I think that it was the right thing to do. There are a LOT of shops out there still running NT4, and frankly I would like to see more patches released for it.
“The second critical flaw concerns a bug in cursor and icon format handling that Microsoft warned could allow remote code execution.”
A remote exploit in cursor and icon format handling…wow.
That’s Microsoft in a nutshell…
Right, perhaps as people on Windows become more security conscious, hackers have to get more creative, because an email attachment just doesn’t pack the punch that it used to.
That’s the whole thing about alternative operating systems: People say “Oh, this could never happen in my OS of choice because my OS doesn’t do xyz …” and then you look at a security hole via a cursor – I mean, who woulda thunk it? In other words, most operating systems probably have more holes than you can possibly imagine, it’s just that hacking Windows has become a professional sport.
I mean how long is MS supposed to support NT4? These people have been warned for years that support was ending and they had to move on. Why aren’t they? If they have some mission critical app that only runs on NT4 then they should have done something about it instead of hoping MS keeps supporting them.
I will say that this is still one area why OSS has an advantage. Because it’s open you can fix flaws yourself or hire an engineer to backport fixes. With Closed source that’s just not possible.
btw Darius
“In other words, most operating systems probably have more holes than you can possibly imagine, it’s just that hacking Windows has become a professional sport.”
I agree that there are more holes than the ones that are found but it’s a falsehood that Windows has more flaws simply because it’s more popular. That argument was debunked years ago and I don’t know why people continue to bring that up. The short version of why you are wrong, Apache v IIS. Apache has way more marketshare, is a much bigger target, you can see the freaking source code, and yet it destroys IIS when you compare their security track records. So no, Windows isn’t being exploited simply because it has more holes. It has more holes period and the ones there are boneheaded.
‘In other words, most operating systems probably have more holes than you can possibly imagine, it’s just that hacking Windows has become a professional sport.’
I agree with the first part but the second is basically shooting at fish in a barrel.
I agree that there are more holes than the ones that are found but it’s a falsehood that Windows has more flaws simply because it’s more popular.
I didn’t say it has more flaws because it is more popular. What I meant was that on average, more of its flaws are being exploited because more people are actively looking for them.
A remote exploit in cursor and icon format handling…wow.
Because it’s not like other OSes ever get buffer overflows in things like, say, graphics libraries, right?
Remote code execution in cursor/icon format handling?
When Microsoft makes bugs, THEY MAKE BUGS.
Congrats to whoever found this (MS engineer or some other poor soul still working with NT4)! It’s really fitting that such an obscure bug could have led to the coolest ‘sploit in the world. “CometCursors: now more than just spy/adware!”
Most of the “serious” server OSes I’m aware of don’t typically come with things like “graphics libraries”.
Graphical services are typically used by the interface which is resident on a client box, not a server.
Maybe that’s why Microsoft’s products are seen as the rough equivalent of a “house of cards” by many of us…
IIS’ track record as of late has been very very good (with IIS6 in Win2k3).
That’s Microsoft in a nutshell…
ha! (-8
“Most of the “serious” server OSes I’m aware of don’t typically come with things like “graphics libraries”. ”
Then most of the servers you’re aware of are crippled products. Whether it tickles your fancy or not, we’re not living in the 1970s and graphics capabilities are an integral part of computing. Any OS not supplying a good set of graphical APIs is only encouraging its developers to create their own when they need it – leading to many APIs and many more vulnerabilities. Servers need graphic tools to provide many services, and all but a quaint group of sysadmins know that the benefits of a GUI do extend to many admin tasks.
Quote: “I mean how long is MS supposed to support NT4? These people have been warned for years that support was ending and they had to move on. Why aren’t they? If they have some mission critical app that only runs on NT4 then they should have done something about it instead of hoping MS keeps supporting them.”
I totally agree. NT4 is old and outdated, and for those companies that are just being too tight to upgrade their systems I don’t pity them. I mean, if people were using a v.1.1 Linux kernel what would happen? They’d be told to update their kernel.
Let’s be realistic here, NT 4 is circa 1995.
Dave
Quote: “Then most of the servers you’re aware of are crippled products”
Rubbish – they most certainly aren’t crippled. To a Microsoft sysadmin who’s generally incapable of using a command line [I’m generalising here] they feel very comfortable with a GUI and it may seem that way.
Unix has been doing it without a GUI for many years now, and guess what – those servers still did the job. You don’t *need* a GUI for a server, and it’s in fact unwanted. I’d shoot a sysadmin if they put up a Linux server with X Windows on it. It’s a memory hog and a security issue.
I see your point about APIs etc, but hey, if a company develops internal API libraries for THEIR systems it doesn’t have to be compatible with other systems from other companies. It just has to work on THEIR server. Nothing else. That really makes your point moot. Closed src APIs would mostly be safe anyways from a security point of view, as very few would have access to the src code – I guess it all depends on the quality of the programmers, and how well they audit the code etc.
Dave
“It has more holes period and the ones there are boneheaded.”
The most common place for bugs in any software is in the lines of code that look simple but are just complicated enough to avoid being spotted without close examination, this is where people are likely to be the least cautious while coding and where they are likely to skim over the code when reviewing it rather than going through it thoroughly. Even OSS apps have this problem with one difference, since OSS apps are usually seen by a lot of eyes someone is more likely to notice before the software has a stable release.
What you’re implying doesn’t seem fair to me since it sounds like you’re putting all the blame on Microsoft’s coders, really I see it as a failure in quality assurance and I think Microsoft should improve their beta testing program. IMO the best way to do that is to stop charging people a subscription fee to beta test early versions, that’s like me charging you money for every hour you spend helping me paint a house which I’m then going to sell to you for full price.
