Microsoft, Windows-98, and the WMF vulnerability revisited

[Virus Guy]

Again, the behavior of Macro$haft regarding win-98 support is
baffling. Here we have MS's announcement of a new (but currently
obscure) vulnerability:

Microsoft Security Bulletin MS06-002
Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution
(908519)
http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx

Again, no link is provided for Windows 98. Instead we get the typical
verbiage: "Review the FAQ section of this bulletin for details about
these operating systems." This is usually a forboding precursor to a
stark message saying that a patch for Win-98 is not available and may
never come. In this case, suprise suprise - we read "They will be
made available as soon as possible following the release. When these
security updates are available, you will be able to download them only
from the Windows Update Web site."

Ok. Let's go to windowsupdate.

Yes, MS has a security update for 98. Specifically:

Security Update for Windows 98 (KB908519)
Download size: 210 KB

Wow - so why aren't they providing a link to this item so I can
download it myself?

Ok - I selected this item and commenced the downloaded - then pulled a
fast one and cancelled it at the split-second that the download
completed. What I found in my temp directory was this:

Windows98-KB908519-ENU_5a83ea1360d1ebaa28c9b8bd1b389f9[1].EXE

Which Winzip was able to unpack.

The (only) file that seems to have been updated was t2embed.dll.
Curious - it's dated Nov 24/2005.

So, here we see that official hot-fix / security update / extended
support for Windows 98 is not over. MS may not release a fix for
Win-98's GDI32.dll (WMF problem) but as we know by now that
vulnerability is more theoretical than actual (for 98 that is).

 

[Adam Piggott]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Virus Guy wrote:

Again, the behavior of Macro$haft regarding win-98 support is
baffling.

RTFM.
Windows 98: http://support.microsoft.com/lifecycle/?p1=6513
Windows 98 SE: http://support.microsoft.com/lifecycle/?p1=6898

They have had these Life Cycle policy pages up for so long they've re-done
the layout already; I believe at least three years.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFDxNF17uRVdtPsXDkRAjc7AKCTsZMcB27eH1gSy5bU+CCAMneliACgnEI7
OGEquwGL82erVK8zaBw+l9g=
=qRdT
-----END PGP SIGNATURE-----

 

[ABC]

Again, the behavior of Macro$haft regarding win-98 support is
baffling. Here we have MS's announcement of a new (but currently
obscure) vulnerability:

Microsoft Security Bulletin MS06-002
Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution
(908519)
http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx

Again, no link is provided for Windows 98. Instead we get the typical
verbiage: "Review the FAQ section of this bulletin for details about
these operating systems." This is usually a forboding precursor to a
stark message saying that a patch for Win-98 is not available and may
never come. In this case, suprise suprise - we read "They will be
made available as soon as possible following the release. When these
security updates are available, you will be able to download them only
from the Windows Update Web site."

Ok. Let's go to windowsupdate.

Yes, MS has a security update for 98. Specifically:

Security Update for Windows 98 (KB908519)
Download size: 210 KB

Wow - so why aren't they providing a link to this item so I can
download it myself?

Ok - I selected this item and commenced the downloaded - then pulled a
fast one and cancelled it at the split-second that the download
completed. What I found in my temp directory was this:

Windows98-KB908519-ENU_5a83ea1360d1ebaa28c9b8bd1b389f9[1].EXE

Which Winzip was able to unpack.

The (only) file that seems to have been updated was t2embed.dll.
Curious - it's dated Nov 24/2005.

So, here we see that official hot-fix / security update / extended
support for Windows 98 is not over. MS may not release a fix for
Win-98's GDI32.dll (WMF problem) but as we know by now that
vulnerability is more theoretical than actual (for 98 that is).

Microsoft have not supported Win9x for some time. If you are still using
Win9x on your machines, then I suggest you dump them in the nearest skip.

 

[Virus Guy]

You know, after I post this:

Yes, MS has a security update for 98. Specifically:

Security Update for Windows 98 (KB908519)
Download size: 210 KB

It boggles the mind that some people can say this:

ABC wrote:

Microsoft have not supported Win9x for some time.

You wonder about the thought process of some people - especially when
they go on and say:

If you are still using Win9x on your machines,
then I suggest you dump them in the nearest skip.

Isin't a skip a small, 1 or 2 person sailboat? I don't have one handy
- sorry.

 

[Virus Guy]

Steve Gibson, who's working on a WMF patch for 9X/ME, claims to
have written a PoC which will crash apps.[1]

He states that he has been able to craft a WMF file that will crash
the application performing the rendering. He suspects that the crash
is exploitable - and as you say he hasn't been able to perform a
controlled exploit.

