Post by 98 Guy
So while I was using Win-98, I was watching the rest of the
computing world cope with XP and its hundreds of vulnerabilities
being discovered every year - because it turned out that win-98
was largely if not almost completely invulnerable to those
vulnerabilities and exploits.
I find it hard to believe that win98 is largely if not almost
completely invulnerable to the vulnerabilities and exploits
which you say infect WinXP, apart from the obvious point that
nobody bothers to attack Win98 these days.
Could you give some reasons/examples to support your assertion?
I paid close attention to all the CVEs that were announced for windows
up until maybe 2008, and paid close attention to Secunia's list of
security issues for win-98 up until it went EOL in 2006. Also all of
Micro$oft's security bulletins during those years (2002 - 2008).
The absolute fact is that even during the years when win-98 was still in
its support phase and running on a significant fraction of computers
(and therefore a sufficiently large target for hackers), the fact is
that almost all of the vulnerabilities that were discovered for IE back
during the 2002 - 2006 timeframe applied only to 2k/XP and not to
win-98. There were hardly any non-IE vulnerabilities discovered for
win-98 during that time, but tons for NT-based OS's.
I would argue that home and soho systems running win-98 from 2000 to
2004 would have been EXTREMELY useful to penetrate because (a) there
were a LOT of them in use during those years, and (b) the likelihood
that they were connected to the net through insecure modems without
NAT. The facts are that pretty much the only way those systems were
exploited was through activation of viral e-mail attachments -
user-facilitated or user-controlled exploitation - which you can't fault
the OS for.
Here are Secunia's reports for win-98 and Win-XP:
Vulnerability Report: Microsoft Windows 98 Second Edition:
=======================
http://secunia.com/advisories/product/13/?task=advisories
Affected By:
33 Secunia advisories
22 Vulnerabilities
Unpatched:
9% (3 of 33 Secunia advisories)
Most Critical Unpatched:
The most severe unpatched Secunia advisory affecting Microsoft Windows
98 Second Edition, with all vendor patches applied, is rated Less
critical.
========================
Vulnerability Report: Microsoft Windows XP Professional:
========================
http://secunia.com/advisories/product/22/?task=advisories
Affected By:
408 Secunia advisories
564 Vulnerabilities
Unpatched:
11% (44 of 408 Secunia advisories)
Most Critical Unpatched:
The most severe unpatched Secunia advisory affecting Microsoft Windows
XP Professional, with all vendor patches applied, is rated Highly
critical.
========================
What a joke.
People were fools to be using Win-XP to connect to the internet and do
anything (e-mail, web-browse) during the years 2002 through 2006 and
arguably through 2008. But they had no choice, because new computers
always came with the most recent, newest version of Windows.
Of the 6 or 7 network worms discovered over the past 12 years, NONE of
them could operate against a win-98 system. Even if that win-98 system
had a direct connection to the internet (no nat router, no firewall).
Even if it was a fresh install of Win-98 from the original CD.
Other vulnerabilities such as IE-based exploits - I think there were a
few. The ANI (animated icon) vulnerability could theoretically exploit
win-98 but it had to be written differently than the ones found in the
wild (targeting XP, of course).
Back in the summer of 2006 (the official end-of-support for win-98)
Secunia.org was listing a grand total of 35 security issues with win-98
- most of which were patched and none of which were "critical". (and
there were hundreds of security issues posted by secunia for win-2k/xp
by July 2006)
In the year or two following that, many or most of the IE patches
released for IE6sp1 for Win-2k were directly usable on win-98. But it's
not clear that win-98 was exploitable to the vulnerabilities being
addressed by those patches in the first place.
I've experimented with several of the java-script-based pdf exploits in
conjunction with acrobat reader 6 (the last version to officially run on
win-98) and the combination of win-98 and reader-6 was not vulnerable to
any pdf exploits I found "in the wild".
You may be aware that there is something called the blackhole (or
blacole) exploit kit, which if you browse to a malicious website your
browser might run some nasty javascript that causes the browser to
download and run arbitrary .exe files (usually fake AV software). I can
tell you that my win-98 system (in combination with Firefox 2.0.0.20)
did actually do that - except the .exe performed an illegal operation
and crashed. In other instances, the .exe file is passed as an argument
to regsvr32 (where it again crashes).
I have since created a "dummy" version of regsvr32 which simply writes
to a log file the argument that was being passed to it. When I want to
install legit software I'll replace the dummy version with the real
one. Apparently this trick of using regsvr32 to invoke malicious files
downloaded with rogue javascript is somewhat common.
Blackhole is the most common vector in use right now to infect people
browsing the internet. It leverages 5 Java JRE vulnerabilities as well
as a "Microsoft Windows Help and Support Center" MS10-042
vulnerability. Windows 98 is completely immune to the MS10-042 issue
(which affects XP). The Java vulnerabilities exist in older versions of
JRE 6, the most recent of those being update 10 (I'm running update 30).
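
[Added example, not part of the original post and not the poster's own program: a sketch in portable C of a "dummy" regsvr32 of the kind described above, which records the file it was asked to register and never loads it. The log file name, the struct and the function names are assumptions made for this illustration.]

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define LOG_PATH "regsvr32_stub.log"  /* hypothetical log location */

struct invocation {
    int silent;          /* /s given */
    int unregister;      /* /u given */
    const char *target;  /* first non-switch argument, or NULL */
};

/* Split the command line into regsvr32's /s and /u switches and the file. */
static void parse_args(int argc, char **argv, struct invocation *inv)
{
    memset(inv, 0, sizeof *inv);
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] == '/' || a[0] == '-') {
            if ((a[1] | 0x20) == 's' && !a[2]) inv->silent = 1;
            if ((a[1] | 0x20) == 'u' && !a[2]) inv->unregister = 1;
        } else if (!inv->target) {
            inv->target = a;
        }
    }
}

/* Build one log record (no newline). Control bytes become '?' so a crafted
   argument cannot forge extra log lines. Returns the record length. */
static int format_line(const struct invocation *inv, const char *stamp,
                       char *buf, size_t len)
{
    snprintf(buf, len, "%s silent=%d unregister=%d target=%s", stamp,
             inv->silent, inv->unregister, inv->target ? inv->target : "(none)");
    for (char *p = buf; *p; p++)
        if ((unsigned char)*p < 0x20 || *p == 0x7f) *p = '?';
    return (int)strlen(buf);
}

int main(int argc, char **argv)
{
    struct invocation inv;
    char stamp[32], line[512];
    time_t now = time(NULL);
    strftime(stamp, sizeof stamp, "%Y-%m-%d %H:%M:%S", localtime(&now));
    parse_args(argc, argv, &inv);
    format_line(&inv, stamp, line, sizeof line);
    FILE *f = fopen(LOG_PATH, "a");
    if (f) { fprintf(f, "%s\n", line); fclose(f); }
    return 0;  /* nothing is loaded or run */
}
```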