Windows 98's demise leaves questions on security

Microsoft's plan to stop issuing security patches for the Windows 98 next month could pose significant security challenges for...

Microsoft's plan to stop issuing security patches for the Windows 98 next month could pose significant security challenges for organisations still running the operating system, experts have warned.

Microsoft said on 8 December that it is halting further distribution of Windows 98, with the exception of Windows 98 Second Edition, by the end of this month to comply with a legal settlement with Sun Microsystems over a dispute about the Java programming language.

The company ended no-charge incident support for Windows 98 on 30 June and has long warned that it will discontinue paid incident support on 16 January 2004. After that date, Microsoft has no plans to continue producing security patches for Windows 98 even if a virus or worm outbreak targets that platform, according to a company spokeswoman.

Should such an outbreak occur, customers should upgrade to a supported Windows operating system, she said. For those who do not upgrade, information as well as firewall and antivirus software from third-party companies can help protect vulnerable Windows 98 systems, the spokeswoman said.

With more than 39 million copies of Windows 98 installed across the globe, according to research group IDC, the impact of Microsoft's policy on Windows 98 will be felt far and wide.

Steve O'Halloran, managing director of AssetMetrix, recently conducted research into Windows deployments in 672 companies that use its asset management products.

The review of companies in the US, Canada, the UK, Australia and New Zealand found that machines running Windows 95 and 98 accounted for 27% of desktop systems studied, or more than 372,000 installations. Windows XP installations, by contrast, accounted for just 7% of installations.

AssetMetrix believes many of those installations can be traced to a rush by companies in 1999 to upgrade their computers before the year 2000 shift, O'Halloran said, adding that a slumping economy in 2001 postponed upgrades from Windows 98 to Windows 2000 at many of those companies.

Some of AssetMetrix's customers have Windows 98 deployed in isolated manufacturing environments or on kiosks where they are shielded from Internet attacks, O'Halloran said.

The adage "if it isn't broke, don't fix it" also applies, said Dan Kusnetzky, an analyst at IDC.

"Windows 98 works well enough that people will continue to run it until the machine is so obsolete that it can't run anymore," he said.

Frequently, such systems use software applications or hardware that is incompatible with newer operating systems. That means that even with the end of support, companies will continue to use the operating system until hardware failures or software limitations force them to move, he said.

That may not be a bad thing. The key is for companies to understand where their Windows 98 machines are deployed and what their exposure to the internet is, O'Halloran said.

Companies that have "internet-facing" computers running Windows 98 face an increasing risk of network security breaches from viruses, worms and Trojan horse programs in 2004, AssetMetrix said in its report.

However, security concerns rather than outdated functionality will lead most companies to move from Windows 98 and to newer Windows operating systems, O'Halloran said.

"If someone discovers a security exploit and you cannot get a hot fix for it, you have to decide if that's the world you want to live in," he added.

Paul Roberts writes for IDG News Service

Read more on IT risk management