Windows 98 Presents Security Problems As It Ends Lifespan

Companies still running Windows 98 risk facing unpatched Internet threats as Microsoft puts the operating system out to pasture early next year, said a research firm Thursday.

The research paper and an accompanying survey, both released by AssetMetrix Research Labs, an arm of IT asset management vendor AssetMetrix, points out that although there are large numbers of machines in enterprises still running Windows 98, the Redmond, Wash.-based developer is set to retire the operating system and will stop posting security fixes for the OS in mid-January 2004.

AssetMetrix's survey of 670 companies found that 80 percent of the firms were still running at least one machine with Windows 98 and the older OS, Windows 95. Together, the two operating systems account for over 27 percent of all installed Windows machines, a number substantially higher than the meager seven percent share of Windows XP. Windows 2000 placed in the number one spot, with 53 percent, while the aged Windows NT, still popular in many enterprises, accounted for 13 percent.

The problem with Windows 98 stems from Microsoft's product lifecycle. As of January 16, 2004, Microsoft will shift Windows 98 into what it dubs the 'non-supported phase,' which means that although online help for the operating system will continue, the company is not obligated to release security 'hotfixes' for uncovered vulnerabilities.

To compound the issue, Microsoft earlier this week announced that it was discontinuing distribution for all editions of Windows 98 except for Windows 98 Second Edition, a move required by a settlement reached with Sun Microsystems in a dispute over Java."But the largest potential risk to corporations using Windows 95 and 98 is the probability of an Internet-based security exploit being discovered after January that can affect a Win9X PC," said AssetMetrix's report.

"The biggest issue here is that Windows 98 is being dropped from hotfixes," said Steve O'Halloran, the directing manager of AssetMetrix's Research Labs, and the author of the research paper.

"If a bad guy finds an exploit that affects Windows 98, that exploit then becomes an issue for companies with Internet-facing machines. Windows 98 systems can become the Typhoid Mary of the corporation, the back door for hackers," he said.

The reason why so many companies still rely on aging versions of Windows, said O'Halloran, is a confluence of events going as far back as 1998. "The legacy OSes are still because the legacy hardware is still there," he said. "The stars lined up all wrong for the people who tried to do the right thing. They were told to prepare for Y2K in late 1998, but three years later, in 2001, when they should be retiring these machines, it was right in the middle of the economic slowdown."

As Windows 98 rolls into its obsolete phase, O'Halloran added, companies should look closely at those machines, especially the ones with access to the Internet. "Any Windows 9X-based PC with access to the Internet, including laptops that leave the company network, should be candidates for migrating to Windows XP or Windows 2000," he said in his report.Another way to handle Windows 98 systems is to move them into positions where they're isolated from the Internet, he advised. Production machines and kiosks, for instance, that don't connect to the Internet, could still safely run the older OS.

Among his other recommendations: make sure that all PCs, regardless of the operating system, have the latest security fixes from Microsoft installed, inventory the enterprise's PCs to determine how many are running Windows 95 and 98, and obtain installation images prior to December 23, when Microsoft will stop the distribution of most flavors of Windows 98.