Microsoft Leaves Windows 98, Me Users In Lurch Over Metafile Vulnerability

[jcb]

Microsoft Leaves Windows 98, Me Users In Lurch Over Metafile Vulnerability

In an updated security advisory, Microsoft told Windows 98 and Windows Millennium users not to expect a patch against the ongoing Metafile vulnerability because the company's obligated only to fix "critical" bugs, and this one doesn't meet the bar.
Microsoft's advisory, now revised six times since its Dec. 28 debut, puts it clear to Windows 98 and Millennium customers.

"Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions," the advisory read. "Per the support life cycle of these versions, only vulnerabilities of Critical severity would receive security updates."

Some time ago, Windows 98 and Millennium, which were slated to roll off support in mid-2003, got a reprieve; the operating systems will be supported by Microsoft -- to a limited degree -- until June 30 of this year.

By its own policies, however, Microsoft's not obliged to deliver security fixes to problems it says don't meet its "Critical" benchmark.

That doesn't surprise one analyst.

"This whole lifecycle plan of theirs doesn't obligate them to do anything," said Michael Cherry of Directions on Microsoft, a Kirkland, Wash.-based research company. "Look at Windows XP SP2. Microsoft made two major changes to RPC and DCOM [in SP2] for security reasons, but said they were 'architectural changes.' They weren't required, they said, to make those changes available in Windows 2000, which at that time was still in mainstream support."

To read more http://www.techweb.com/wire/security/175801658