This is a community-based project and is actively updated. This project aims at restoring the legacy Windows Update websites, and allows older operating systems (Windows 95, NT 4.0, 98, Me, 2000, and XP) to obtain updates like they used to.
Ever since 2011 when Microsoft pulled the plug on nearly all the Windows Update websites, the Windows Update feature for older Windows operating systems was no longer functional. The only way to install updates after that point was through external third-party installers which didn’t cover all the updates that the operating system would fully support. So, with this project, we can now update operating systems as old as Windows 95 all the way through Windows XP RTM like we used to back in the day.
IT’s still a work-in-progress, as sourcing the various update packages and installers is proving to be quite difficult in some cases, and not all versions of Windows/Microsoft Update have been recreated yet. However, as the ever awesome Michael MJD notes in his video overview of the project, it already works quite well for Windows 95 and Windows 98 and 98SE.
This is obviously extremely useful for anyone who have a reason to run these old operating systems. Operating systems are increasingly reliant on online resources that will all eventually fail.This is clearly a problem with windows, but even FOSS operating systems face the exact same dilemma. When linux repository servers get decommissioned, many users running EOL distros will experience apt/yum update failures such that they cannot obtain the software that used to run on their distros. Once I needed to build new software for an old legacy centos system – something that would have been as trivial as installing a few packages has become an extremely arduous job of tracking down old packages and manually installing them, all because the original software repos are gone.
I don’t know what the answer is, we cannot expect the distros to keep hosting old copies forever. Maybe we need a dedicated organization like archive.org to setup something for this and OS/distros need to officially hand over update functionality at EOL. It’s easy to say this should exist, it’s harder to find ways to shoulder the costs of indefinite storage and infrastructure. Is there a way to crowd source this? If so, would there even be enough users to ensure long term viability of these legacy archives?
Pretty sure this is less useful than it seems as it provides a false sense of security for people running them. While it was a long time ago, the last time I had a Windows 98 machine connect to the internet it was instantly infected. The solution is the same as it was before, air gap the system and keep backups if you want to run past EOL.
dark2,
Well, you could say running an obsolete OS is not so secure, but for those who still want to do it, having updates is still extremely useful to get the system updated to the latest updates available for the OS.
Yes, of course. A firewall can safely eliminate the inbound connection attack surface. That leaves the outbound connection attack surface. IE was a relatively dangerous/vulnerable web browser. A modern browser would help reduce the risk, but of course most modern browsers won’t actually run on such old operating system, so it would be best not to use such a system with untrusted sites.
I would say the biggest threat isn’t actually a network attack at all but simply the trojan horse method where users install malicious software themselves. This is where antivirus provides added protection, typically scanning downloads automatically. This was very important at the time. But it brings up a new problem today: AV software & services that used to support these old operating systems may no longer work anymore. Even if you could still install old AV software, the malware fingerprint database servers for them are likely gone.
Puleaaase…. ” false sense of security” if someone feels secure because they installed a 20 year old update that is on them. If anything this just just a neat nostalgia trip.
Also the only way a machine would get instantly infected is if had no firewall between it and the internet and someone directly attacked it. I’ve ran 98 and XP in VMs with no issues… that said I did install XP once hopped on the internet and had a virus in minutes before (no firewall).
The problem of old repositories disappearing is a real one for supporting old systems. I’ve been bitten by this problem in both RedHat/RHEL and Ubuntu.
The Debian project has that mostly resolved though. Between https://snapshot.debian.org and https://archive.debian.org , installing old debian versions to check compatibility is a breeze (more so by using debootstrap if there is still compatibility between the host kernel and the chroot libc).
If it works, it’s massive!
Must require some preparation though, e.g. importing a REG file or something like that to be used.
Artem S. Tashkinov,
I don’t know. This may be covered somewhere in the links. In the early days of the internet, HTTPS hosting was relatively expensive and plain HTTP was still commonly used to distribute files. Unless the update server was cryptographically authenticated, then DNS redirection, IP forwarding, or even hosts file setting may be all that’s necessary. As long as the update files themselves are unmodified, then conceivably they could be downloaded from a doppelganger server without windows update being any wiser.
If windows update did authenticate the server (and not just the files), then I agree with you that windows would need to be modified to use the new update servers.
I wonder how this compares to Legacy Update – https://legacyupdate.net/
I guess I’m going to spend part of the weekend finding out!
