy every day. But the problem isn’t that Windows ’98 is so insecure — it’s just that all the software you would use to secure it no longer runs on Windows ’98, he said.

“I think what’s going on is that if you’ve still got Windows ’95 or ’98, you’re not going to have antivirus software that’s up to date,” he said.

“If you don’t have the money to upgrade your operating system, you’re probably not going to be upgrading your antivirus software either,” he said.

Windows ’98 and ME customers can still get by even without security patches from Microsoft — especially if they don’t engage in high risk activities like, say, sending or receiving e-mail, Ullrich said. That will probably be the case at the thousands of companies that still run Windows ’98, usually for the benefit of custom applications that can’t run on anything else.

Come July 11, Ullrich doesn’t expect much to change in terms of the overall security of the Internet. As for Windows ’98 and ME users, however, the timing isn’t great. Microsoft is, of course, cutting them off well shy of the release of Vista, the next version of Windows, which isn’t scheduled to be out until the end of 2006 — at the earliest. Barring any more nasty 0days that affect ’98 and ME machines, Windows customers will have plenty of time to flip through Dell catalogues and figure out just what they need to buy to take advantage of those cool Aero graphics.

As for whether Microsoft is doing the right thing — fuhgettaboudit, says Ullrich.

“Certainly, Microsoft has the right to cut them off,” he said.

I mean, come on. This is an eight year old operating system we’re talking about!!