End of support for Windows 98 and Windows ME

[NoelMVP]

The tweak works as well in ME as it did in 98/SE - and in some cases, better (the maximum value is 512MB (524288) - but most people take teh eqasy way out and use 512000). The value that lgbpop found is not to far from teh 'magic number' that existed for some motherboards in Win98 of 70% of RAM (or of 512MB) - look here for more details.....
http://www.aumha.org/win4/a/memmgmt.htm

[cyndommett]

I've just had a motherboard failure and my son has put in a new one, formatted a spare hard drive and put my old hard drive as a slave. We've installed the original Windows 98SE and Internet Explorer etc.

Now I need to upgrade with all critical upgrades but, of course, I've just found out that Microsoft.com doesn't support 98 any more.

I have tried doing a Google search on necessary upgrades but get such a load of information that I don't know where to start.

Being a mere woman who is now faced with all this software to upgrade and sort through, could someone tell me what I should be looking for please?

Cyn

[lgbpop]

If the computer was working OK before the mobo failure, you can try making your old HDD the master (boot) drive, then on the next startup go into the BIOS and enable the "clear configuration data" (also known as ECSD, you may see that instead) then F10 to save-&-exit and start up the computer. You'll be reinstalling a bunch of the hardware as a result (have your CDs handy and ready to use) but the OS and all the updates will be undisturbed otherwise.

[Murf]

98 Updates are still available on MS site. I also have all of them in "Murf's Garage, click link in my signature.

[ProfessorU]

You're going to start losing support for other apps on the 98/ME platform as well. The latest version of ZoneAlarm free no longer installs on 98/ME. As a computer tech, I have respect for anyone who wants to 'experiment' with an old OS but the only 'repair' I'll do on a 98/ME system is an OS upgrade.
I don't think people understand what this means. New security holes will be found. Probably within a week of the end of critical updates. Some will be holes in all windows OSes, some will be holes specifically in win98/ME. Hackers probably have exploits they have been sitting on for months just to drop them after the support deadline. Win98/ME users will have no recourse. Microsoft isn't going to fix the problem. This isn't something that has happened before. This will be a VERY big security event. Windows 98 will get a lot of press when the first exploits come out.

Maybe you'll get an occasional third-party patch from a nice guy like Steve Gibson, but who are you going to trust? If I was running a Windows 98 machine, it certainly wouldn't be connected to the internet any more!

[Nix]

This isn't something that has happened before. This will be a VERY big security event.

Ok Chicken Little lets not get carried away - Y2K was supposed to be the end of the world as we know it and look at what a flop that was.

[SpywareDr]

http://www.techtree.com/techtree/jsp...ment_id=338204

Microsoft has encountered a critical vulnerability in Windows 98, 98 SE and Windows Me that it simply cannot fix, the company acknowledged Friday. The flaw affects Windows Explorer and after investigating the issue, Microsoft said it would need to reengineer a significant amount of the operating system.

Announced as part of April's security bulletins, a remote execution vulnerability exists in Windows Explorer because of the way that it handles COM objects. A malicious Web site could force a connection to a remote file server, which in turn causes Explorer to fail and potentially execute arbitrary code.

Microsoft says an attacker could take complete control of affected operating systems in this manner. Patches correcting the flaw were issued for Windows 2000, XP and Windows Server 2003, but the vulnerability remains unpatched on Windows 9x based systems.

The Redmond company says that because it would need to re-architecture Windows Explorer in those legacy systems to better match Windows 2000, a fix just isn't feasible. According to the updated bulletin, Microsoft could not ensure that applications written for Windows 9x would continue to operate as intended after the changes.

Moreover, Microsoft has little incentive to expend the resources necessary to patch the flaw. Support for Windows 98, 98 SE and Windows Me ends on July 11, which means no more security updates will be released and no technical or public support will be provided.

