Subj : Family executables again
To   : Mike Luther
From : David Noon
Date : Sun Oct 14 2001 10:59 am

Hi Mike,

Replying to a message of Mike Luther to All:

ML> A friend of mine intensively involved in network support for the
ML> WIN-NT world tonight told me a fascinating tidbit.

ML> He said that after close consultation (but not with whom!) they
ML> removed I think he said four files from all their WIN-NT operations:

ML> OS2.EXE
ML> OS2.DLL
ML> POSIX.EXE
ML> (?) one more

PINBALL.SYS perhaps? That's the HPFS driver for NT.

ML> Their reasoning was that in the early days of WIN-NT, any program
ML> which was strictly a POSIX compliant code operation that originated
ML> in OS/2, could, for example be run with OS2.EXE and the corresponding
ML> .DLL!

Not quite. All 16-bit OS/2 programs could be run natively under NT, as 16-bit, protected mode NT *IS* 16-bit OS/2. There were even DLLs to support 16-bit Presentation Manager under NT doing the rounds, circa 1993.

ML> Their security analysis of the threat of OS/2 to them was so
ML> great for simplistic programs which could be uploaded to them which
ML> might be run under OS/2 shim in this way that it was un-acceptable!

How many 16-bit, protected mode OS/2 programs were they expecting?

The most widespread 16-bit OS/2 programs were: MS Word for OS/2; MS Excel for OS/2; and DeScribe. The first 2 were never upgraded to 32-bit, but were canned by Microsplat, and the last was upgraded about 7 or 8 years ago. So these 16-bit programs have been long extinct.

The attack of the killer tomatoes would be more of a threat to their network than the attack of the 16-bit, protected mode OS/2 programs.

ML> Similarly, the UNIX game was also something they had to absolutely
ML> block as they had no way of policing or working to figure out what
ML> someone else had done if these other systems' programs could be
ML> executed on their networks.

ML> Most importantly, that could be done from outside the WIN-NT network
ML> through this tactic from an outside connectee across the Internet!

No, the OS/2 programs have to be run from an NT shell: CMD.EXE; PROGMAN.EXE; or EXPLORE.EXE. There was never any RPC [Remote Procedure Call] support for OS/2 executables under NT, AFAIAA.

ML> I'm supposing that in this case, we are still talking about the
ML> WIN2000/NT use of a default NetBIOS over TCPIP and blanket rights
ML> which, I think I understand now exist courtesy of the Nimda.A
ML> learning experience ...

That's simply a security hole in the NetBIOS shares set-up.

ML> Is this a similar scenario, to what we know, as the early WIN-95
ML> programs which will run under OS/2 vis the WIN32S.DLL if they do not
ML> require, for example, past version 1.25 of it?

Not really. Under OS/2, Win32s programs need to be run in a WIN-OS/2 session. This means that a Win16 shell [typically PROGMAN.EXE or WINFILE.EXE] must already be running, or a WPS "program reference object" must be created to initiate WIN-OS/2. Neither of these is performed by Nimda, because it isn't coded for OS/2. [Yes, I know 4OS2 can start Win16 programs automatically, but Win32s programs are linked as PE, not NE, load modules.]

The only way you'll get a Nimda infection on an OS/2 machine is if you have an infected Win32 machine owning filesystem shares with write permissions to your OS/2 box.

Regards

Dave

--- FleetStreet 1.25.1
 * Origin: My other computer is an IBM S/390 (2:257/609.5)