Looking at the Windows versions mentioned, Legacy Update only goes back to Windows 2000 whereas this goes back to Windows 95. On the other end, this mentions “Vista or newer” but it is hard to know what that means whereas Legacy Update mentions Windows 7, 8, 8.1 along with Windows Server 2003, 2008, and 2012 explicitly.
Not that I am against this, and correct me if I am wrong, but this software has no practical use on the Internet today; especially Windows 9X. No modern browsers support it, and even if they did, many modern protocols used by the web; not strictly TCP/IP, won’t be supported. I mean you could still connect it to the Internet and maybe use it to join a game of Quake 3 Arena or something, but actually browsing the web on it is a different story. Unless, maybe you are willing to settle for basic text-only browsing and nothing else; which many modern websites don’t even offer either, as more and more of them require full Javascript just to show a few paragraphs.
Not 100% true. Some industries regulated by groups like TUV or FDA make replacing systems very hard and while in most cases I have seen (Work in the medical manufacturing field) the systems are off network in the best case and at least in a restricted separate network that does not cross contaminate (Via Subnetting or flat out separate infrastructure) places that make these updates simpler to find and run can save a production line from being down. Not to say that said equipment should be upgraded but the paperwork required is very time-consuming and engineering + quality departments rarely want to do it. I know this is a very niche case put the point is its a case.
P.S. Some software I have had to work with required specific version numbers of windows to run properly or the validation was too detailed and requires hunting for a specific windows 2000 patch.
>> No modern browsers support it
Actually, if you install KernelEX you can use Firefox 52.0. Not the most modern version but better than IE for sure! There is also Retrozilla which is a bit more recent. Never underestimate the desire of someone to keep their preferred operating system running.
I had never heard of Retrozilla. Thank you for the heads up. When you say it is a “bit more recent”, what does that mean? A quick scan of the GitHub says that it is roughly equivalent to Firefox 2 which is certainly a great deal older than Firefox 52. That said, it has commits as new as May 2021 and so perhaps it has been updated in ways that make it more useful ( security fixes? newer certificates? encryption options? )
You do not get it, it is about reinstalls and not being stuck with the CD version that is not compatible with yor PLC and that is why this exists.
So you can install 20 year old patches on your 30 year old operating system?
Why?
According to the site, they restore Windows Updates all the way up to Vista ( or “newer” which I suppose could be Windows 7 ). So, perhaps not as useless as it sounds.
I guess another factor is that not all the “patches” are simple security updates. Presumably there are some desirable features or behavioural changes that were delivered via Windows update that people may want. A final factor would be driver updates I suppose. If you are trying to run a 30 year old operating system on 20 year old hardware, those 20 year old patches may make all the difference.
It is pretty useless IMHO.
They cannot create new patches for a closed source OS, and as such you should not be running said OS for anything even remotely useful.
Driver updates through windows update were introduced in vista or wnidows 7 iirc, and those will be out of date as well. Better to get them from the manufacturer of whatever peripheral you need drivers for.
IMHO all this does is lull people into a false sense of security.
I understand keeping isos around and software installers and such for the purposes of conservation, but recreating a service that delivers “updates” from eons ago is just a waste of time.
p13.,
Your assuming such a system is going to be used to access the internet, but I don’t think that’s a fair generalization to make without understanding the full circumstances of how people intend to use these older operating systems. Even operating systems with zero security can be safe to use if they’re not on the internet. Many industrial & commercial applications using old systems are only certified to run on specific platforms and are not supported under new platforms. like a hospital MRI or eaglesoft database, etc. A firewall mitigates the inbound risk and many applications of the period didn’t need any outbound internet connections either. IMHO even if they had a new operating system it would be best to keep these systems off the internet anyways if they weren’t specifically designed to be internet facing.
I disagree. If an old system that was running for decades eventually crashes, someone might want to reinstall it. Being able to update it again is objectively valuable to get it back up and running.
You need internet access for windows update, or this replacement, so there goes that whole argument.
The situation you’re describing could easily be resolved using virtualization.
Solves the whole “when it eventually crashes” scenario too. No, you don’t want to rely on a service like this, you want to rely on backups.
p13,
I think it is misleading to give the impression that simply plugging win 9x into a secure lan will get it compromised. In most cases you don’t need to expose computers to any inbound connections to establish outbound connections. I’m not trying to dismiss vulnerabilities, but only point out that mitigations really do help to significantly reduce the attack surface.
