Windows 98 Users Face Increased Security Risk, Says Study

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,4149,1410097,00.asp

By Peter Galli 
December 11, 2003   
 
A new research paper to be released on Thursday is warning those 
companies still running Microsoft Windows 98 that they face an 
increased risk of a network security breach when Microsoft retires the 
product at the end of this year. 

The study, released by Ottawa-based AssetMetrix Research Labs and 
titled, "Usage Analysis & Risks of Obsolete Operating Systems: 
Microsoft Windows 95 & Windows 98," points out that while Microsoft 
Corp. is preparing to retire a number of its flagship products, there 
are still a large number of PCs in the corporate environment running 
Windows 98 and Windows 95. 

Inventory data of more than 372,000 PCs - from some 670 companies with 
between 10 and 49,000 employees - found that more than 80 percent of 
these companies were still using Windows 98 and/or Windows 95. 

"On January 16th, 2004, Microsoft Windows 98 enters the non-support 
portion of its support lifecycle. Windows 98 is considered obsolete, 
and security-based hot fixes will not be generally available for users 
of Windows 98 or Windows 98-Second Edition," said Steve O'Halloran, 
managing director of AssetMetrix Research Labs. 

With the high trend of security exploits against Windows and 
associated applications and with Microsoft's increased efforts to 
patch security exploits via monthly hot fixes, companies with 
Internet-facing PCs running Windows 95 or Windows 98 will now face an 
ever-increasing risk of a network security breach, he said. 

"As we began to help some of our customers plan to migrate away from 
Windows 98, we noticed that the number of Windows 98-based PCs was 
higher than we would have anticipated. Our data also indicated that 
the major driver is a direct result of delaying PC refreshment 
purchases during the recent economic slowdown," he said. 

The study also found that more than 27 percent of PCs were running 
Windows 95 or Windows 98, compared to only 7 percent for Windows XP, 
while Windows NT4, for which mainstream support ended in 2002, is 
still prevalent in the corporate environment at a rate of over 13 
percent. 

"Companies with a significant investment in Windows 98—and who did not 
purchase an extended hot fix support contract this summer—should 
immediately evaluate strategies to retire all installations of 
'Internet-facing' Windows," the study said. 

The study also suggests that companies ensure that all their PCs, 
regardless of operating system, have the latest Microsoft Security hot 
fixes and that they identify the magnitude of Windows 95 and Windows 
98 via a PC inventory. 

"Any Windows 95 or 98-based PC with access to the Internet (including 
mobiles that leave the company network) should be candidates for 
migrating to Windows XP or Windows 2000. Companies should also 
determine if installations of Windows 2000 or Windows XP are covered 
under a Microsoft Volume Licensing Agreement," it says. 

To help its customers with this, AssetMetrix, the Lab's parent 
company, will on Thursday announce a new asset management service 
known as Win98-Exodus, designed to help corporations identify PCs 
running Windows 98 and Windows 95 and help them develop a migration 
strategy toward Windows 2000 and Windows XP. 

"Companies need to be better informed about the potential security 
risks associated with using Windows 98 or Windows 95 within their 
corporate environment. With Win98-Exodus, AssetMetrix customers can 
view the details of any PC within their organization that is running 
either Windows 95, 98 or NT. 

"They can then drill down to detailed reporting on the individual 
components of each PC, assign pricing values for each required 
hardware or software component upgrade, estimate labor time and cost, 
as well as viewing application compatibility reporting for each PC," 
said Jeff Campbell, the president of AssetMetrix. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.