Microsoft will continue to offer Windows 98 and Me help topics through its Web site until at least July 11, 2007. However, without additional security updates, customers will be left unprotected from exploits taking advantage of the critical vulnerability, as well as any future problems.

[Nix]

Wasn't Me a flaw !! LOL

[lgbpop]

The Redmond company says that because it would need to re-architecture Windows Explorer in those legacy systems to better match Windows 2000, a fix just isn't feasible.

Illogical. Someone still using one of these OSs probably isn't using Win2K or any NTFS system, so why does it have to match it? It doesn't have to from the user's vantage point. To use a non-existent problem as an excuse not to fix an existing problem is double-talk IMHO, and saying that apps written for 9x sytems may not run after the changes is obvious--but misleading, since that's predicated on the false premise.

[Herring]

ProfessorU - I wouldn't want to do OS upgrades on many of the systems I see around here. Lots of them belong to seniors and are either PII or PIII and they suit the peoples needs (most of who are on minimal pensions), I'd hate to see them have to go through the stress and expense of purchasing a new system that could run XP or whatever's coming down the tubes next (and learning the new OS) just so that they can get email with pictures of their grandkids... and run their genealogy software, or write a book in Word.
Most of these people don't venture too far on the Web, use dial up and get problems after their grandkids come visit and go online or from hardware failure (modems and PSUs most commonly these days).
I run W2k on one machine and 98SE on this (my main) machine, a PIII 733MHz; I'm connected pretty well 24/7 and take reasonable precautions and have not had a problem in years other than hardware related.

On a happy note. One of my clients was really excited to go online and purchase a brand new Dell and upgrade his genealogy software for his 92nd birthday this Winter. It was one of those freezing -25°C days with a cold North wind and he didn't have to go shopping. Just fill in the forms give the credit card number and they would deliver it to his door in 5 working days. That was exciting for this gentleman, he was literally like a kid in a candy store. I went there and set up the system for him and he's been happily working away ever since.

[SpywareDr]

Excerpts from other related various articles and bulletins ...

Microsoft Technet > Microsoft Security Bulletin MS06-015
Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)
http://www.microsoft.com/technet/sec.../MS06-015.mspx

Affected Software:

• ...
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems.

Executive Summary:

This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

We recommend that customers apply the update immediately.

Frequently asked questions (FAQ) related to this security update

If Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) are listed as an affected product, why is Microsoft not issuing security updates for them?

During the development of Windows 2000, significant enhancements were made to the underlying architecture of Windows Explorer. The Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) Windows Explorer architecture is much less robust than the more recent Windows architectures. Due to these fundamental differences, after extensive investigation, Microsoft has found that it is not feasible to make the extensive changes necessary to Windows Explorer on Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) to eliminate the vulnerability. To do so would require reengineer a significant amount of a critical core component of the operating system. After such a reengineering effort, there would be no assurance that applications designed to run on these platforms would continue to operate on the updated system.

Microsoft strongly recommends that customers still using Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) protect those systems by placing them behind a perimeter firewall which is filtering traffic on TCP Port 139. Such a firewall will block attacks attempting to exploit this vulnerability from outside of the firewall, as discussed in the workarounds section below.

Will Microsoft issue security updates for Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) sometime in the future?

Microsoft has extensively investigated an engineering solution for Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME). We have found that these architectures will not support a fix for this issue now or in the future.

Workarounds for Windows Shell Vulnerability - CVE-2006-0012:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Disable the Web Client service

Disabling the Web Client service will help protect the affected system from attempts to exploit this vulnerability. To disable the Web Client service, follow these steps:

1. Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.
   
   
2. Double-click Administrative Tools.
   
   
3. Double-click Services.
   
   
4. Double-click WebClient.
   
   
5. In the Startup type list, click Disabled.
   
   
6. Click Stop, and then click OK.

You can also stop and disable the Web Client service by using the following command at the command prompt:

Code:

sc stop WebClient & sc config WebClient start= disabled

Use the Group Policy settings to disable the WebClient service on all affected systems that do not require this feature.

