[Dailydave] The long tail of vulnerable operating systems

[Matt Hargett]

On Monday 12 November 07 07:34:30 Thomas Ptacek wrote:
> We see extensive Solaris deployments. More Solaris than Fedora by far.
>
> We see regular scattered Win2K deployments.

I know of at least 3 different companies here in the Silicon Valley that have 
NT 4.0 deployed and actively used. Unfortunately, Microsoft hasn't silently 
patched NT 4.0 SP6 for bugs like they have with Win2k SP4. (Well, the 
*English* version of Win2k SP4, anyways.)

I've seen some Win98 in state agencies, and my advice to them is always to see 
if it works with CrossOver or to pay the $2500 or whatever to get it working. 
None of the legacy apps, even under NT 4.0, do anything totally crazy that 
would prevent them from working in wine or a newer OS. In most cases the 
customer was told the app would only work on a certain OS and they either 
never tried the app on a newer OS. Or they tried it on a newer OS, had some 
issues, and they didn't try to debug what went wrong. (In one case, they 
tested under WinXP and it didn't work because they only copied the EXE and 
not the supporting DLLs.)

Most of these places still using NT 4.0 or Win2k are just migrating to Linux 
because they are tired of MS abandoning them every time they have a new OS to 
sell. The exception, of course, was XP SP2 which did a wonderful job of 
incorporating a lot of fixes and new technologies to help stem exploitation. 
Here's hoping they recompile the whole OS again using the latest and greatest 
compiler tech from Vista for XP/Win2003 SP3.