Suggested patches for W98SE- OT

M

ms

I asked on a W98 newsgroup, no answer, maybe too general, hope for
advice here.

MS support for W98SE is ending shortly.

I've run W98SE, DUN 1.3 and Netscape for years with no security
problems. I seldom use IE 5.01SP2. WMP is the default W98 version.

I just checked and have the following updates installed previously:
This list came from the Update Availability function.
W98SE:
UPD/Q 238453 Spoofed Route Pointer November 29, 1999
UPD/Q 249973 "Malformed RTF Control Word", January 17, 2000 (MS00-005)
UPD/Q 242975 Storage Supplement 22 Dec 99
W98:
UPD/Q 245729 File Access URL vulnerability
Telnet: UPD 3780

There are many possible patches.

Can I get some guidance from the Windows experts here on what patches
are considered mandatory for security considering the usage shown above?

Mike Sa
 
J

Juzme

I asked on a W98 newsgroup, no answer, maybe too general, hope for
advice here.

MS support for W98SE is ending shortly.

I've run W98SE, DUN 1.3 and Netscape for years with no security
problems. I seldom use IE 5.01SP2. WMP is the default W98 version.

I just checked and have the following updates installed previously:
This list came from the Update Availability function.
W98SE:
UPD/Q 238453 Spoofed Route Pointer November 29, 1999
UPD/Q 249973 "Malformed RTF Control Word", January 17, 2000 (MS00-005)
UPD/Q 242975 Storage Supplement 22 Dec 99
W98:
UPD/Q 245729 File Access URL vulnerability
Telnet: UPD 3780

There are many possible patches.

Can I get some guidance from the Windows experts here on what patches
are considered mandatory for security considering the usage shown above?

Mike Sa

Once again, Fred Langa to the rescue. See his "Not So Subtle..." under:
http://langa.com/newsletters/2003/2003-12-15.htm#1
Good luck, juzme
 
F

Fuzzy Logic

ms said:
I asked on a W98 newsgroup, no answer, maybe too general, hope for
advice here.

MS support for W98SE is ending shortly.

I've run W98SE, DUN 1.3 and Netscape for years with no security
problems. I seldom use IE 5.01SP2. WMP is the default W98 version.

I just checked and have the following updates installed previously:
This list came from the Update Availability function.
W98SE:
UPD/Q 238453 Spoofed Route Pointer November 29, 1999
UPD/Q 249973 "Malformed RTF Control Word", January 17, 2000 (MS00-005)
UPD/Q 242975 Storage Supplement 22 Dec 99
W98:
UPD/Q 245729 File Access URL vulnerability
Telnet: UPD 3780

There are many possible patches.

Can I get some guidance from the Windows experts here on what patches
are considered mandatory for security considering the usage shown above?

Anything under Critical. Note that IE patches are recommended even if you
don't use IE as it's so tightly integrated with the OS. I would also
consider most patches under Recommended as well as any driver updates that
are available.
 
M

ms

Fuzzy said:
Anything under Critical. Note that IE patches are recommended even if you
don't use IE as it's so tightly integrated with the OS. I would also
consider most patches under Recommended as well as any driver updates that
are available.

Thanks for the comments.

This is the link I used:
http://www.microsoft.com/windows98/downloads/corporate.asp

That "seems" to be what you meant, although IE was not mentioned.

Some of the links on that MS page are now dead.

If you have a better URL, please let me know.

Mike Sa
 
F

Fuzzy Logic

ms said:
Thanks for the comments.

This is the link I used:
http://www.microsoft.com/windows98/downloads/corporate.asp

That "seems" to be what you meant, although IE was not mentioned.

Some of the links on that MS page are now dead.

If you have a better URL, please let me know.

http://windowsupdate.microsoft.com/ is the definitive place to go. Not all
the patches are available for download via the link you provided but you
may be able to get them via the 'read more' links on the WindowsUpdate
site. Also check you install history on the WindowsUpdate site to get any
patches you may have already installed.
 
F

Fuzzy Logic

jason said:
I tried following Langa's instructions, but the first step was to select
"Personalize Windows Update" in the left column on the screen, and that
option was grayed out. Anyone else experience this?

Works for me. Maybe you have disabled cookies?
 
M

ms

Fuzzy said:
http://windowsupdate.microsoft.com/ is the definitive place to go. Not all
the patches are available for download via the link you provided but you
may be able to get them via the 'read more' links on the WindowsUpdate
site. Also check you install history on the WindowsUpdate site to get any
patches you may have already installed.

My W98SE and IE 5.01 don't agree with the requirements of that site,
same for Firebird. Too much ActiveX, etc, crap.