Not necessarily. While I agree there are benefits to virtualization, it’s not more secure than the same software running on a physical machine. Moreover a lot of old industrial systems can’t be virtualized. There’s loads of old specialized ISA/PCI hardware like capture hardware, 3dfx graphics cards, industrial PLC, copy protection dongles, and so on that don’t necessarily work on a virtual host on hardware that can run a modern OS.
A company I interned at developed automated assembly line equipment and had software that took pictures to detect defects. I don’t know if any of these systems are still in use, but it was specialist hardware that wouldn’t be available on a virtual system. Also, it’s not something that was ever designed to run on the internet.
For another company I needed to port 485 serial software to a modern VM, All the emulators we tested officially supported serial port emulation, but it didn’t work! There were timing idiosyncrasies between the virtual CPU, serial port, and physical hardware that were timing critical and there was significant data loss and 485 collisions when the emulated host was connected to a physical 485 network with real devices. Since I was working for the company supporting this hardware & software, I had source code and able to fix the incompatibilities. But if you had been an end user trying to replace the hardware with a VM on your own, it wouldn’t have been possible if you wanted to.
Both can be useful. Even back in the day sometimes it was preferred to reinstall from a clean slate…especially considering how bad the tools were for dealing with the registry. Anyway, realistically many of these ancient systems will not have backups from the day they were new.
Alfman,
Simply plugging it in to a network might not wreck it immediately, but give it a public IP and it will get wrecked very quickly. But that’s not the main concern.
The main concern is local exploits. Old web browsers, old email clients, etc.
You can put a firewall in front of it, but that will not prevent it from getting owned if you visit “the wrong website” or just reading a random email with a bad payload.
PCI/USB/etc passthrough solves the issues you are bringing up, so yes, it is perfectly possible to do this in a VM.
I’ve had experience with this with siemens PLCs and profibus interfaces.
It works fine. We even tried with a USB to ISA adaptor. It worked just fine.
Wincc didn’t complain either, which is a miracle all by itself.
And it is absolutely more secure. You can run the VM in an ephemeral state and reboot it every so often, restoring it to it’s original state every time.
You can take snapshots, backups, etc without interrupting operations.
There just isn’t any excuse to use w9x on bare metal anymore. Industry or not.
p13,
Ok, but that’s not the scenario we’re talking about. The limited IPv4 space today virtually guaranties you will not have public IPv4 addresses to assign to individual computers and ipv6 wasn’t used with win9x. While you could open up and forward ports to it at the router., I don’t think anyone here is suggesting or thinking it’s a good idea to allow public inbound connections.
“local exploits” are technically redundant in operating systems that lack local security. Sure a hacker might find a local bug/exploit to manipulate storage media into installing new malware on the system, but since programs can already perform this action out of the box using the front door, using local exploits to do it is just redundant.
I agree, it is very risky to use old web browsers and email clients today and it wouldn’t be hard to send you an infected email. That said, it’s probably not cost effective for hackers to spend money blasting out millions/billions of emails in hopes of infecting a vulnerable client from the 90s, but there’s no reason to invite that kind of trouble.
I’m glad it worked for you, sometimes the emulation quality is good and I’m not denying that. But as I’ve already specifically mentioned in my post it doesn’t always work. This depends on the nature of software and hardware and OEM certifications. Another example is I used to use impulse tracker in DOS with midi hardware to compose music. It technically ran under emulation, but the timing was off. I managed to get hardware emulators like timidity working, but the results sounded much worse than running the same software & music on my original hardware synthesizer. It was just music so I shrugged it off and moved on to more modern software, but I’m afraid your suggestion that emulation always works as good as the original fails to hit the mark. It could even be catastrophic in the case of industrial or medical applications!
Yes, virtualization absolutely makes it faster to restore snapshots, but it does nothing to improve the win9x exploits. Assuming an attacker were able to use system exploits such that the system needs to be restored,, which is after all the risk you’ve been criticizing in the first place. then I’d say it gives a very false sense of security. The exploits are still there when the OS is restored! Running old software on old hardware is not the cause of the problem, rather the fact that you’ve allowed hackers to reach it is.
I feel the goalposts have been moving with regards to the original topic. You originally asked about the need for 20 year old software updates:
“So you can install 20 year old patches on your 30 year old operating system? Why?”
“It is pretty useless IMHO.”
So while you are not a fan of old systems, do you understand now why old patches are useful for the people who still use them?
Alfman,
Having such a machine merely present and running in a network is enough for it to potentially get infected. SMB, netbios, a severely broken TCP/IP stack by today’s standard … just setting no-fragment and flooding it with pings is enough to cause win9x to freeze btw.