Because the Web Client service is a possible attack vector, disable the service by using the Group Policy settings. You can disable the startup of this service at either the local, site, domain, or organizational-unit level by using Group Policy object functionality in Windows 2000 domain environments or in Windows Server 2003 domain environments.

Block TCP ports 139 and 445 at the firewall:

Although WebDAV uses TCP port 80 for outbound communication, TCP ports 139 and 445 can be used outbound to attempt to connect to a malicious service and try to exploit this vulnerability. Blocking them at the firewall can help prevent systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, visit the following Web site.

Internet Security Systems > Research > X-Force Database > X-Force Database Results
Microsoft Windows Explorer COM object code execution
http://xforce.iss.net/xforce/xfdb/25554

win-explorer-com-code-execution (25554)

Microsoft Windows Explorer could allow a remote attacker to execute arbitrary code and take complete control over a victim's system, caused by a vulnerability regarding the handling of folders that have the same GUID as a COM object. An attacker could exploit this vulnerability by persuading a victim to visit a malicious Web site or open a malicious email attachment.

Microsoft Windows Explorer Remote Code Execution Vulnerability (MS06-015)
http://www.frsirt.com/english/advisories/2006/1320

Advisory ID : FrSIRT/ADV-2006-1320

A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to take complete control of an affected system. This flaw is due to an error in Windows Explorer that does not properly handle certain COM objects, which could be exploited by remote attackers to execute arbitrary commands by convincing a user to visit a web page that could force a connection to a remote file server containing specially crafted files and directories that invoke malicious code.

No Fix for Critical Windows 98, Me Flaw
http://www.betanews.com/article/No_F...law/1149873723

... Microsoft could be leaving millions of computers at risk to attack."It's surprising how many consumers or businesses still use these older versions, particularly Windows 98. Their continued use partly accounts for an extension of support for about an additional 18 months--from January 2004 to July 2006," Jupiter Research (a division of Jupitermedia Corporation) senior analyst Joe Wilcox told BetaNews.

"Our surveys show that, among consumer households, most older Windows versions run on second or third PCs, and I expect many to remain in use even after security support ends."

More like this: http://www.google.com/search?hl=en&l...22&sa=N&tab=nw

[ProfessorU]

The most interesting part of this is the health of the internet as a whole. This has the potential to really open up DDoS attacks again. Botnets will get more powerful. Running windows 98 could be like leaving your handgun loaded on the front step.
And if the big websites being attacked can't get recourse against the bot master, who's to say they can't sue the people that are half-knowingly running bots? Three years ago it was unheard of to sue a 'John Doe' IP, but the RIAA did it and won.
Chicken Little, my butt. You'd be better off running Windows for Workgroups for the next few years.

[Norman]

Time for this old geezer to join the 21st Century and buy a new machine/OS!!

Currently 1998 Gateway, G6-450, PII, Win98SE, Office97 ... USB 1.0, DVD/CD Rom, 1.44 floppy and Zip. Thanks to this forum, i'd been patching along all these years 'cuz so many personal/business files on this machine.

Can you point me to some links/discussions (ease of file transfers, compatibility, etc)? i.e. Why can't a guy simply uncork the old hard drive and plug it into the new machine as a separate, dedicated drive? (Then could simply transfer files that way).

Thanks ... you guys have saved me fanny many times over the years!!

[Train]

Why can't a guy simply uncork the old hard drive and plug it into the new machine as a separate, dedicated drive? (Then could simply transfer files that way).

Not a thing wrong with that. It is the recommended way of doing it.

[ProfessorU]

Just be sure your new rig has an open IDE slot and power, and the drive jumpers are configured correctly. Then you're golden.
If you're running on the original hard drive, I'd advise retiring it after the data move. It's not likely to last much longer, and if you bought it in 1998 it's probably puny anyway.