If you’re still using Windows 98 or Windows Me on a computer that’s connected to the Internet, you’re either crazy or suicidal. Maybe both.
The Windows flaw described in Microsoft Security Bulletin MS06-015 is the worst type of all. If you visit a website that exploits this vulnerability, it’s game over. As Microsoft’s bulletin explains, “An attacker who successfully exploited this vulnerability could take complete control of an affected system.”
A patch released at the end of April fixed this issue for anyone running Windows XP, Windows 2003, or Windows 2000. But if you’re running Windows 98 or Windows Me, you’ve got a problem:
Microsoft has found that it is not feasible to make the extensive changes necessary to Windows Explorer on Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) to eliminate the vulnerability. To do so would require reengineering a significant amount of a critical core component of the operating system. After such a reengineering effort, there would be no assurance that applications designed to run on these platforms would continue to operate on the updated system.
Microsoft has extensively investigated an engineering solution for Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME). We have found that these architectures will not support a fix for this issue now or in the future.
Now, these older Windows versions are at the end of their life cycle anyway, and the explanation in this security bulletin isn’t just an excuse: The amount of effort required to patch this vulnerability for older versions of Windows Explorer would be overwhelming, and it would break lots of apps (look at the list of troubles that occurred with supported Windows versions when the patch was first released, and then imagine an order of magnitude more grief). [Update 14-Jun 7:00AM: Even the Open Source community agrees that maintaining older versions of Windows is a burden. That's why the next release of Firefox won't support Windows 98.]
So, Microsoft says, “Sorry, you’re out of luck. Time to upgrade.” But for many people, especially those on fixed incomes, the cost of upgrading is nontrivial. And so we have a standoff, with the most vulnerable computer users stuck with an insecure operating system, and Microsoft looking like Snidely Whiplash.
I think I have a solution, one that I’ve been pushing for a while now: Microsoft should release a version of Windows XP Starter Edition in North America and Europe and target it specifically at people who are unwilling or unable to upgrade to a more expensive version.
When I first offered this suggestion last year, I suggested that Microsoft sell the package for $29.99 and throw in a free six-month subscription to its new OneCare Live service. Now that Windows 98 and Windows Me are officially unsupported and certifiably dangerous, it’s time for Microsoft to consider this suggestion even more seriously.
As I wrote last year, I don’t believe that selling Starter Edition would cannibalize sales of existing Windows versions:
The operating system has some serious limitations that would rule out its use by any computer enthusiast:
- Only three programs run at a time. (Hey… You can’t reliably run more than a handful of programs on Windows 9X anyway.)
- The display runs only at 800 X 600 resolution. Most people who are stuck with old hardware and an old version of Windows are probably running at this resolution anyway.
- No home networking or multiple user accounts.
- Settings are preconfigured for novices.
But think of the serious advantages. Upgraders would have all the security fixes of Service Pack 2. They’d be able to run IE7 when it’s available later this year. They could run Windows AntiSpyware [now Windows Defender]. They’d have an easier time with digital cameras and portable music players.
I think this solution would go a long way toward fixing the real problem of people running older, insecure operating systems. It would also give Microsoft an answer to the accusation that they’ve abandoned a core group of customers.
Hey, Scoble’s still in Redmond for another few weeks. Maybe he can talk Steve Ballmer into doing something bold like this.