Microsoft has issued patches for two critical holes in Windows NT4, as part of its January patch update.
Support for NT4 officially ended on 31 December 2004, but last week the company appeared to have backed down and offered two critical patches for NT4 server users.
The first concerns users of Internet Explorer 6.0 Service Pack 1, running on any of the supported platforms (NT, Windows 2000 SP3 and SP4, Windows XP SP1 and SP2, Windows 2003 and Windows 98/Me).
The security hole concerns the ActiveX HTML help component in Explorer.
According to Microsoft, "An attacker could exploit the vulnerability by constructing a malicious web page that could potentially allow remote code execution if a user visited that page. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
Microsoft said users of Windows NT Server 4.0 and Windows NT 4.0 Terminal Server Edition not running the affected version of Explorer would not need the patch.
The second critical flaw concerns a bug in cursor and icon format handling that Microsoft warned could allow remote code execution.
The company previously stated that it would continue Windows NT Server 4.0 incident and security hotfix support through 31 December 2004. Support for non-security hotfixes ended on 31 December 2003.
On its security site, Microsoft said its engineers had carried out the bulk of the work on fixing the vulnerabilities before the end of 2004. However, Microsoft said it decided to release a security update for this operating system version as part of this security bulletin.
The company said it does not anticipate doing this for future vulnerabilities that may affect the NT4 Server operating system, but added, "we reserve the right to produce updates and to make these updates available when necessary".
It urged users running NT4 Server to migrate to supported operating system versions to prevent potential exposure to vulnerabilities.