Microsoft has issued patches for two critical holes in Windows NT4 as part of its January patch update.
Support for NT4 officially ended on 31 December, but last week the company appeared to have backed down and offered two critical patches for NT4 server users.
The first concerns users of Internet Explorer 6.0 Service Pack 1 running on any of the supported platforms (NT4, Windows 2000 SP3 and SP4, Windows XP SP1 and SP2, Windows 2003 and Windows 98/Me).
The security hole concerns the ActiveX HTML help component in Internet Explorer. Microsoft said, "An attacker could exploit the vulnerability by constructing a malicious web page that could potentially allow remote code execution if a user visited that page. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
Microsoft said users of Windows NT Server 4.0 and Windows NT 4.0 Terminal Server Edition not running the affected version of Internet Explorer would not need the patch.
The second critical flaw concerns a bug in cursor and icon format handling that Microsoft warned could allow remote code execution.
The company previously stated it would continue Windows NT Server 4.0 incident and security hotfix support until 31 December 2004. Support for non-security hotfixes ended on 31 December 2003.
On its security site, Microsoft said its engineers had carried out the bulk of the work on fixing the vulnerabilities before the end of 2004, and so it had decided to release a security update for NT4 as part of its security bulletin.
The company said it did not anticipate doing this for future vulnerabilities that may affect NT4, but added, "We reserve the right to produce updates and to make these updates available when necessary."
It urged users running NT4 Server to migrate to supported operating system versions to prevent potential exposure to vulnerabilities.