herbalist

Member. Posts: 733. Donations: 0.00 USD. Country: United States.

Everything posted by herbalist

  1. I also stopped using resident AVs nearly 3 years ago on all versions of Windows. There are more efficient ways of securing Windows that don't cost anything and don't impact performance nearly as much as an AV. Rick
  2. Adobe eBook Reader 2.2, the last free-standing eBook reader they offered, is 98 compatible. I don't know if it works with today's eBooks. It is compatible with the PDFs that Adobe Reader 5 opens. It also integrates with text-to-speech software for anyone who wants their 98 box to read PDFs aloud to them. It's freeware and unsupported. I don't have a working link to it, but if anyone is interested I will upload a copy. The installer is 9.76MB. Rick
  3. Assuming that they're all equally vulnerable, equally attacked, and that the tools to secure each are equally available, people will use what they're comfortable with. BSD is more secure than Windows, but I stay with Windows because it's more comfortable to use. It's what I'm used to. People will use what fills their needs and runs the software they use. I have 4 operating systems installed on a multiboot setup. On each one, something I use is installed that won't run on the others, so they all get used. My browser of choice and related software is also installed on each OS so all of them would work equally well for casual use. But whenever I'm just casually on the web, I'm always using the same OS, not because it's the most secured, but because it's the one I find most comfortable to use. I'd expect that to be true for most people. Rick
  4. In its downloaded form, it only works on the user profile that's in use at the time. On systems with more than one user profile, the profile name and path are variables, as is the number of user profiles. You can modify the batch files to include each profile on your PC by adding lines to include each profile's user.dat file. Some time ago, I put a page together which describes how to use a modified version of those batch files to replace the registry and core system files with clean copies on each reboot. It does describe modifying them for more than one user profile and includes their startup folders. Instructions here. Sorry about the ads on the free site. Rick
  5. Getting the targeted application to execute the code is only half the battle. Assuming that the exploit code itself worked on IE6, it would then depend on the command or instructions that it's attempting to execute. The majority of the time, the injected command will direct the browser to download and execute a malicious file from a preset location. Quite often those instructions are to download and execute a single file, which may or may not affect a given OS. At times it's much more involved. The malicious site will attempt to determine the OS and browser of the target and select a payload specific for that target. In this situation, a 9X system can be very vulnerable. PoC demonstrations like the one you linked to from milworm often fail to show the real abilities of the code because the location of the harmless item they use changes from one OS to another. In your sample, the path is invalid for 9X systems and Win2K. If you'd like to see a better example of how an application exploit works, take a look at this one. This one worked on 98 thru XP as a demonstration because the instructions it injects are understood on all the operating systems. Direct link to the PDF PoC here.
awergh, did you try to open that file with another browser on XP? When I tried to open it with SeaMonkey on both 98 and 2K, I experienced the same memory drain that I did when I used IE6.
  6. Milworm doesn't appear to have a variant that affects other versions of Internet Explorer at present. No, I don't have a sample that does affect IE6. Microsoft's own advisory, what you call PR material, says: They mentioned IE8, so they're not just steering users away from IE6. Their advisory also mentions More info on this here and here.
  7. I couldn't make it work on 98 or 2000, even after fixing the path to calc.exe. On both it just used up memory. That code appears to be for IE7 only, but there are variants of it that work with IE6. Rick
  8. I can't comment on how it works with DVDs, but BurnAtOnce works well on 98/98SE. I use it for data and music CDs, burning and saving ISOs and CD copying. There are better tools for working with ISOs but it does the basic tasks. I've burnt a lot of CDs with it and have had very few coasters. Rick
  9. Imaging entire drives and partitions is part of what I want to do. I already have Acronis, which does that just fine. I'd also like to be able to image specific folders and subfolders. One of the main reasons I chose to use 7zip archives is so I could access those archives from within Windows or DOS. So far, I haven't found anything else that can open an Acronis image file. There's also a big size difference between an Acronis image and a 7zip image. On its maximum compression, Acronis compressed a drive with 525MB on it down to 260MB. 7zip compressed the same drive to 167MB. If the same ratio applies to all the Acronis images I'm storing, I can recover almost 12GB of space and have the benefit of being able to open those images with conventional archiving software. My external drive is getting quite full and it's going to be a while before I can afford more storage space. I'm also working on another project that requires me to be able to extract such archives in DOS.
"You joking right? There are thousands of them, here is what I find best one. DDCOPY: http://users.telenet.be/jbosman/applications.html"
I wish I was joking. This is fairly new to me. I've done very little with boot images, partition tables, etc. For me, fixing the external drive was a major learning experience, some of which was quite surprising. It would seem that using a GParted CD to set up the external drive was the source of most of my problems. When I used GParted to repartition the drive again, I couldn't access the new partitions in DOS again. When I used Partition Table Doctor to fix the boot sectors, then I could access them in DOS. It turns out that I already have an app that could create an .img file but didn't know it. WinISO can make an image from a boot floppy, with a .WBT file extension. I used an existing boot image to make a floppy, then had WinISO save it in its own format. It turns out that their WBT files are img files. The MD5s of the 2 files were exactly the same. I changed the extension and my burner accepted it. The CD works fine. I have made 2 more 7zip images of the "E" drive using different compression levels. Each took about 45 minutes to make, thanks to my underpowered hardware. I'll try extracting them in DOS either tonight or tomorrow and see what happens. Rick
  10. Went through the whole process again last night with a few changes. The system I'm copying is the entire "E" drive, which is the primary partition of the primary master hard drive. I extracted the archive to a folder on a logical drive on the external hard drive (J:\Edrive\) using 7zip while in Windows, then compared the 2 with WinMerge. They were identical, so the archive is complete and correct. I erased the external drive, rebooted to DOS, then used 7za to extract the same archive to the same location. This time the extraction process took 3:28 +/- 5 minutes. Most of the extraction process moved fairly quickly, except for a couple of subfolders in E:\Program Files\X-Setup Pro. The plugins folder, which contained over 900 plugins (*.xpl), was the worst. This folder took over half of the total time, even though it totals only 1.7MB. Why, I don't know, but I will remove X-Setup before the next test.
WinMerge reports several differences between the two this time. 3 contain characters that are probably a problem in DOS:
    Norwegian (Bokmål).txt
    µTorrent.lnk
    3½ Floppy (A).lnk
These shouldn't be a problem. 2 more may be problems because of the length of the paths:
    E:\Program Files\Connectix\Virtual PC 5.1 Online Installer\Installer\program files\Connectix
    E:\WINDOWS\Application Data\Mozilla\Profiles\default\ycmdj0ug.slt\chrome
Both of these folders and their contents are missing from the DOS extracted copy. I'm not sure if the fact that the destination was a folder affected this. The next test will extract directly to the "J" drive, not to a folder on it. The last 2 that are missing I have no explanation or ideas for:
    E:\WINDOWS\Desktop\olddos.exe
    E:\WINDOWS\Win95_ActiveAccessibility_Redist_13.exe
At the moment, I'm not sure if I'm dealing with DOS limitations, limitations or bugs in 7za.exe, DOS USB driver issues, the configuration of my bootdisk, or all of the above combined. Anyone have any ideas?
While I'm thinking about it, anyone know of an application or an easy way to convert a boot floppy to an img file that I can use with my burner to make bootable CDs? Thanks Rick
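As an added example, not part of herbalist's post and not from 7-Zip or WinMerge, the Python below pre-screens a list of archive member paths for the two kinds of trouble the post reports after a DOS extraction: names containing non-ASCII or DOS-reserved characters, and paths longer than a DOS-era limit. Running such a check before archiving tells you which members to rename or shorten instead of discovering the gaps with WinMerge afterwards. The 64-character threshold is an assumed default (plain MS-DOS limits a fully qualified path to roughly that; LFN drivers relax it), and the sample list is constructed from the names in the post, with an assumed E:\ prefix on the three short ones.

```python
from dataclasses import dataclass, field
from typing import Iterable, List

# Assumed threshold (not stated in the post): plain MS-DOS limits a fully
# qualified path to roughly 64 characters; LFN drivers relax this, so treat
# it as a configurable warning level rather than a hard rule.
DOS_MAX_PATH = 64
# Characters a FAT/DOS file name cannot contain (besides the path separator).
DOS_RESERVED = set('<>:"|?*')


@dataclass
class Finding:
    path: str
    problems: List[str] = field(default_factory=list)


def check_dos_path(path: str, max_len: int = DOS_MAX_PATH) -> Finding:
    """Flag one archive member path that may not survive extraction under DOS."""
    finding = Finding(path)
    if len(path) > max_len:
        finding.problems.append(f"path length {len(path)} exceeds {max_len}")
    # Only the final component is checked for characters; the drive colon is legal.
    name = path.rsplit("\\", 1)[-1]
    if any(ord(ch) > 126 for ch in name):
        finding.problems.append("non-ASCII character in name")
    if any(ch in DOS_RESERVED for ch in name):
        finding.problems.append("reserved character in name")
    return finding


def preflight(paths: Iterable[str], max_len: int = DOS_MAX_PATH) -> List[Finding]:
    """Return only the members that have at least one problem."""
    return [f for f in (check_dos_path(p, max_len) for p in paths) if f.problems]


# Constructed sample: the names herbalist reported (E:\ prefix assumed for the
# first three) plus the two files that had no obvious reason to go missing.
SAMPLE_PATHS = [
    "E:\\Norwegian (Bokmål).txt",
    "E:\\µTorrent.lnk",
    "E:\\3½ Floppy (A).lnk",
    "E:\\Program Files\\Connectix\\Virtual PC 5.1 Online Installer\\Installer\\program files\\Connectix",
    "E:\\WINDOWS\\Application Data\\Mozilla\\Profiles\\default\\ycmdj0ug.slt\\chrome",
    "E:\\WINDOWS\\Desktop\\olddos.exe",
    "E:\\WINDOWS\\Win95_ActiveAccessibility_Redist_13.exe",
]

if __name__ == "__main__":
    for f in preflight(SAMPLE_PATHS):
        print(f.path, "->", "; ".join(f.problems))
```

On the constructed sample the check flags the three names with non-ASCII characters and the two long paths, and says nothing about olddos.exe or the Win95 redistributable, which matches the post's own split between explainable and unexplained differences.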
  11. The FreeDOS version of p7z that you linked to is the one I'm using. At the moment, I'm running it in MS-DOS with cwsdpmi.exe. When I could finally read the entire external drive in DOS, I got into too much of a hurry and didn't set up the next test properly. It does appear that I can restore a functional OS with this setup but it still needs work. It took way too long and some files appear to be missing, about 16MB of them. After waiting for almost 3 hours, I let it run overnight. The process was moving fairly quickly at first but slowed way down as it went. Need to repeat the test under more controlled conditions.
  12. I got so frustrated with this job, I had to walk away from it for a week or so. I'd like to thank everyone for all the help, both in this thread and in PMs. This was more than a driver problem. The external drive was full of problems: bad boot sectors, bad partition table with multiple entries for the same partition, overlapping partitions, and my complete lack of experience in dealing with such problems. It took several days to sort through the data, compress it with 7zip, and copy it to CD-RWs, plus a couple more days learning to work with different partitioning and partition repair tools. I now have several boot disks that do everything I need:
    Read/write access to all partitions on internal and external drives.
    CD access.
    Long file name support.
    Sound.
    Conventional and USB mouse support.
    Large Ramdisk.
    DPMI that enables me to run a version of 7zip in DOS.
Once the external drive was fixed, my original bootdisk basically worked, but the files you people sent and linked me to made an even better one. Earlier, I used 7zip on its maximum compression settings to archive an entire internal drive, my lite98SE test system. It compressed the drive contents far better than Acronis did. The next step is to see if I can unpack that archive with the DOS bootdisk and restore a complete operating system with it. If it works (I don't see any more reasons it shouldn't, knock on wood) I can start converting Acronis images to 7zip archives and recover several gigabytes of disk space. Thanks again. Rick
  13. One item that needs a serious updating or removal is the scheduler. There are free ones available that are far superior. Example: System Scheduler by Splinterware. When a replacement this good is free, why keep the original? Winipcfg is handy when you need to do quick releases and renewals but ipconfig does give more information. The screen savers aren't useful enough to keep. Maybe just one small one. I prefer to power down the monitor after about 10 minutes of idle time. If I really want a screensaver, I'll turn webshots back on.
  14. The previous DSL modem my ISP supplied could import and export configuration files via telnet. Had to use it more than once when I made a mess of its settings. When there are open-source tools like PuTTY that can do everything that telnet can and so much more, I see no reason to keep it.
  15. I don't know if 98SE behaves differently than FE, but on FE the recycle bin is not recreated at startup. Windows makes a new one when you delete something.
It's not that black and white. A lot of legitimate apps are adding undesirable extras. They're usually mentioned in the EULA, if you can stand to read those things, but are not otherwise obvious. Delivering ads or data mining to boost their income is more common than many realize. If the user doesn't have control over outbound traffic, they're not going to be aware of the data mining. If you have control over when your software updates, then unexpected or undesired calling home isn't an issue, but not all apps give you that option. I've had a few that updated without asking or informing me. Kerio immediately blocked their internet access and alerted me that the application had changed. Sounds innocent enough until you find that the "change" they made is delivering ads to your desktop. Even some security app vendors are making deals with advertising companies. I don't remember where I read it, but some big shot in the ad industry made the statement, roughly quoted:
AFAIC, my desktop is MY real estate, and whether they like it or not, they will keep their damned billboards off of it. It's also none of their business where I browse, what I see, or what I'm using, and I will not allow anything to send out any data without asking first or sending it in a form that I can't read. Most companies claim ownership of the software and operating systems we use, even after we buy them. It's bad enough when we purchase something but still don't own it. On top of that, these companies assume the right to use our internet connection and bandwidth, which we pay for, to deliver content that we don't want, using up our disk space and system resources in the process. Some of them like M$ want us to constantly prove that we didn't steal their software. Others assume that they have the right to collect our usage habits and sell that data or to check on all the media on our PC just to make sure they've gotten all the money they think they're entitled to for it. An outbound firewall is one of the primary tools that enable us to draw the line and tell them, "Your rights end here! This is mine" and make it stick.
Sorry about the rant. I spent too many years in the anti-spyware community dealing with their underhanded tactics and removing that garbage from far too many PCs to take this subject lightly. Rick
  16. Regarding the windows report tool, it saves the collected info to cab files. When HWinfo is run without the /ui switch, it also saves the data to file, hwinfo.dat in the windows folder. Both of these can be opened with MSInfo. The data they collect can be sent to whoever needs it and opened with MSInfo on their system. Between them, they collect a lot of data that could be very useful for debugging and beta testing. I still use Notepad for little jobs like a quick edit on a batch file or saving text to file. For bigger jobs, I usually use Notepad+, HIEW, or one of several hex editors I need to choose between. Too many installed. I don't know if program.exe is used during the install process or during any normal activity. I was working on stripping down a 98lite install even more as part of another project but haven't had the time to get back to it. Computer projects for me are just like real life. Every year I give myself 2 years worth of projects to do and never get them completely done. From one of my favorite songs Charlotte spelled out the reason for staying with the CD player that I couldn't remember. Quite often I have music playing when I'm working on a project. Some of those projects have caused blue screens or have frozen the system, but the CD keeps playing. I ran a patch cable from the sound card output to the auxiliary input on the stereo. It's not exactly a killer audio system but it's far better than what you get from the average sound card. Makes it easy to play my MP3 collection thru decent speakers instead of those little things. It also lets me convert my tapes and old albums to MP3s or burn them to CDs. Rick
  17. I'd like to see an improved clipboard viewer. I can think of several features that would be useful:
    The ability to select part of the clipboard's contents instead of pasting all of it.
    The ability to permanently store commonly pasted items. The data would remain after a reboot.
    Multiple clipboards built in instead of requiring a separate application.
    The ability to paste a set of locations, such as the individual blocks where you enter IP addresses in network connections.
I'm probably wanting too much already.
  18. You can start and terminate applications from taskman.exe from the menu, although I don't see why someone would use it unless Explorer was completely non-functional. Paintbrush is just a shortcut to Paint as far as I can tell, just like Write is to WordPad. Program. That brings back some memories. Might be useful to someone who wants an extra light shell. Packager works with WordPad for inserting certain types of objects. I've never used it. I believe JVIEW and WJVIEW are part of Java. No idea what you'd use them for. The hardware info tool can be handy. Go to Run and type "hwinfo /ui". It gives quite a bit of info on the system. WinFile is better than Explorer for organizing files. The split interface is handy. I used to use it but now I prefer to use NDN. The Windows Report tool might be useful to some program testers. I've never used it. Welcome should delete itself after the first use. Rick
  19. 5.1 will execute code. I have 5.1 installed on my 98FE box. When I open that PoC with it, it tries to launch Internet Explorer, which then tries to launch my mail handler. This particular PoC does use Internet Explorer and will fail to function if it's not present, but only because IE is part of the demonstration. It could just as easily have sent instructions to something else. Internet Explorer is 98's biggest vulnerability and removing it is the single biggest improvement one can make to 98, but it is not a cure-all. 98 has other weaknesses, starting with no real restrictions on what can execute and no limitations on what those processes can do. Rick
  20. I use the clipboard viewer quite heavily, partly because I also use Splinterware's multiple clipboard utility, Clipboards. I don't remember if there was an existing shortcut to it in \Start Menu\Programs\Accessories\System Tools or if I added it, but I use it enough that I also made a keyboard shortcut for it. It's too easy to forget which clipboard I'm using to store which item. The viewer and the keyboard shortcut give me a quick way to check. I do occasionally use the CD player on those rare occasions I listen to a CD on the PC. Don't remember why I chose to use it instead of playing them through WinAmp. The themes were kinda fun when I first got the PC, especially the sound effects, but definitely not useful. All they do is slow it down. TaskMan might be useful if the user has a problem with Explorer. Might be worth keeping as a backup but that's about it. I'm not sure how useful the phone dialer and HyperTerminal are. I haven't used them. I've thought about using the PC as an answering machine and as another phone but haven't got to it. I don't know if the phone dialer would be needed for this so I haven't removed it. Notepad is handy for quick little editing jobs and is small enough to justify keeping it. I use WordPad occasionally, mainly because it's handy. The one that I'd question is write.exe. It's only 20KB but doesn't seem to be anything more than a glorified shortcut to WordPad. Does it do anything else? Everything else you listed can go. I removed all of them from my systems except on a couple of test images. Rick
  21. For the common port scan, that's true. Those ports will respond to other types of scans, so stealth is not total by any means. Stealth may stop a script kiddie with a port scanner from finding you but an experienced cracker with Nmap won't be fooled. Stealth might help reduce the amount of amateur probing your system gets but I don't see where it gives any real increase in protection. That said, it doesn't hurt anything either, unless you run a server or your ISP insists on being able to ping you. IMO, it's more important for the ports to be closed, even if the firewall is off, than it is for them to be silent. It's also more important that any ports on your system that need to accept incoming traffic for a specific app be limited to only accepting traffic from the IPs that app uses, not from all over. Rick
  22. I forgot all about Steve's little utilities. Ran that a long time ago, 2004 I think, the date of the download CD I found it on. As for Steve Gibson, he's made some mistakes and definitely has a paranoid streak, just as I do. Other security oriented groups have made mistakes too, especially about 98 security. I don't see them being slammed like he has been. I keep evaluating the things he finds on an individual basis instead of labeling him.
I find it difficult to understand why a 9X user would not want to control the outbound traffic from their PC. Admittedly, 9X systems don't have all the open ports that are found on an NT system, but applications also open ports. A lot of software tries to update without asking the user. Those updates can be big problems for 9X users. Many such problems have been described in the Last Versions of Software for Windows 98SE thread. I would think that a 9X user would want to be in control of that activity. As light as some of the older firewalls are, resource usage is not much of a reason not to have one. I'm running a 366 MHz Celeron and my security package doesn't slow it down. With all the time and effort the users here put into keeping their 9X systems running smoothly, often better than when they were new, I can't understand not wanting to protect that investment and their data in real time.
Aloha, regarding the recycle bin, it's nothing more than another folder that serves no purpose other than making it possible to recover something that's deleted by accident. Items sent to the recycle bin are often forgotten, but they're not deleted and can be recovered and read by anyone. If the user forgets to empty it regularly, it consumes disk space, sometimes a lot of it. That slows a system down. I've seen hundreds of megabytes of forgotten items in recycle bins. Those forgotten items can be a big privacy concern. The "heart attack" he's referring to is accidentally deleting something important and not being able to recover it.
If you right click on the recycle bin, you'll see an option to delete files directly and not send them to the bin. TweakUI gives the user the option to remove the bin from the desktop. I stopped using it a long time ago. Instead of deleting files, I overwrite them with Eraser, which makes recovery impossible. Version 5.7 is the best for 9X systems. The scheduler that's built into Eraser deserves mention when the security of 9X systems is important. It can be set to overwrite temp folders, the browser cache, "recent" folders, log files, free space, index.dat files on reboot, etc., as often as desired. That helps keep down the wasted disk space and cleans many of the locations used by malicious files. The memory usage of the scheduler is under 1MB. The launcher component can be used to make one-click shortcuts for cleaning locations on demand, like the browser cache. It also has a component that runs in pure DOS, which I've found very useful.
9X systems might not be targeted that much anymore but they're not being completely ignored either. Attacks on specific applications are on the rise, including those that run on 9X systems. When 9X was designed, most of these methods of attack didn't exist. 9X systems have no built-in defenses against most of them but they can be easily added with available security-ware, most of which will not hurt their performance. When the monetary cost is zero and the performance impact is almost nothing, I can't understand not using it, unless your system and data are of no value to you. Rick
  23. That's quite true. When a specific application is targeted, like Adobe Reader, it doesn't usually matter what OS it's running on. The code will work on that application. This page describes just such an exploit for Adobe Reader and contains a harmless Proof of Concept towards the bottom. It demonstrates very well how code contained in a file can use that application to launch and send commands to another. The PoC works on 9X and NT systems alike. The one exception I found was a 98lite testbox without Internet Explorer installed. The PoC wouldn't function there.
Using code to exploit a specific application like Adobe Reader is only the first step in the infection process. The PoC works by using the exploited application to gain access to another or to an OS component. Most application-specific exploits will use a similar method. Whether that exploit code results in a compromised PC depends on what it does next. If the attacker assumes the user has an NT system and tries to compromise the OS directly, it will probably fail on a 9X system. If the code directs the browser to a malicious server that uses scripting to determine the OS, browser, etc. of the intended victim, then selects a payload for that system, the chances of its being successful are pretty good.
Leaving AV detection and "don't open the unknown" out of the picture, when a vulnerable application like Adobe Reader for 98 has to be used to open documents that may or may not be infected, the only real way to prevent the app's vulnerabilities from resulting in a compromised system is to isolate the vulnerable application as much as possible from the OS and from other applications. Browser integration, especially with Internet Explorer, is a major risk. A malicious PDF opened in Internet Explorer has free access to the core of the operating system. Open PDFs with the reader as a separate process, not in the browser.
On NT systems, the user has many options that can contain or defeat such malicious code: sandboxing apps, HIPS, virtualization software. Many of the available firewalls have application control components that can be used to limit the access of each application to the OS and to other applications. AFAIK, almost all of them will not run on a 9X system. To my knowledge, there's only one security application that can control individual processes and their access to others that runs on 9X, the free version of System Safety Monitor. If anyone knows of another that runs on 9X systems, I'd like to test it. It's hard to avoid suggesting a specific brand when there's only one 9X compatible option.
Quite often SSM is described as classic HIPS. IMO, the best way to describe it is a rule-based firewall for controlling applications, processes and their interprocess activities. Classic HIPS does not use detections or any kind of definition files. The user has to decide what to allow and block. When configured tightly enough, it can be used to prevent a vulnerable application like Adobe Reader from launching any other process. This would be done in the parent-child settings for that specific process. SSM and other HIPS software are not total solutions by themselves by any means. They're tools that give the user a level of control over processes that's not otherwise possible in Windows and its "allow anything" design. By making that control part of a policy that blocks the unknown from executing and isolates the attack surfaces as much as possible, it can quite often prevent a compromised application from becoming a compromised system, provided that the user apps and the operating system are configured with the same goal in mind.
It's not the easiest program to set up and learn. It requires that the user knows their system and understands what the different processes do and how they interact well enough to make rules that govern their behavior. It will enforce the rules you make without exception. Block a necessary system process and you can lock up your system completely. If you mistake a trojan for a needed system process, it will allow it. That's more than most people want to deal with and is definitely not for the average or casual user. I don't know your abilities or if this is an option you'd want to consider. Before you decide, SSM will not work if KernelEx is installed and it conflicts with Media Player Classic. Rick
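As an added example, not code from herbalist's post and not from System Safety Monitor, the Python below models the two policy ideas the post describes, block the unknown and isolate the vulnerable application with a parent-child rule, as a small rule check run over constructed process-creation events. An executable not on the user's known list is blocked outright; an isolated parent (here an assumed acrord32.exe name standing in for the reader) may not spawn any child unless an explicit exception allows it, which is exactly the behaviour that would stop the PoC's reader-launches-IE-launches-mail-handler chain at the first hop. Every executable name and event is a constructed sample.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event: which executable started which."""
    parent: str
    child: str


@dataclass
class Policy:
    # Executables the user has decided may run at all; everything else is blocked.
    known: Set[str]
    # Isolated parents: they may spawn nothing unless an exception below says so.
    isolated: Set[str]
    # Explicit parent -> allowed children exceptions (checked before isolation).
    allowed_children: Dict[str, Set[str]] = field(default_factory=dict)


def decide(policy: Policy, ev: ProcessEvent) -> str:
    """Return 'allow' or a 'block: ...' reason for a single event."""
    # Rule 1: block the unknown, regardless of who is launching it.
    if ev.child not in policy.known:
        return "block: unknown executable"
    # Rule 2: an isolated parent gets no children except explicit exceptions.
    if ev.parent in policy.isolated:
        if ev.child in policy.allowed_children.get(ev.parent, set()):
            return "allow"
        return "block: isolated parent may not spawn children"
    return "allow"


def audit(policy: Policy, events: Iterable[ProcessEvent]) -> List[Tuple[ProcessEvent, str]]:
    """Apply the policy to a stream of events and keep each verdict beside its event."""
    return [(ev, decide(policy, ev)) for ev in events]


# Constructed sample policy; the reader's executable name is an assumption.
READER = "acrord32.exe"
SAMPLE_POLICY = Policy(
    known={"explorer.exe", "notepad.exe", "iexplore.exe", "command.com", READER},
    isolated={READER},
)

# Constructed sample events, not real logs: normal use, then the kind of
# chain the post's PoC starts, then an unknown download being launched.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "notepad.exe"),
    ProcessEvent("explorer.exe", READER),
    ProcessEvent(READER, "iexplore.exe"),
    ProcessEvent(READER, "command.com"),
    ProcessEvent("explorer.exe", "unknown_download.exe"),
]

if __name__ == "__main__":
    for ev, verdict in audit(SAMPLE_POLICY, SAMPLE_EVENTS):
        print(f"{ev.parent} -> {ev.child}: {verdict}")
```

The ordering of the two rules matters in the way the post warns about: the isolation rule only restrains what a known, allowed reader can do next, so mislabelling a trojan as known would let it run under Rule 1 just as SSM would, and putting a needed system process on the isolated list would block its children without exception.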
  24. Firefox 3 has the same memory usage problems on 98 as version 2.3. Scrolling a document rapidly consumes your physical memory, then starts using up the swap file. My system became unstable before I scrolled halfway thru a 31 page document. Version 2.2 seems to be the last one that's compatible with 98. Last Versions of Software for 98SE. Rick