Subj : Family executables again
To : Mike Luther
From : David Noon
Date : Sun Oct 14 2001 10:59 am
Hi Mike,
Replying to a message of Mike Luther to All:
ML> A friend of mine intensively involved in network support for the
ML> WIN-NT world tonight told me a fascinating tidbit.
ML> He said that after close consultation (but not with whom!) they
ML> removed I think he said four files from all their WIN-NT operations:
ML> OS2.EXE
ML> OS2.DLL
ML> POSIX.EXE
ML> (?) one more
PINBALL.SYS perhaps? That's the HPFS driver for NT.
ML> Their reasoning was that in the early days of WIN-NT, any program
ML> which was strictly a POSIX compliant code operation that originated
ML> in OS/2, could, for example, be run with OS2.EXE and the corresponding
ML> .DLL!
Not quite.
All 16-bit OS/2 programs could be run natively under NT, as 16-bit, protected
mode NT *IS* 16-bit OS/2. There were even DLLs to support 16-bit Presentation
Manager under NT doing the rounds, circa 1993.
ML> Their security analysis of the threat of OS/2 to them was so
ML> great for simplistic programs which could be uploaded to them which
ML> might be run under OS/2 shim in this way that it was un-acceptable!
How many 16-bit, protected mode OS/2 programs were they expecting?
The most widespread 16-bit OS/2 programs were: MS Word for OS/2; MS Excel for
OS/2; and DeScribe.
The first 2 were never upgraded to 32-bit, but were canned by Microsplat, and
the last was upgraded about 7 or 8 years ago. So these 16-bit programs have
been long extinct.
The attack of the killer tomatoes would be more of a threat to their network
than the attack of the 16-bit, protected mode OS/2 programs.
ML> Similarly, the UNIX game was also something they had to absolutely
ML> block as they had no way of policing or working to figure out what
ML> someone else had done if these other systems' programs could be
ML> executed on their networks.
ML> Most importantly, that could be done from outside the WIN-NT network
ML> through this tactic from an outside connectee across the Internet!
No, the OS/2 programs have to be run from an NT shell: CMD.EXE; PROGMAN.EXE; or
EXPLORE.EXE. There was never any RPC [Remote Procedure Call] support for OS/2
executables under NT, AFAIAA.
ML> I'm supposing that in this case, we are still talking about the
ML> WIN2000/NT use of a default NetBIOS over TCPIP and blanket rights
ML> which, I think I understand now exist courtesy of the Nimda.A
ML> learning experience ...
That's simply a security hole in the NetBIOS shares set-up.
ML> Is this a similar scenario, to what we know, as the early WIN-95
ML> programs which will run under OS/2 via the WIN32S.DLL if they do not
ML> require, for example, past version 1.25 of it?
Not really.
Under OS/2, Win32s programs need to be run in a WIN-OS/2 session. This means
that a Win16 shell [typically PROGMAN.EXE or WINFILE.EXE] must already be
running, or a WPS "program reference object" must be created to initiate
WIN-OS/2. Neither of these is performed by Nimda, because it isn't coded for
OS/2. [Yes, I know 4OS2 can start Win16 programs automatically, but Win32s
programs are linked as PE, not NE, load modules.]
The only way you'll get a Nimda infection on an OS/2 machine is if you have an
infected Win32 machine owning filesystem shares with write permissions to your
OS/2 box.
Regards
Dave
<Team PL/I>
--- FleetStreet 1.25.1
* Origin: My other computer is an IBM S/390 (2:257/609.5)
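
Added example, not part of the original message: a Python sketch that tells apart the load-module formats discussed above (NE for 16-bit OS/2 and Win16, PE for Win32/Win32s) by reading the header the MZ stub points to, which is one way to inventory 16-bit OS/2 binaries on a share. The function names and the constructed sample images are assumptions for illustration; the code also recognises LX and LE, which the message does not mention.

```python
import struct

# NE header byte at offset 0x36: the target operating system of the module.
NE_TARGET_OS = {0: "unknown", 1: "OS/2", 2: "Windows",
                3: "European MS-DOS 4.x", 4: "Windows 386", 5: "BOSS"}

def classify_load_module(data: bytes) -> str:
    """Label the executable format found at the start of `data`."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an MZ executable"
    # e_lfanew at 0x3C of the MZ stub holds the offset of the new-style header.
    (new_hdr,) = struct.unpack_from("<I", data, 0x3C)
    if new_hdr == 0 or new_hdr + 4 > len(data):
        return "plain DOS MZ"
    sig = data[new_hdr:new_hdr + 4]
    if sig == b"PE\0\0":
        return "PE (Win32)"
    if sig[:2] == b"NE":
        if new_hdr + 0x37 > len(data):
            return "NE (truncated header)"
        target = data[new_hdr + 0x36]
        return "NE 16-bit, target " + NE_TARGET_OS.get(target, f"code {target}")
    if sig[:2] == b"LX":
        return "LX (32-bit OS/2)"
    if sig[:2] == b"LE":
        return "LE (linear executable)"
    return "plain DOS MZ"

def sample_image(sig: bytes, target_os=None) -> bytes:
    """Constructed header-only image: MZ stub plus a header at offset 0x40."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x40 + len(sig)] = sig
    if target_os is not None:
        buf[0x40 + 0x36] = target_os
    return bytes(buf)

if __name__ == "__main__":
    samples = {"16-bit OS/2 program": sample_image(b"NE", 1),
               "Win16 program": sample_image(b"NE", 2),
               "Win32s program": sample_image(b"PE\0\0"),
               "32-bit OS/2 program": sample_image(b"LX")}
    for name, image in samples.items():
        print(f"{name:20} -> {classify_load_module(image)}")
```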