Re: Is a Windows 98se computer more, or less, of a security threat with IE 5.5 (unused) & Firefox, or with IE 6.0 & latest updates (unused) & Firefox?

Paper policies are about as much use as a fart in a thunderstorm! - all it takes is a Monday-morning hangover, and the policy goes out the window with the aspirin-wrappers.
There is no such thing as a 'strong' paper policy - it needs to be backed up by *enforced* group policies within the OS.

*Twice a month*???? - MS only normally issue patches on the second Tuesday of the month (and that policy has been in place for more than a year - broken, IIRC, once only, for the WMF problems at Christmas)

I can't help feeling that your client is getting more work than they need for less result than they need.

The fact is that ANY PC on a network exposes ALL of the PC';s to the same risks - and if one is infected, then all become immediately moor vulnerable, because the virus is behind the (supposedly invulnerable) corporate firewall, and may have free rein!

Win 98 is already unsafe, if running on IE5.ox - you're planning too little, too late.

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com

http://tinyurl.com/6oztj

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
"Nate Goulet" <askifyouwant@xxxxxxxxx> wrote in message news:44b7c287.3395015@xxxxxxxxxxxxxxxxxxxxxx

Security may be better served by an NT-based OS, but for safety
from drive-by attacks (especially clickless attacks) its a closer
call, IMO leaning towards Win9x.

Security from with in the company getting onto someone's pc is less of
an issue, and i'm aware that Win98 doesn't have real security like NT
OS's do. And for those users that do have sensitive information, we
are using XP Pro.

Plus, if you're using OE, you have all the IE HTML rendering bugs
in full (d)effect, as the same engine renders Outlook and OE HTML
"message text". That opens you up to clickless attack.

I have the preview panels disabled in OE on all the computers, so
hopefully the users would at least have to at least open the messages
to get infected. We have strict policies on opening e-mails, and
instructions how to determine if messages look suspecious. Users are
instructed to deleted any e-mails that are not essential.

I think the patches we already have in place with OE require the users
to click on an icon in OE to show HTML if the messages are not plain
text.

Win9x has yet to be subject to clickless pure network worm attacks.

This is my primary concern with Win98, and i'll be listening to hear
what others are saying about it.

If you cannot patch, then XP can suddenly become deadly, thanks to
all the network surfaces it exposes *plus* the intense focus on exploiting
these. Make no mistake, there will be exploitable surfaces within IE 5.5
(even as patches stop altogether) but they are less likely to be attacked
unless an attack crafted for IE 6 also "fits the gap" (quite likely).

Again, I can patch with-in reason. But It's a part-time job with many
things to do. Patching 30 or so computers twice a month is a problem.
I wish Microsoft or someone else would come up with a better solution
than requiring a small company or business to have full time IT staff
just to deal wth this crap. Why can't they come out with some type of
hardware solution where the updates get applied rather than our local
hard drives, so we don't have to worry that installing updates are
going to crash machines? If it caused a problem, simply remove the
chip and your computer works fine but is unprotected until the issue
is addressed.

I've never seen a case where updating anti-virus definitions (with
maybe an exception of program updates) caused a computer to crash or
affected the OS or other applications from working correctly. The
same can not be said for Windows Updates. Every time they come out
with new ones, dozens of people complain on this list group alone.
Their has to be a better solution.

But the main thing is, Win9x exposes far fewer network surfaces, and
what pure network surfaces there are, will be such different code that
attacks crafted for XP are unlikely to succeed.

That's my feeling about it. But at the same time, I don't want to be
the only one in this position or keep us exposed to the possibility
this could change. Especially if Microsoft really isn't going to be
releasing any new updates for Win98.

I certainly feel we would likely to have suffered far more problems
over the past couple years from attacks if all the pcs were running
WinXP.


: ...after July Win98 might be unsafe finally and we may finally
: decide to replace all the older pcs. But we'll see. We'd rather
: replace them as needed by software requirements.

I don't think Win9x will be much more unsafe as far as exploitability
goes, because by now, you'd expect most weaknesses to have been
found. It's not only MS that "no longer supports" Win9x; once the
pool of users shrinks to the world's poorest on-line users, the interest
of malware writers tends to dry up as well.

That's what i've been betting on, but again, we don't want to be one
of the few companies taking the risk. If it was clear others in our
position were going to, i'd feel a lot better about it.


What is more likely to obsolete Win9x systems are things like...
- can't get small enough HDs and old enough RAM to fix old PCs
- can't easily use USB sticks, card readers, cameras, etc.
- can't get printers, scanners etc. that come with drivers
- patchable edge-facing apps (e.g. Acrobat Reader, Firefox) won't run
- can't find updated av or firewall that will run on Win9x anymore
- some LoB app you need won't run on Win9x

I'm well aware that Win98 isn't going to be useable forever. And as
issues like the above become an issue, we certainly replace systems at
that point. We've been doing that on an individual basis so far as
needed.

It's like keeping an old car. For a period of time it will be more
economical to keep the old car than replacing it with a new one,
"until" you start having major problems with it.

So far i've been able to keep most of the old machines running myself.
When the hardware starts to fail, and it is clear i'm going to have to
spend a good amount of time fixing or money & time for parts. It's an
easy decision to replace a machine at that point.