What’s wrong with something like webmin?
I applaud them on the one hand, but quite frankly I wish it would die. tbh, I’d prefer to see 9x die. only 21 months to go yippee!
well said, (I really like tkinter for all my dirty hacks) sorta.
FWIW, the network transparent X seems to do the job for application serving in most of the lan topologies where I would use gui tools to perform irregular jobs (for regular jobs I like vixie cron). Of course we don’t have trees and forests for directory services here, so maybe it’s something necessary in the backwoods (teasing).
mind you, application serving is something guys like sun, citrix, and ibm make big dollars at, so maybe I missed something.
“Whether it tickles your fancy or not, we’re not living in the 1970s and graphics capabilities are an integral part of computing. Any OS not supplying a good set of graphical APIs is only encouraging its developers to create their own when they need it – leading to many APIs and many more vulnerabilities. Servers need graphic tools to provide many services, and all but a quaint group of sysadmins know that the benefits of a GUI do extend to many admin tasks.”
Servers need graphics tools?
Just because we can have chrome exhausts on cars, you don’t see them putting them on lorries. If you think a server needs a graphical interface then you have truly been sucked in by the MS bandwagon. Why does a server need a graphical interface? So you can administrate it? Sorry, but I expect my key server admins to be a little more capable than point-and-click.
I would go as far as to say servers need GUIs, but I would expect at least a good ncurses interface.
I would think if you’ve been doing command-line administration for years, you probably like it better. But picture yourself in the shoes of a newbie – which would you rather learn? An assload of commands at the CLI, or an intuitive, user-friendly approach?
I wouldn’t go as far as to say servers need GUIs
That’s a little harsh. I know a lot of sysadmins who install xwindows on their servers so that they can start up x and use graphical tools for certain jobs (some things are just quicker that way); as long as you start up in runlevel 3, any security risks from running x are moot (since it’s not running by default). I also don’t have much of a problem with something like webmin; you’re probably going to be running ssh anyway, so what’s wrong with logging in remotely, starting the webmin service, connecting via your favorite browser, getting some work done, and then shutting the service down?
“Then most of the servers you’re aware of are crippled products.”
Not at all — we just keep the GUI functionality on the client side of life.
Core interface elements tend to be handled on the client side even when dealing with X, and in most cases it takes fewer server resources (and less network bandwidth) to send raw data to each client and have them render graphs if required.
“Whether it tickles your fancy or not, we’re not living in the 1970s and graphics capabilities are an integral part of computing.”
Graphics are an integral part of desktop computing, yes.
“Any OS not supplying a good set of graphical APIs is only encouraging its developers to create their own when they need it – leading to many APIs and many more vulnerabilities.”
Huh? We use standard graphical APIs which are provided on the client side.
Remember that my comments are about *SERVER* platforms.
“Servers need graphic tools to provide many services, and all but a quaint group of sysadmins know that the benefits of a GUI do extend to many admin tasks.”
Such as…?
The main reason NT4 is still out there is the domain model. Lots of companies are still using NT4 for domain controllers. The upgrade/migration to Active Directory for a medium to large organization is very complex and costly. NT4 will still be floating around for quite some time still….
Webmin is a very good example of the effective use of GUI tools for server administration without needing to burden the server itself with GUI processing.
The web client on the *client box* does most of the work.
Actually, it’s circa 1992 software that was finally released by Microsoft in 1995.
My home PC is much closer to being a true circa 1996 desktop box, being a PPro/200 with 192MB RAM, an Adaptec 2940U, a 4MB Matrox Millennium, a 12MB Voodoo2 card, and an ISA SoundBlaster AWE32. It dual-boots, mainly running OS/2 Warp 4 released in 1996, but sometimes playing games in Windows 95 OSR2 which was also released in 1996.
I’m still quite pleased with that box. In some respects, it’s considerably more responsive than the 2.66GHz P4 with 256MB running WinXP Pro that I use at work.
Why? Because I’m using tools on my older box which were designed to run efficiently on that level of hardware.
Ageism in a computing context is stupid. We’re talking about tools, not the latest fashion.
Yes – you could run X and webmin etc, log in via ssh and start it up. The thing is that the vast majority of administration on a Unix or Linux box can be done from the command line without too much difficulty and it’s not a common, daily ‘you must run the full gamut of checks’ [although this comes down to how pedantic you are I guess].
Maybe shooting a sysadmin is a bit harsh – hang him/her up by the ankles or give them the rack might be more appropriate for first offences
Dave
“Maybe shooting a sysadmin is a bit harsh – hang him/her up by the ankles or give them the rack might be more appropriate for first offences”
Now that’s more like it. I agree that most of the administration can easily be done from the command line (if you know what you’re doing); I just wanted to say that graphical tools can be quite useful on occasion as well. Some days I don’t feel like delving into config files and editing 20 lines of text if there is a graphical tool that automates the job…it’s easier just to check on the tool’s changes and make sure they’re right. Of course, most days I feel like getting my hands dirty; maybe I have a bit of a masochistic streak
Now that’s more like it. I agree that most of the administration can easily be done from the command line (if you know what you’re doing); I just wanted to say that graphical tools can be quite useful on occasion as well. Some days I don’t feel like delving into config files and editing 20 lines of text if there is a graphical tool that automates the job…it’s easier just to check on the tool’s changes and make sure they’re right.
There is also one (significant) often overlooked advantage of “graphical” configuration tools – that of input validation.