Microsoft plugs Windows 95 hole

Microsoft will release a patch for a Windows 95 security bug, but users may not be completely protected.

2 min read
Help is on the way for Windows 95 users whose computers are still vulnerable to "denial of service attacks" from hackers that can cause their computers to crash unexpectedly.

Microsoft (MSFT) said that it will post a patch tomorrow that shields Windows 95 users against the "out of band" attack, a week after posting a similar patch for users of its Windows NT operating system.

But Microsoft's patch may not completely protect its operating systems from being bounced off the Net. According to several users who contacted CNET's NEWS.COM today, Microsoft's Windows NT patch does not shield users from attacks launched from Macintosh computers, though it does appear to prevent Unix and other Windows users from issuing out of band attacks.

In order to exploit the latest vulnerability, Web sites must send a special TCP/IP command known as out of band data to port 139 of a computer running Windows 95 or NT. Hackers could also target users' PCs through a program for Windows, Unix, and Macintosh now circulating on the Net called WinNuke. To crash a PC over the Net, a hacker simply types a user's Internet protocol address into WinNuke and then clicks the program's "nuke" button.

Michael Furdyk, senior editor at MyDesktop.com, a resource site for Windows users, said today that he has received email from more than two dozen Windows NT users who have been successfully nuked in Internet relay chat groups, where many out of band attacks have occurred, even though they have the Microsoft patch installed.

"People are confused about what's happening," Furdyk said.

A Microsoft spokeswoman today could not confirm whether NT users were still vulnerable to Mac attacks, and whether those users who install the Windows 95 patch would also be vulnerable. She also could not confirm whether users of Microsoft's older Windows 3.11 OS were also affected by the problem.

The patches for Windows NT versions 4.0 and 3.51 are available on Microsoft's Web site. Last Thursday, the company also posted a collection of software patches, called service pack 3, that contains the NT out of band fix.