Certainly when decent AV's are no longer Win98 compatible, we will
definately get rid of the Win98 systems.

Acrobat Reader 7, the latest version, requires XP. So far we've
hadn't needed it as everything opens just fine in 6, or even 5 for
that matter.

I tend to like to keep old printers around, especially laser.
Supplies are generally much cheaper than newer models. Newer ink jet
printers tend to give you far less ink than older models, but i've
just about phased ink-jets out completely.

Again, when our needs change it will be no problem convincing the
company to spend money on upgraded computers. Explaining we need to
do this just because of a security risk alone is difficult. But i'm
discussing it here to try to determine what others in IT would do if
in a similar position as me. Sometimes we have to worry if the doors
are still going to be open in 6 months or the next year. How can I
say, we need to spend many thousands dollars on new computers (and a
lot of IT time) because their might be a security risk if we don't?
I've certainly let them know the risks anyhow.

It's really a matter of how hard should I be pushing, and i'm asking
experts like this group for advice if everyone feels it's too much of
a risk not spending the $$$.

A fresh install of IE 6 over IE 5.00 will run slower at first, until Win98+
figures out which new code to locate at the front of the volume and a
defrag puts that awareness into effect. After that there may still be a
slowdown factor due to bloat. Firefox is trimmer, but even that will be
slower than (say) IE 3.0x on a really old 16M-32M RAM PC. The
Windows Explorer bug is *far* worse than the "normal" slowness!

Again, all of these pcs are well above that. 128 megs of ram, 600mhz
is plenty fast enough to run almost any Win98 app well enough.

You can rely on Vista to respond definitively to today's issues that
plague XP (or at least many of them), but it's also going to be dripping
with brand new version 1.00 features that will bring new risks. Even
old features rendered in brand new code may have that effect.

The idea of waiting for Vista for some of the machines mostly has to
do with longevity. A new machine running Vista will no doubt not
require us to replace a machine or OS for a long time.

If we replace all these with WinXP just over security issues, and
Vista is just around the corner, we could be faced with needing to do
this again too soon. What's to make Microsoft decide not to phase out
XP security updates quickly? Or maybe lots of new apps will attract
us to Vista or require it.

Replacing these machines with XP machines over security issues, when
we'd be replacing them with an already nearly outdated OS (XP) seems
silly. Not a good long term investment. Oddly Win98 still serves the
needs of most of our users, with a few exceptions.

Using patchable FireFox rather than unpatched IE makes sense
on Win9x, until such time that FireFox won't run on your Win9x.
FireFox is a smaller download, which is a mercy for modem users,
so even if you have to install a new version every time, it's still small,
plus (unlike IE) you can amputate it.

Again, we're not "that out of date". We have DSL, and machines that
handle FireFox well.

I'd agree with that, up to a point. The main win with Win9x is none
of that Lovesan, Sasser etc. "global in 20 minutes" clickless attack.

...so far.

I never forgot about Blaster, and how Win98 was not affected by it.

There's a case to be made for IE 3.00 with pre-HTM email app :-)
I use that solution a lot, with 486DXn and early Pentium Win95 PCs.

Now we're talking antiques, although I remember buying similar
machines new for here back in those days.

Of course, I still have my Apple ][ machine (dinosaur). Hasn't been
turned on in decades however. A past life of mine i've left behind
and never looked back. Lots of progress since then.

But 600mhz, 128 megs ram & Windows 98se? Still "widely" in use, and
redicuous to have to replace just because Microsoft wants to force us
to upgrade. Most of our apps require 1/3 of that.

If they get away with it this time, you can bet in a couple more years
they'll say we need to upgrade every other year if we want "safe"
networks & computers
.

.

Relevant Pages

  • Re: Group Policy - Pushing out Software
    ... going to VNC into the computer, log on as the local Admin and do my thing". ... I would suspect that you are familiar with 'updates' via GPO. ... I know the way we access users machines using Remote Desktop ... > life easy for 2 administrators keeping 80 users machines updated. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Tracking down hi-tech crime
    ... Technology Correspondent, BBC News website ... regularly logging how many potential net-borne attacks hit the average ... programs able to recognise when they have trespassed on a honeypot. ... they search for fresh victims and make host machines unstable. ...
    (uk.legal)
  • Tracking down hi-tech crime
    ... Technology Correspondent, BBC News website ... regularly logging how many potential net-borne attacks hit the average ... programs able to recognise when they have trespassed on a honeypot. ... they search for fresh victims and make host machines unstable. ...
    (uk.legal)
  • Re: Is a Windows 98se computer more, or less, of a security threat with IE 5.5 (unused) & Firefo
    ... from drive-by attacks its a closer ... and i'm aware that Win98 doesn't have real security like NT ... It's not only MS that "no longer supports" Win9x; ... So far i've been able to keep most of the old machines running myself. ...
    (microsoft.public.windowsupdate)
  • Re: Exceptional Error - Custom Menus deleted at startup of Access
    ... machines with SIMILAR ... And more precisely I sould say that I have "Microsoft Office 2000 ... * "If updates would be making this kind of problems then why other machines ... > implied that installing the updates would break things. ...
    (microsoft.public.access.formscoding)