No fix for 'critical' hole in Windows 98, ME

Microsoft will not fix a serious flaw in Windows 98 and Windows Millennium Edition because a patch could break other applications.

The security bug relates to Windows Explorer and could let an intruder commandeer a vulnerable PC, Microsoft warned in April. The software maker has made fixes available for Windows Server 2003, Windows XP and Windows 2000, but it has found that eliminating the vulnerability in Windows 98 and ME is “not feasible,” it said.

“To do so would require re-engineering a significant amount of a critical core component of the operating system,” Microsoft said in a Thursday update to its MS06-015 security bulletin. “After such a re-engineering effort, there would be no assurance that applications designed to run on these platforms would continue to operate.”

Instead, Microsoft recommends that people who still use the older operating systems protect their PCs by using a network firewall that filters traffic on TCP Port 139. “Such a firewall will block attacks attempting to exploit this vulnerability from outside of the firewall,” it said.

The software maker even had trouble with its fix for Windows XP. It had to revise the update and release it a second time because the patch caused problems for people who used Hewlett-Packard Share-to-Web software or older Nvidia graphics drivers.

Full story: News.com