In the fall of 1999 I got a Windows 2000 computer. This was a huge step up from Windows 98 and from NT, and I rediscovered that Microsoft could get it right sometimes. I ignored the eye candy version when it came out (Windows XP) until SP2 when they actually had something worth upgrading for. But I kept my venerable Windows 2000 box on the older OS where the processor and memory requirements were modest.

I still run that old computer. I’ve replaced the hard drive (not due to failure but as a preventive move), and each year I vacuum the dust, clean the fans, and run SpinRite. The machine does some simple tasks in its old age – it runs my company pop3 server, IIS for some development, hosts several small MySQL databases, acts as a print server, and it serves some files to my network. It also has some older software installed that I need from time to time which doesn’t emulate well in WINE, such as MS Access from the Office 97 suite.

In July of 2010 Microsoft officially stopped all updates for Windows 2000 and XP through SP2, but I figured that since I’ve got this machine fairly well locked down it would be fine running as-is until it breaks down completely. Then the shit hit the fan.

There have been some big security holes found in Windows over time, but the zero-day .lnk exploit is one of the biggest. Just by rendering an evil icon you can be fully infected with remote user control. This can be triggered in many ways including by looking at an email, opening an MS Office doc of any kind, or simply going to a web page, including displaying the .ico file (the web page’s logo icon). It applies to all versions of Windows, from the latest version 7 down to at least 2000 and probably various versions of NT.

Microsoft has released an out-of-cycle patch, and good thing too as it is apparently easy to exploit once you know how to do it, and there are many exploits in the wild now. It fixes XP SP3 and beyond and there are ways of making it run on XP SP2, but Windows 2000 is left out in the cold.

I really like having my zero maintenance machine. I don’t use it to browse the web or consume content, it runs AV software, and I mostly interact with it via the file system or its services and not through the front end. Can I safely continue to use it?

Although they didn’t publish a fix, Microsoft did publish directions on how to turn off the offending rendering code. It mocks what was a great OS, leaving it looking like an original Mac or a pre-Windows 3 desktop, but it does eliminate the security hole. Here’s what my shortcut bar looks like now:
No icons. So sad.

Since it does allow me to put off the upgrade for another day (or hopefully another several years), I think this is the solution for me.