Gosh, There’s a Bug in Windows 98


Event Summary

10 March 2000 (PCWeek) Microsoft Corp. (NASDAQ:MSFT) today admitted it found out months ago that there is a hole in its Windows 95 and 98 operating systems that leads to system crashes, yet decided the problem wasn't serious enough to warrant alerting customers or issuing a patch.

The problem arises when a user goes to a Web page or opens a Web-based e-mail message that contains a hidden string of characters that instructs the computer to use DOS commands for accessing the keyboard, printer and other devices, said Eric Bowden, general manager of BugNet.com, an online bug-tracking service.

"The insidious thing is that you can stick this in a Web page and e-mail it to someone and it will cause their machine to [crash] when they open it," Bowden said. Users could also encounter the hole by typing the string of characters at the DOS prompt in Windows 95 or 98.

Microsoft acknowledges it was alerted to the problem at the end of last year but did nothing to fix it or make customers aware of the problem. "It wasn't considered a serious issue," said a Microsoft spokeswoman.

"It's an inconvenience more than anything. It's not a security issue. No one is reading your e-mail."

But the spokeswoman added that Microsoft, of Redmond, Wash., decided to reconsider its decision this week and is now working on a patch for the problem. The spokeswoman did not know when the fix will be available but said it will be posted to the http://www.microsoft.com/security site.

Market Impact

Further reports have indicated that this crash can occur under Outlook 2000, whether or not the offending message is opened. However, the crash will not occur on Windows NT or Windows 2000 systems. Outlook 98 is also immune to the problem.

If someone can crash your system remotely, that's a lot more than an "inconvenience". It's called a Denial of Service attack.

Microsoft's approach to the problem is less than ideal: it reacts to publicity, not problems. The problem surfaced in late 1999, but wasn't publicized on BugNet until March 2000. Only then did Microsoft move to address the problem. This creates a window of opportunity for alternate OS vendors, such as Red Hat (NASDAQ:RHAT), to distinguish their level of product support from Microsoft's offerings.

User Recommendations

We believe this is yet another reason to favor the Windows NT/2000 operating system family instead of Windows 95/98/Me. It also underlines the importance of antivirus software for corporate email systems.

Monitor http://www.microsoft.com/security or BugNet for a patch. (Let's hope it's not called Windows Me.) If you have paid Microsoft for any tech support related to this problem in the last three months, demand a refund.
