Windows 98 Presents Security Problems As It Ends Lifespan

Companies still running Windows 98 risk facing unpatched Internet threats as Microsoft puts the operating system out to pasture early next year, a research firm says.

The research paper and an accompanying survey, both released Thursday by AssetMetrix Research Labs, a unit of IT asset-management vendor AssetMetrix, points out that although there are large numbers of machines in businesses still running Windows 98, Microsoft is set to retire the operating system and will stop posting security fixes in mid-January.

AssetMetrix's survey of 670 companies found that 80% were still running at least one machine with Windows 98 and its predecessor, Windows 95. Together, the two operating systems account for more than 27% of all installed Windows machines--substantially more than the meager 7% that run Windows XP. Windows 2000 was first with 53%, while the aged Windows NT, still popular in many companies, accounted for 13%.

The problem with Windows 98 stems from Microsoft's product lifecycle. As of Jan. 16, 2004, Microsoft will shift Windows 98 into what it dubs the "non-supported phase," which means that although online help for the operating system will continue, the company is not obligated to release security "hot fixes" for uncovered vulnerabilities.

To compound the issue, Microsoft said earlier this week that it was discontinuing distribution for all editions of Windows 98 except for Windows 98 Second Edition, a move required by a settlement reached with Sun Microsystems in a dispute over Java.

"But the largest potential risk to corporations using Windows 95 and 98 is the probability of an Internet-based security exploit being discovered after January that can affect a Win9x PC," said AssetMetrix's report.

"The biggest issue here is that Windows 98 is being dropped from hot fixes," said Steve O'Halloran, directing manager of AssetMetrix's Research Labs, and the author of the research paper. "If a bad guy finds an exploit that affects Windows 98, that exploit then becomes an issue for companies with Internet-facing machines. Windows 98 systems can become the Typhoid Mary of the corporation, the back door for hackers."

The reason why so many companies still rely on aging versions of Windows, said O'Halloran, is a confluence of events going as far back as 1998. "The legacy operating systems are still there because the legacy hardware is still there," he said. "The stars lined up all wrong for the people who tried to do the right thing. They were told to prepare for Y2K in late 1998, but three years later, in 2001, when they should be retiring these machines, it was right in the middle of the economic slowdown."

As Windows 98 rolls into its obsolete phase, O'Halloran added, companies should look closely at those machines, especially the ones with access to the Internet. "Any Windows 9x-based PC with access to the Internet, including laptops that leave the company network, should be candidates for migrating to Windows XP or Windows 2000," he said in his report.

Another way to handle Windows 98 systems is to move them into positions where they're isolated from the Internet, he advised. Production machines and kiosks, for instance, that don't connect to the Internet, could still safely run the older operating system.

Among his other recommendations: Make sure that all PCs, regardless of the operating system, have the latest security fixes from Microsoft installed, inventory PCs to determine how many are running Windows 95 and 98, and obtain installation images prior to Dec. 23, when Microsoft will stop the distribution of most flavors of Windows 98.