I'll do some more searching on the MS site.

Mike Sa
 
J

jason

Fuzzy said:
Works for me. Maybe you have disabled cookies?

Hmmm. I don't know. I tried using IE (since I had no success with other
browsers in the past), but most of the options were greyed out and I got
a message about not having ActiveX enabled. I never use IE, so I'm not
sure what my settings are.

I just now tried pasting the Windows Update URL into Mozilla. It said I
need IE to update, but if I wanted to use another browser to go to
another page. I went to the other page, and it's nothing like the
example given in the Langa report. This is the page:

http://www.microsoft.com/downloads/search.aspx?displaylang=en&categoryid=
7
 
M

ms

Fuzzy said:
http://windowsupdate.microsoft.com/ is the definitive place to go. Not all
the patches are available for download via the link you provided but you
may be able to get them via the 'read more' links on the WindowsUpdate
site. Also check you install history on the WindowsUpdate site to get any
patches you may have already installed.

From a MS W98 ng, it turns out that the update site requires that IE be
the default browser on my computer, and it won't accept IE ver. 5.01,
has to be at least ver. 5.5.

I don't need the patches that bad.

MS
 
J

jason

ms said:
From a MS W98 ng, it turns out that the update site requires that IE
be the default browser on my computer, and it won't accept IE ver.
5.01, has to be at least ver. 5.5.

I don't need the patches that bad.

Thanks Mike. I guess that explains why I've never been able to update
Windows.

I don't need the patches that bad either.
 
M

ms

jason said:
Thanks Mike. I guess that explains why I've never been able to update
Windows.

I don't need the patches that bad either.
Hello Jason:
And mine continues to work, 4 years since install, basically unpatched.
The first 3.5 years were flawless, now that the countless
install/uninstall garbage is present, it's showing signs of age.
Someday, I'll do a fresh install. The custom PC lasts a long time, but
OS install is always a headache.

Mike Sa
 
B

bassbag

Thanks Mike. I guess that explains why I've never been able to update
Windows.

I don't need the patches that bad either.
You could always use a cover disk off a mag to put a newer version
on.Make it default until you update windows then make your usual browser
default?
me
 
J

jason

bassbag said:
You could always use a cover disk off a mag to put a newer version
on.Make it default until you update windows then make your usual browser
default?

I could do that, but is it worth it? I haven't kept up on this stuff, so
what am I missing by not having the patches? I use Proxomitron, Zone Alarm,
keep javascript turned off (most of the time), don't use IE, have file-
sharing disabled, am "sort of" up-to-date in the anti-virus department, and
periodically run SpyBot/Adaware. So where are the risks?
 
R

REMbranded

I could do that, but is it worth it? I haven't kept up on this stuff, so
what am I missing by not having the patches? I use Proxomitron, Zone Alarm,
keep javascript turned off (most of the time), don't use IE, have file-
sharing disabled, am "sort of" up-to-date in the anti-virus department, and
periodically run SpyBot/Adaware. So where are the risks?

I recall an exploit that keys on IE even if you are not using it. I
don't recall if it was the buffer overflow or another exploit.

I'm unsure if the various utilities that you are running will protect
against this or not. I'll bet that you will be safer in giving IE/OE
no permissions whatsoever. Or better, get the updates and install them
and grab the MS CD if it is offered.

I'm searching for more info, but so far I haven't found it.
..
 
R

REMbranded

I'm searching for more info, but so far I haven't found it.

Ah, here it is. And there are several more patches for exploits that
can bite you in the form of reading a mal-formatted email or in
visiting a mal-designed web site if you're unpatched, according to MS.

"Cumulative Security Update for Internet Explorer 5.5 SP2 (KB824145) -
(Posted Date: November 06, 2003)
Download size: 2.2 MB, < 1 minute

Security issues identified in Internet Explorer could allow an
attacker to compromise systems with Internet Explorer installed (even
if it is not used as the Web browser). For example, an attacker could
run programs on a computer used to view the attacker's Web site.
Download this update from Microsoft to help protect your computer.
After installation, you may have to restart your computer."


More details:

<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-048.asp>
 
J

John Corliss

(snip)
Ah, here it is. And there are several more patches for exploits that
can bite you in the form of reading a mal-formatted email or in
visiting a mal-designed web site if you're unpatched, according to MS.

"Cumulative Security Update for Internet Explorer 5.5 SP2 (KB824145) -
(Posted Date: November 06, 2003) Download size: 2.2 MB, < 1 minute

Security issues identified in Internet Explorer could allow an
attacker to compromise systems with Internet Explorer installed (even
if it is not used as the Web browser). For example, an attacker could
run programs on a computer used to view the attacker's Web site.
Download this update from Microsoft to help protect your computer.
After installation, you may have to restart your computer."

