CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

Windows 98 vulnerable to hacking

The shared-file feature of Windows 98, which allows access to files without passwords, may open a user's computers to hacks.

An old feature of the Windows operating system which enables networked PCs to access shared files may expose users of the newest Windows software to hackers, although there is disagreement as to how likely the scenario is.

The problem lies in the fact that Windows 98--like Windows 95 and Windows 3.11 before it--allows users to create shared files without passwords, although not easily. But once those files are created, anyone who can access that system's IP (Internet Protocol) address can access private documents, spreadsheets, or other sensitive data residing on that system's hard drive.

While Windows 95 became the operating system (OS) of choice for many in the corporate world, Windows 98 has been targeted more at the less-sophisticated consumer market and, importantly, is more Internet-centric. This means that some consumer users may be more vulnerable to attacks as they are less knowledgeable about creating a secure connection to the Internet.

The issue has been the subject of numerous Internet newsgroup discussions. Michael Scanlen, a CNET News.com reader who stumbled across the problem, symbolizes the anxiety that some consumer users face: "What this all means...If someone can get ahold of your IP address, either via IRC (Internet Relay Chat) or any other methods, and you have shared folders on your PC...they will be able to access it."

Windows 98 users who use online messaging services like ICQ or IRC (Internet Relay Chat) are especially susceptible to such attacks, experts say. Hacking sites and newsgroups feature scripts and programs that gather IP addresses of these users, and some of these programs can determine what level of security the user has set for their shared files.

Microsoft executives declined to be interviewed about the reported security problem, but spokesman Ryan James said that the "feature is in response to customer demand--it was included in Windows 95, and the response was positive that this feature is desired. As a result, it is included in Windows 98."

Additionally, Windows 98 will warn users creating shared files that they are opening their systems up to potential security problems, James said, and other security experts concurred that those warnings should be adequate to protect most unsophisticated users.

But others claim that the Internet is the issue. "Windows 95 and 98 make it very easy to share things, and that sharing is great among a group of people in a trusted network. But now you're providing that sharing capability over the Internet, and you have the capability where someone can see the hard drive," explained Stephen Cobb, director of research and education for Miora Systems Consulting, who added that the shared file feature in Windows 95 raised eyebrows among security experts at the time of its release, as well.

Additionally, Cobb said the warnings may not explain clearly enough that by creating shared files without a password, the user is opening his or her hard drive to anyone who can find the right IP address.

"This is something that people pointed out as a problem area several years ago, and that it still exists is disappointing in terms of Microsoft's security awareness and product development," Cobb said.

"It's kind of irrelevant whether some geek somewhere knew about it before, when half the people on the Internet today just got there last year, and 90 percent of them don't know about this problem."

"It's a legitimate argument for Microsoft to say, 'We can't be held responsible for people doing stupid things with their computers,'" Cobb said. "The other side is that you have a responsibility when you're selling the OS (Operating System) that 90 percent of the people use to warn them more strongly."

Other experts believe the responsibility ultimately falls upon the shoulders of the user.

"Pretty much, it has to do with the way the person has set up the Operating System," said Gerhard Eschelbeck, vice president for Windows NT server development for Network Associates. "If you leave shared files open without the password, they're open. And when you do this setup, you get warnings and dialogue messages that the security is as wide open as it can be."

Windows 95 made it easy to share information among computers on a LAN (Local Area Network) in a corporate or small business setting, and Microsoft included this functionality as a "legacy" (hold-over) feature in Windows 98.

Despite Microsoft's positioning of the upgrade, consumers have already run into problems with Windows 98 when technical sophistication is required. Many PC owners complained of upgrade problems and troubles locating and installing the necessary drivers to get peripheral devices to work with Windows 98.