Microsoft has encountered a critical vulnerability in Windows 98, 98 SE and Windows Me that it simply cannot fix, the company acknowledged Friday. The flaw affects Windows Explorer and after investigating the issue, Microsoft said it would need to reengineer a significant amount of the operating system.
Announced as part of April's security bulletins, a remote execution vulnerability exists in Windows Explorer because of the way that it handles COM objects. A malicious Web site could force a connection to a remote file server, which in turn causes Explorer to fail and potentially execute arbitrary code.
Microsoft says an attacker could take complete control of affected operating systems in this manner. Patches correcting the flaw were issued for Windows 2000, XP and Windows Server 2003, but the vulnerability remains unpatched on Windows 9x based systems.
The Redmond company says that because it would need to re-architecture Windows Explorer in those legacy systems to better match Windows 2000, a fix just isn't feasible. According to the updated bulletin, Microsoft could not ensure that applications written for Windows 9x would continue to operate as intended after the changes.
Moreover, Microsoft has little incentive to expend the resources necessary to patch the flaw. Support for Windows 98, 98 SE and Windows Me ends on July 11, which means no more security updates will be released and no technical or public support will be provided.
Microsoft will continue to offer Windows 98 and Me help topics through its Web site until at least July 11, 2007. However, without additional security updates, customers will be left unprotected from exploits taking advantage of the critical vulnerability, as well as any future problems.
Customers still running the older operating systems can take steps to protect themselves, Microsoft says.
"We do strongly recommend that customers still using Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) protect those systems by placing them behind a perimeter firewall which filters traffic on TCP Port 139 which will block attacks attempting to exploit this vulnerability."
The company is also taking the opportunity to urge customers to upgrade their machines to a newer version of Windows, such as Windows XP Service Pack 2. Support for Service Pack 1 will cease on October 10, notes Christopher Budd from Microsoft's Security Response Center.
But with the critical vulnerability remaining unpatched, Microsoft could be leaving millions of computers at risk to attack.
"It's surprising how many consumers or businesses still use these older versions, particularly Windows 98. Their continued use partly accounts for an extension of support for about an additional 18 months--from January 2004 to July 2006," Jupiter Research senior analyst Joe Wilcox told BetaNews.
"Our surveys show that, among consumer households, most older Windows versions run on second or third PCs, and I expect many to remain in use even after security support ends."