More details:

<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-048.asp>

This really made me laugh:

"Who Should Read This Document: Customers who have Microsoft® Internet
Explorer® installed"

as if the bulk of the user community has a #$%@*?! choice.

I simply am not buying into it. My belief is that Microsoft is pushing
these "patches" in order to modify older versions of their OS so that
they don't work as well, more actively use DRM and-or can't be
end-user modified in certain areas. It wouldn't surprise me a bit if
THEY are the ones starting such things as the MBlast virus in order to
scare everybody into patching.

Also, notice what it is that's causing the security "vulnerabilities":

ActiveX controls and active scripting.
 
R

REMbranded

This really made me laugh:
"Who Should Read This Document: Customers who have Microsoft® Internet
Explorer® installed"
as if the bulk of the user community has a #$%@*?! choice.

That's pretty bad, I admit.
I simply am not buying into it. My belief is that Microsoft is pushing
these "patches" in order to modify older versions of their OS so that
they don't work as well, more actively use DRM and-or can't be
end-user modified in certain areas. It wouldn't surprise me a bit if
THEY are the ones starting such things as the MBlast virus in order to
scare everybody into patching.

I dunno John. I think that it is common knowledge that many people
despise MS and enjoy watching it squirm like a beached whale when
simple exploits are passed about. I get a kick out of watching myself
<G>. But I don't want to get burned in the process. 98SE serves me
very well and I intend to run it as long as I can; then it's farewell
to MS!

Common sense can prevent many exploits. But, an ill-formatted email or
web page is tough to guard against in everyday computing. The fact
that someone can run programs on my machine if I come across one of
these is enough to make me patch. It's the principle of the thing. I
want to be in complete charge and I feel that I am since installing
all security patches and running several programs to protect and
inform me of anything funny going on. I did the recommended "network
unbinding" at grc.com. I keep all security programs updated, usually
checking everytime I boot up. Collectively I think doing all of this
leaves me in complete control... until the next 98 exploit anyway that
is not addressed by MS.

I think the entire problem was Bill's schedule; he actually named 95
and 98 for the years they were to come out. There was insufficient
security studies. The poor programmers had time only to keep the
darned things from blue screening when released. Money talks, security
walks. At least they did address the most important flaws. I don't
think that running connected to the internet without the updates is
wise myself.

I'm pretty sure that nothing was changed in updating that gives MS a
poker in my fire. 98SE (fully patched) is mine as far as I can tell.
There is no spyware. I've removed the ads. There is no registration
crap like I got in purchasing Excel. The OS does my bidding and not
that of MS.
Also, notice what it is that's causing the security "vulnerabilities":
ActiveX controls and active scripting.

A completely bad plan by MS, for certain.

http://www.grc.com/default.htm

"Introducing the DCOMbobulator

400,178 downloads (1,490 per day) The DCOMbobulator allows any
Windows user to easily verify the effectiveness of Microsoft's recent
critical DCOM patch. Confirmed reports have demonstrated that the
patch is not always effective in eliminating DCOM's remote exploit
vulnerability.

But more importantly, since DCOM is a virtually unused and unneeded
facility, the DCOMbobulator allows any Windows user to easily disable
DCOM for significantly greater security"

My patching was successful. I did use this program to 'further"
disable it.

http://www.grc.com/dcom/

"The strange history of DCOM
Many years ago, Microsoft began modularizing Windows and their Windows
applications by breaking them into functional components with
well-defined, "version safe" interfaces. The idea was to allow pieces
of Windows and applications to inter-operate.

The name first given to this effort was "OLE", which stood for Object
Linking and Embedding. OLE suffered nearly terminal birthing pains and
developed a reputation for being a bad idea. Undaunted, Microsoft
renamed it COM for "Component Object Model". This was still the same
old OLE, but Microsoft appeared to hope no one would notice. COM fared
somewhat better, but it wasn't until Microsoft gave it the sexy name
"ActiveX", and built it into virtually everything, that developers
finally gave up trying not to use it.

What does all this have to do with you?

Absolutely nothing . . . and that's the point...."
 
J

jason

Common sense can prevent many exploits. But, an ill-formatted email or
web page is tough to guard against in everyday computing.

But if the common denominator is scripting, shouldn't something like
ScriptTrap (which I also use and forgot to mention), along with keeping
scripting turned off in the browser do the trick? Obviously, I'd rather be
completely safe, but it goes against everything I believe in to have to
make IE my default and get an updated version of it, just to "patch" an IE
(or other) exploit.
 
Top