Installing these patches does absolutely nothing. Zero.
It does not enhance or improve security at all. Having snapshots and backups does, simply because you restore over it if the machine gets wrecked.
Win9x is not a realtime operating system, so i really don’t see the point of all these remarks with regards to timing. W9x uses co-operative multi tasking. You are not guaranteed any form of real time repsonse. In fact, you are pretty much guaranteed to always miss it, even when using timer interrupts.
DOS? That’s realtime, yes, sure, but then there is freedos, which is uptodate and maintained.
Local exploits are absolutely a problem. Stuxnet anyone?
About blasting out millions/billions of emails. Check your spam folder. That’s pretty much a thing. Has been forever.
The goal posts weren’t moved at all.
Providing patches for old-ass windows machines is not useful. People should not be using this.
Even in industrial settings, there are better alternatives.
The thing you don’t seem to understand is that this is going to entice some people to go ahead and stick with windows xp, or god forbid 9x. They think it’s fine, because they get updates, right?
It’s just not a good thing at all.
p13,
No it isn’t and I wish people would stop propagating these false narratives. That is 100% not going to happen unless your network is already compromised! In that case, yes win9x is vulnerable, but if your network is already compromised then you’ve got other problems.
Nobody here is suggesting these should be run on insecure networks. Firewall, firewall, firewall is the name of the game. Many of these old systems will happily run airgaped too. So let’s please stop pretending everyone running win9x era hardware is stupid and exposing their computers to the internet without any mitigations.
Ah, we seem to be using a different definition of “local exploit”. To me a local exploit is the opposite of a “network exploit”, but now I understand that you mean a network exploit that happens to originate from the same subnet. So yes that’s possible, but again firewalls are your friend!
The vast majority of those spams will be social engineering and to a lessor degree malicious payloads like malformed PDFs or excel documents, etc. I am curious about the stats, if you’ve got them, but it wouldn’t really make sense to spend much money and waste your IP reputation targeting platforms with a minuscule market share.
BTW I scanned web logs for windows 98 got 0 hits. Granted it doesn’t mean they don’t exist, but the point is they are extremely rare. I did see some nokia users running IE 5 though. I feel that unsupported mobile devices would be a better target for hackers.
“Mozilla/4.0 (compatible; MSIE 5.0; Series80/2.0 Nokia9500/4.51 Profile/MIDP-2.0 Configuration/CLDC-1.1)”
Realistically, the people running vulnerable systems in a careless manor over the past 25 years were probably already attacked and those who haven’t been attacked in this time frame are statistically likely to be responsible and using mitigations correctly.
p13,
Oh, if you’d like to agree to disagree with me on this, I’m fine with concluding on that note. It’s not a big deal if we have different opinions this time around
Honestly sometimes when I see companies continuing to maintain legacy systems, possibly at great expense, it makes me wonder why they’re so attached to it. I think if often comes down to management wanting to believe their sunk costs have accumulated value. As a developer I don’t always agree with this, continuing to rely on old software indefinitely can impede progress, but I understand where they’re coming from.
Support contracts in industry is usually 30 years for any big machine.
Good question. I run 9x unpatched and internet connected. Mostly it’s for downloading other obsolete software for other machines, as i keep 9x around to write floppies for other machines. But i’ve never really felt the need to patch it.
Didn’t Microsoft send out a CD/DVD with all updates for 9x and NT when they shut down the update-site?
I believe I have one of them somewhere.
smashIt,
Oh did they? That could have been useful, I think I only had the original install disks without updates.
I just searched through my old disks and found a 2 CD-set from february 2004.
It includes updates for XP, 2k, ME, 98, 98SE.
I also got XP SP1&2 as CDs from MS.
smashIt,
Did you have to request these/pay for these? I’m just wondering how you got a hold of them.
The disks were free, but you did have to fill out a form.
So a few comments mention about older OS having virus/malware the moment they go online. But is this actually true anymore?
Certainly back when these OS has massive marketshare there was value in attackers installing virus, botnets and so on. But is that actually still true in 2023? Without the fleet of infected machines infecting others to aid propagation and lack of profit from targeted attacks… who is even bothering?
Adurbe,
Yep, I reinstalled win98 and 15ms later it was hacked! Haha.
On a serious note, I too am curious. I did try to search for recent stats on win 9x attacks but came up empty handed.