Which is sort of surprising, seeing how fast some example WMF files
were created to test the exploit on XP systems.

Given your interest in maintaining Win98's stellar reputation
as a secure OS, I thought you might want to follow along.

Hey, it's MS that is maintaining 98's reputation all by themselves.
They keep releasing strategic security patches for it (very rare
patches for core files - not counting all the patches for IE or OE).

What Gibson should put more effort into is trying to determine just
how a Win-98 system behaves when a WMF file (rogue or not) is
encountered during activities such as web browsing, e-mail reading, or
file/directory browsing or indexing. He should also try to determine
ME's vulnerability status (for which, I think, MS has not supplied a
fix for).

 

[BC]

This whole WMF thing is looking more and more
as being exclusive to XP and with Microsoft Picture
and Fax Viewer (present on XP -- Win98 uses instead
one supplied by Kodak) being more and more the
prime suspect:
http://www.informationweek.com/news/showArticle.jhtml?articleID=175802831
http://arstechnica.com/news.ars/post/20060111-5950.html

I've read of one tech-ish people who avoids using
XP altogther for web browsing, using instead Win98
since it inherently has less programming hooks
exposed. Not a bad idea -- that's what I do as well.
I have some high-powered XP Pro PC's but I feel
more and more exposed using them for any sort of
extensive web surfing, even with Firefox, regardless
of whatever security I put on them. I spent an entire
afternoon fairly recently cleaning up an XP belonging
to a friend's mom that was so saturated with worms
and spyware that I ended up using about a dozen
or so different products, along with some manual
removals, before I got it cleaned. I got lucky with
the very last product (a modified version of
Kaspersky) that I was only using to try to detect
one more elusive spyware bug that I was sure was
still present -- it detected that but also a rootkit as
well that the others missed. I was still feeling a
little antsy that everything that everything was truly
got when I dropped it off.

When Vista comes out, it'll likely be the XP's that
get dumped first and not the Win98's

-BC

 

[Art]

When Vista comes out, it'll likely be the XP's that
get dumped first and not the Win98's

Nor the Win MEs and 2Ks that just keep on purring along without
any problems.

Art

http://home.epix.net/~artnpeg

 

[* * Chas]

Microsoft have not supported Win9x for some time. If you are still using
Win9x on your machines, then I suggest you dump them in the nearest

skip.

Research your information and hopefully gain knowledge before placing
foot in mouth.

There was so much uproar when MS tried to end update support for
Win98/98SE that they were forced to extend support until June 20, 2006.
In their own words, 25% of business users were still running Win98/98SE.

I have just about every version of Windows from 3.1, Win95, Win98, NT
3.1 to Win2003 (except ME).

I have Win2k on one system for running programs that no longer work with
Win98SE and I have several laptops with XP for wireless support.

Several reasons that I still like Win98SE:

1. When a program freezes and the system locks up (maybe once a month),
I can do a 3 finger reboot or a reset and be back to work in 1-2
minutes. When any NT based system freezes it can take up to 10 minutes
to recover.

2. When I've had problems with Win98SE I've usually been able to fix
them in a short period of time. On the other hand, I've spent days
trying to fix bunged up NT based systems including doing restores from
tape back up and Ghost images.

3. There seems to be less malware directed at Win98SE.

My company is a wholesale hardware vendor with 6 branch offices. We run
the company off of an IBM AIX Unix network through terminal emulated PCs
plus we still have a number of dumb terminals. We have a lot of sales
engineers and other high end geeks in the company. Our most experienced
person still uses a Win98SE PC and laptop to connect to our Unix network
because he says it's less trouble than Win2k or XP.

We update to XP Pro when we replace our PCs. To update or replace 150+
PCs at one time is very time consuming and expensive. We still have a
few Win98SE PCs and a lot of Win2k boxes. For what most of our people
use them for - terminal emulation, Word, Excel, Internet and E-mail,
they work fine and are a lot simpler to keep running than the XP boxes.

A lot of businesses have taken this tact.

If it ain't broke, don't fix it!

Chas.

 

[BC]

When Vista comes out, it'll likely be the XP's that

Nor the Win MEs and 2Ks that just keep on purring along without
any problems.

I don't know about the ME's, but yeah, the 2K's have
been pretty well-behaved too.

-BC

 

[Offbreed]

I've read of one tech-ish people who avoids using
XP altogther for web browsing, using instead Win98

Oh, great.

Back to being "Target Number One".

 

[BC]

Tar-shay Numero Uno?

-BC