Microsoft's decision to end support for Windows 98 could pose significant security challenges for many users, Microsoft customers and security experts report.
On December 8, Microsoft announced its intention to halt further distribution of Windows 98, with the exception of Windows 98 Second Edition, by the end of this month. The move is being made to comply with a legal settlement with Sun Microsystems over a dispute about the Java programming language.
Just days after that announcement, industry experts warned that the operating system is still widely used within organizations. If Microsoft keeps its promise to stop issuing security patches in January, prompting companies worldwide to weigh costly jumps to newer Windows versions, those companies will face serious challenges, experts say.
End of the Road
The Redmond, Washington company ended no-charge incident support for Windows 98 on June 30 and has long warned that it will discontinue paid incident support on January 16.
After that date, Microsoft has no plans to continue producing security patches for Windows 98 even if a virus or worm outbreak targets that platform, according to a company spokesperson.
Should such an outbreak occur, customers should upgrade to a supported Windows operating system, she says. For those who do not upgrade, information and firewall and antivirus software from third-party companies can help protect vulnerable Windows 98 systems, the spokesperson says.
With more than 39 million copies of Windows 98 installed across the globe, according to research group IDC, the impact of Microsoft's policy on Windows 98 will be felt far and wide.
Plugging the Holes
For Atmel, a Colorado Springs, Colorado maker of semiconductors, third-party software products are patching holes left by Microsoft's end of support for Windows 98, says Bill VonDane, a senior systems engineer at Atmel.
Atmel has about 1200 desktop computers running Windows 98, most used by employees for e-mail, word processing, and other office functions. The company also has hundreds of machines in its fabrication facility that run test equipment and machines used to create semiconductors, many of them performing critical functions, he says.
Atmel uses antivirus software by Sophos at the network gateway and on user desktops; it updates its virus definitions every hour. The company also has a plan to upgrade desktop users to Windows 2000 or Windows XP Professional machines, VonDane says.
But for many of the machines on the manufacturing floor, migration is not such a simple matter. Often, the software controllers that run the fabrication equipment work on Windows 98 only. In fact, Atmel still has a number of Windows 95 and Windows 3.1 machines running on its production floor for that reason, he says.
Viruses that affect Windows 98 are a concern, VonDane admits. Despite that, he is resigned to the end of support for the OS, and does not consider it a major security issue.
"I don't see problems with running an older OS if it works. The bottom line is that we've had an end-of-life issue with Windows 98 for quite some time," he says. "I'm not looking for support from Microsoft. The only thing I'm concerned with is making sure Sophos [antivirus] is updated."
Atmel's situation is common, according to Steve O'Halloran, managing director of AssetMetrix in Ottawa, which recently conducted research into Windows deployments in 672 companies that use its asset management products.
The review of companies in the United States, Canada, the UK, Australia, and New Zealand found that machines running Windows 95 and 98 accounted for 27 percent of desktop systems studied, or more than 372,000 installations. Windows XP installations, by contrast, accounted for just 7 percent of installations, he says.
AssetMetrix believes many of those installations can be traced to a rush by companies in 1999 to upgrade their computers before the year 2000 shift, O'Halloran says. A slumping economy in 2001 postponed upgrades from Windows 98 to Windows 2000 at many of those companies, he says.
Like Atmel, some of AssetMetrix's customers have Windows 98 deployed in isolated manufacturing environments or on kiosks where they are shielded from Internet attacks, O'Halloran says.
The adage "if it isn't broke, don't fix it" also applies, says Dan Kusnetzky, an analyst at IDC.
"Windows 98 works well enough that people will continue to run it until the machine is so obsolete that it can't run anymore," he says.
Frequently, such systems use software applications or hardware that isn't compatible with newer operating systems. That means that even with the end of support, companies will continue to use the operating system until hardware failures or software limitations force them to move, he says.
That may not be a bad thing. The key is for companies to understand where their Windows 98 machines are deployed and what their exposure to the Internet is, O'Halloran says.
Companies that have "Internet-facing" computers running Windows 98 face an increasing risk of network security breaches from viruses, worms, and Trojan horse programs in 2004, AssetMetrix says in its report.
Many Indian corporations are preparing to upgrade their Windows 98 PCs to newer operating systems from Microsoft, such as Windows XP, according to interviews with technology leaders there. With Microsoft ending support for Windows 98, it makes better sense to upgrade than to try to run newer applications on an earlier operating system, according to Prakash Gurbaxani, chief executive officer of TransWorks Information Services, a Mumbai-based business process outsourcing company.
"As the new stuff gets cheaper and more attractive, folks like us prefer to migrate to the latest versions," Gurbaxani says.
AssetMetrix's O'Halloran agrees, saying that many companies may even be entitled to free upgrades to XP, depending on their license agreement with Microsoft.
Companies with more than 250 employees that renewed their enterprise or volume license agreement with Microsoft since the release of XP may be able to upgrade now and take advantage of Microsoft patches and the improved security features of that operating system, he says.
Smaller companies and individual users cannot take advantage of such agreements and may have to plan upgrades in the form of OEM versions of Windows XP or Windows 2000 that come with new hardware, he says.
In the end, though, security concerns rather than outdated functionality will move most companies and individuals off Windows 98 and to newer Windows operating systems, O'Halloran says.
"We now have this external factor, which is security, that brings the viability of Windows 98 into question. If someone discovers a security exploit and you cannot get a hot fix for it, you have to decide if that's the world you want to live in," he says.