While internet scans are easy to do, unlike in the past most computers these days don’t have a publicly routeable address so encountering a direct connection to a win 9x box on the internet seems quite unlikely. You could run win 9x for years on a secure network without ever being attacked. but if you were on an unsecured network (ie WEP) or public network (ie hotel/coffee-shop), then the theoretical risk is much higher. but an attacker would have to infiltrate and scan a network undetected for years before seeing a single win 9x victim. High effort/low payout.
Maybe this changes to lower effort and higher payout for an attacker if you are a high value target for them.
https://www.csoonline.com/article/519698/data-protection-microsoft-leaves-windows-98-to-the-hackers.html
There is kind of a problem. In 2006 Microsoft even stops updating CVEs for 9x.
https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/browser/ms14_064_ole_code_execution.md
This is the next bit of O bugger. Windows Update from 9x to XP is in fact operational due to a known security flaw. Fix that flaw Windows 9x to Xp update no longer works.
Rebuilding Windows update like it use to be is in fact a really bad idea. Different attack suites have 9x exploits in them so its a question of where you are and the attacker you come into contact with. Being known exploit in automated solutions it could be very low effort attack for attacker.
Really it would be good to have like WSUS offline update for older versions of windows.
Yes that CVE-2014-6332 is 95 to Windows 10. So that one attacker was just looking for a flawed internet exploiter. Yes the metaspliot framework by default does not include the older 9x/NT attacks but other attack kits do.
Reality old browser to internet website really bad idea.
Yes even if attacker does not get in because they try a windows Xp and new attack on Windows 9x the result can still be a badly messed up install.
Win9x victim might to be the attackers target flaws from Windows 9x happen to exist in newer versions of windows. This is the trap. Attacker can be going after the flaw see flaw attack flaw opps windows 9x does not work need reinstall. Horrible point here is some of the attackers software may still work. So both the attacker and the user end up in a what the hell moment where things are not going right.
oiaohm,
Well sure, I’m aware of the existence of known vulnerabilities. Vulnerabilities with internet explorer aren’t really newsworthy as even in its heyday IE was notoriously fragile and insecure. I certainly don’t think people should be browsing the web using ancient browsers. Unfortunately new & safe browsers are unlikely to run on old operating systems, but that’s a different problem.
I understand this, but as Adurbe mentions it doesn’t necessarily mean it’s worth doing. I remember malformed packets over the network could attacked win95 hosts . This attack probably still works… but the odds of encountering such old systems at a coffee shop are so low that even a near zero effort exploit may not be of interest any more, especially if the traffic needlessly raises suspicion. In any case I wasn’t recommending people operate ancient operating systems on public networks, we’re just curious about whether it would be attacked in real life in that scenario because random attackers could be focusing on newer targets. I’d love to see empirical data on this, but I couldn’t find any.
“I certainly don’t think people should be browsing the web using ancient browsers. ”
Alfman how does Windows update 3.1 to 6 that can be written as 95 to XP/2003 work is bit you are missing. The answer is you take Internet explorer to a web page then use active x plugin to do updates. Its Vista and newer where windows update comes it true own program.
So this project in it current form has people taking ancient known insecure browser on the web. This is truly bad idea.
I would be vastly happier if the project had user install a Local web server(they do exist for 9x Microsoft in fact made one) and run windows update locally.
” I remember malformed packets over the network could attacked win95 hosts . ”
That is the one I don’t class as major problem. Attacker would have to go out of way.
There are a lot of exploits against internet explorer that work 95 to windows 10. Depending on how the attack program is designed it possible that one attack program work on the lot.
Basically I am not against someone making update project for old versions of windows but the way this is done really is playing with fire. Windows 95 to Windows XP you got a lot of updates on magazine book cover disks this is a different experience that could be replicated to update those old versions of windows that would not have the security problem.
Also the make ISO route with web server on would mean that completed iso to update these old versions of windows could go to archive.org. Lets be real here just like windows update sites have gone away so can the replacements this is the web after all. Wayback machine does not cache everything.
Yes the make ISO route can also include a local web server that runs on windows 9x-2003 to replicate the old windows update online experience without taking 9x-2003 online. This would be the secure way todo this.
“Unfortunately new & safe browsers are unlikely to run on old operating systems, but that’s a different problem.”
https://msfn.org/board/topic/157173-kext-diy-kernelex-extensions/
Yes you are right that a different problem. Web browsers under 2 years old do work on windows 9x after you jump though all the kernelex and add-on hoops. Of course windows update is not going to install third party kernelex and kernelex also cease core development over 10 years ago now.
