No Fix for Critical Windows 98, Me Flaw

[SpywareDr]

http://www.techtree.com/techtree/jsp...ment_id=338204

Microsoft has encountered a critical vulnerability in Windows 98, 98 SE and Windows Me that it simply cannot fix, the company acknowledged Friday. The flaw affects Windows Explorer and after investigating the issue, Microsoft said it would need to reengineer a significant amount of the operating system.

Announced as part of April's security bulletins, a remote execution vulnerability exists in Windows Explorer because of the way that it handles COM objects. A malicious Web site could force a connection to a remote file server, which in turn causes Explorer to fail and potentially execute arbitrary code.

Microsoft says an attacker could take complete control of affected operating systems in this manner. Patches correcting the flaw were issued for Windows 2000, XP and Windows Server 2003, but the vulnerability remains unpatched on Windows 9x based systems.

The Redmond company says that because it would need to re-architecture Windows Explorer in those legacy systems to better match Windows 2000, a fix just isn't feasible. According to the updated bulletin, Microsoft could not ensure that applications written for Windows 9x would continue to operate as intended after the changes.

Moreover, Microsoft has little incentive to expend the resources necessary to patch the flaw. Support for Windows 98, 98 SE and Windows Me ends on July 11, which means no more security updates will be released and no technical or public support will be provided.

Microsoft will continue to offer Windows 98 and Me help topics through its Web site until at least July 11, 2007. However, without additional security updates, customers will be left unprotected from exploits taking advantage of the critical vulnerability, as well as any future problems.

[Nix]

Wasn't Me a falw !! LOL

[SpywareDr]

Excerpts from other related various articles and bulletins ...

Microsoft Technet > Microsoft Security Bulletin MS06-015
Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)
http://www.microsoft.com/technet/sec.../MS06-015.mspx

Affected Software:

• ...
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems.

Executive Summary:

This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

We recommend that customers apply the update immediately.

Frequently asked questions (FAQ) related to this security update

If Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) are listed as an affected product, why is Microsoft not issuing security updates for them?

During the development of Windows 2000, significant enhancements were made to the underlying architecture of Windows Explorer. The Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) Windows Explorer architecture is much less robust than the more recent Windows architectures. Due to these fundamental differences, after extensive investigation, Microsoft has found that it is not feasible to make the extensive changes necessary to Windows Explorer on Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) to eliminate the vulnerability. To do so would require reengineer a significant amount of a critical core component of the operating system. After such a reengineering effort, there would be no assurance that applications designed to run on these platforms would continue to operate on the updated system.

Microsoft strongly recommends that customers still using Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) protect those systems by placing them behind a perimeter firewall which is filtering traffic on TCP Port 139. Such a firewall will block attacks attempting to exploit this vulnerability from outside of the firewall, as discussed in the workarounds section below.

Will Microsoft issue security updates for Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) sometime in the future?

Microsoft has extensively investigated an engineering solution for Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME). We have found that these architectures will not support a fix for this issue now or in the future.

Workarounds for Windows Shell Vulnerability - CVE-2006-0012:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Disable the Web Client service

Disabling the Web Client service will help protect the affected system from attempts to exploit this vulnerability. To disable the Web Client service, follow these steps:

1. Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.
   
   
2. Double-click Administrative Tools.
   
   
3. Double-click Services.
   
   
4. Double-click WebClient.
   
   
5. In the Startup type list, click Disabled.
   
   
6. Click Stop, and then click OK.

You can also stop and disable the Web Client service by using the following command at the command prompt:

Code:

sc stop WebClient & sc config WebClient start= disabled

Use the Group Policy settings to disable the WebClient service on all affected systems that do not require this feature.

Because the Web Client service is a possible attack vector, disable the service by using the Group Policy settings. You can disable the startup of this service at either the local, site, domain, or organizational-unit level by using Group Policy object functionality in Windows 2000 domain environments or in Windows Server 2003 domain environments.

Block TCP ports 139 and 445 at the firewall:

Although WebDAV uses TCP port 80 for outbound communication, TCP ports 139 and 445 can be used outbound to attempt to connect to a malicious service and try to exploit this vulnerability. Blocking them at the firewall can help prevent systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, visit the following Web site.

Internet Security Systems > Research > X-Force Database > X-Force Database Results
Microsoft Windows Explorer COM object code execution
http://xforce.iss.net/xforce/xfdb/25554

win-explorer-com-code-execution (25554)

Microsoft Windows Explorer could allow a remote attacker to execute arbitrary code and take complete control over a victim's system, caused by a vulnerability regarding the handling of folders that have the same GUID as a COM object. An attacker could exploit this vulnerability by persuading a victim to visit a malicious Web site or open a malicious email attachment.

Microsoft Windows Explorer Remote Code Execution Vulnerability (MS06-015)
http://www.frsirt.com/english/advisories/2006/1320

Advisory ID : FrSIRT/ADV-2006-1320

A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to take complete control of an affected system. This flaw is due to an error in Windows Explorer that does not properly handle certain COM objects, which could be exploited by remote attackers to execute arbitrary commands by convincing a user to visit a web page that could force a connection to a remote file server containing specially crafted files and directories that invoke malicious code.

No Fix for Critical Windows 98, Me Flaw
http://www.betanews.com/article/No_F...law/1149873723

... Microsoft could be leaving millions of computers at risk to attack."It's surprising how many consumers or businesses still use these older versions, particularly Windows 98. Their continued use partly accounts for an extension of support for about an additional 18 months--from January 2004 to July 2006," Jupiter Research (a division of Jupitermedia Corporation) senior analyst Joe Wilcox told BetaNews.

"Our surveys show that, among consumer households, most older Windows versions run on second or third PCs, and I expect many to remain in use even after security support ends."

More like this: http://www.google.com/search?hl=en&l...22&sa=N&tab=nw

[usil]

Hmmm, oops?

[104456]

Im not saying these problems are not valid its just kinda strange that they should appear after so many years of use and right at the end of the operating systems shelf life.

[Nix]

Im not saying these problems are not valid its just kinda strange that they should appear after so many years of use and right at the end of the operating systems shelf life.

Good point - it's probably just scare tactics to force people to buy XP and then in be told that it is out of date and they need to buy Vista.

More $$$$$$$$$$ for M$ and in the men time they are busily writing something that will pick up on the flaw and destroy your PC - Maybe they already did and dropped in in the last lot of updates as a non reversable 'fix' that imlements the flaw.

This has got conspiracy theory written all over it.

[Nix]

July 2006 - Updates for Win9x end
July 2007 - Help Topics for Win9x end on MS Website
July 2008 - Bill Gates stops running day to day stuff at MS

All a bit coincidental

[SpywareDr]

Microsoft's fiscal year begins July 1st.