
Windows 98, ME users left vulnerable to WMF bug?

Joris Evers Staff Writer, CNET News.com

Microsoft on Thursday rushed out an update to address a serious security flaw in Windows. Patches are available for Windows 2000, Windows XP, and Windows Server 2003, but Microsoft left out Windows 98 and Windows Millennium Edition.

The flaw lies in the way the OS software handles Windows Meta File images. Microsoft deems the issue "critical" only for Windows 2000, Windows XP and Windows Server 2003. The problem is not as big for Windows 98 and Windows ME because it is harder to exploit on those OSes, the company said in its MS06-001 security bulletin.

Experts from iDefense, F-Secure and SANS agree that no attacks that target the older Windows versions have surfaced. Yet that might only be a matter of time, said Mike Murray, director of vulnerability and exposure research at nCircle, a vulnerability management company in San Francisco.

Releasing a patch for Windows 98 and Windows ME would be the right thing to do, according to Murray. "Even Microsoft acknowledges that the vulnerability exists in those OSes, someone will figure out how to exploit it," he said.

By not fixing the older versions of Windows, Microsoft is leaving its customers out in the cold, Murray said. "In a way they are forcing customers to upgrade, saying that you can continue to use those older operating systems if you want to be vulnerable," he said.