There is not really a valid reason to be using internet explorer on these old systems other than demo reasons or lack of knowledge.
Yes you do run into problem of not being able to run the latest web browsers and having to install a stack of third party extensions/updates so you can newer web browsers that can effect OS stability adversely and leave existing OS security flaws in place that it still not recommend with these very old OS to be taking them online.
oiaohm,
Well, there is a difference between using an unsafe browser to visit trusted websites versus browsing untrusted websites. Consider that even if we could use a modern browser, it wouldn’t change the trust dynamic, you’d still have to trust “windows update restored” anyway if you intend to use them for updates.
Yeah, it’s too bad that modern browsers won’t just work out of the box. But you don’t have to use IE for updates though, people have written scripts to download and apply updates without using microsoft’s original active x process.
https://www.youtube.com/watch?v=mjJOS3oLctY
“Well, there is a difference between using an unsafe browser to visit trusted websites versus browsing untrusted websites. Consider that even if we could use a modern browser, it wouldn’t change the trust dynamic, you’d still have to trust “windows update restored” anyway if you intend to use them for updates.”
Its not that simple. Old internet explorer got nicknamed internet exploiter for a reason.
https://www.smh.com.au/technology/flaw-in-ies-ssl-implementation-20020813-gdfjdx.html
You have different SSL flaws. Lots of them allowing different man in middles. Modern browser is not as open to being man in middle.
So you need to trust “windows update restored” and anyone who sharing the connection with you not to be problem using old internet explorer. Remember these man in middle attacks against Internet explorer exist up to Windows 10 installs and they work back to 95. So attacker is likely to have those in toolkit not looking for 9x but looking for people using Windows 10 and earlier still using internet exploiter. 9x user would be just caught in cross fire and most likely worse stuffed over in this case.
“But you don’t have to use IE for updates though, people have written scripts to download and apply updates without using microsoft’s original active x process.”
There is more control over what updates are installed using the original active x process to allow for the optional parts. A script could could also be made to setup Win 9x to XP windows local web server as well to allow using the active x process without using internet explorer on the internet.
For demo to people how windows was a local replication of old windows update would be good as well.
Basically I see reason to remake the Windows Update systems but I don’t see good reason for that to be a public internet web server. I would say WSUS for old windows would be good.
“Windows Server Update Services” something you run in business so you don’t have every computer having to connect to windows servers to get updates all the time and can control what updates are deployed.
The reality with the flaws in IE https SSL it is in theory possible to put up windows update servers again for those old copies of window and use the man in middle flaws to make 9x to me accept all the updates as if they are coming form valid Microsoft servers. The unsigned cab they do could be signed using the validation flaw 9x has so it looks to work exactly like it did back in the day.
This is the problem someone willing to use the more evil methods could make something that seams to function better.
This is just the problem of understanding how flawed the bit they are depend on is. Internet explorer has not been deprecated by Microsoft for that long yet. In 5 to 10 years I would not be as worried by then you could start to suspect attackers would not have the attack sitting active in their auto toolkits.
oiaohm,
I’m aware of the risks of using obsolete browsers but if you are going to use them it’s still better to go to limit their use to known sites even if using insecure connections like HTTP.
Sure, as long as it works well most people wouldn’t mind using a new improved more secure mechanism. But I do question whether how much new engineering effort is worth putting into old platforms like this.
Good part is the processing logic of early windows 9x update system are client side. No product code checking or anything. Even more funny Microsoft use to serve those updates from freebsd and linux boxes yes apache web server.
I never had any problems on my Dell GX1, which i put FF on and used to download some even more obsolete software. It’s passably compatible with most websites, but don’t expect to be watching youtube or doing social media on 9x.
For the most part, 9x is so dead that there’s just no exploits out there for it any more. There will of course always be exceptions to the rule, and infected archived software will always be an issue, but random drive-by attacks aren’t such a problem any more.
The123king,
That intuitively makes sense and I also think trusting the software you download and run is going to be a bigger risk than “drive by attacks” against win9x.
In the same sense I would expect the attacks hitting up webservers for wordpress vulnerabilities, which show up in server logs today, will eventually decrease/stop once the payout/costs ratio becomes too low. After all, even known vulnerabilities requires some resources to attack and present non-zero legal risks for violating computer access laws. Also the chances of finding websites that haven’t already been attacked by a specific point in time vulnerability will naturally approach zero over time, greatly reducing the payout of an exploit.
I wonder if I have enough log data to show the evolution of web attacks over time.