Microsoft Refuses To Fix NT 4.0 Exploit
shmigget writes "The Register is reporting that Microsoft is throwing in the towel as far as NT 4 is concerned on the latest security flaw to affect Windows 2000, XP, and NT 4. They quote Microsoft as saying 'The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.'" There still is a workaround for NT 4.0. Instead of patching the problem, it's advised to firewall off port 135 on an affected machine.
So in effect, ZoneAlarm could be considered as a patch for this problem??
I like the Bill "Borg" icon better than this icon
No, I don't like it... but support for NT4 is dropped on 30 June 2003 and that's not really far away.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Is NT really used these days? I remember some of our management applications (browser based) had to be NT tested a year or two ago.
These days it's all Windows 2000 and XP, and people are considering dropping the 2000 support sometime in the near future.
--------
Free your mind.
Kinda makes you wonder what other fundamental flaws are there in NT4.0 that will prevent fixes from happening. ...And Microsoft wants to be known as a company you can trust with security. This should throw them back a couple of eons.
Don't they promise to support products for a given amount of years for some enterprise customers? What will happen in these cases?
It seems strange on the surface for them to admit that their product is 'unfixable,' but really, doesn't it make sense as an upgrade-inducer? Granted that in a more competitive market people would be put off by this, but some people don't regard the other choices with which we are so familiar as acceptable options, leaving them sending their checks to Redmond no matter.
Then again, people still buy new models of cars which have had huge safety problems in the past, even though other choices are available; perhaps the real phenomenon is that marketing is sometimes more powerful than good judgement.
All Microsoft-bashing aside, does anyone else see something majorly wrong when it's impossible to fix a fairly serious exploit due to architecture limitations in the OS??
They're basically saying that they can't fix it because the OS makes it impossible to do so. Not because it's inherent in some protocol, or because it is a natural effect of some kind of desired behavior or something, but because the OS DOESN'T SUPPORT IT?????
That's just wrong.
A Minesweeper clone that doesn't suck
You have to wonder how long a company can support an operating system. You have to remember that NT was released in the mid-90s so it's 7+ years old. Microsoft is beginning to put NT4 to end of life and that the people who will really know the code may have left Microsoft or moved on.
I mean we all go on about how bad MS is but you can expect them to support everything forever can you?
Rus
Cheap UK and US VPS
An architecture that doesn't allow a bug/vulnerability to be fixed??? Come on, that clearly shows that it's flawed by design. ;-)
I was going to say they had stopped supporting NT4 anyway so were within their rights, but I looked it up and it appears they are providing NT4 hotfixes until the end of 2004. Either way, a service pack or something equally dramatic for one flaw I think is overkill and blocking port 135 on a firewall is a better option.
It's their right to do so. I don't see a reason how they are doing something "wrong". It's their product, and they have said they have discontinued it. It's up to the users to find a suitable fix for the system.
Kinda makes one think of benefits of open source; if something like this happens, you can always hire some hacker to fix the hole, wherever it is, for the right amount of money.
Save your wrists today - switch to Dvorak
M$ Programmers - "But it's a product that is still in use, we have a responsibility to our customers."
M$ Exec's - "Wats this respongeability you say?"
If you are still running NT4, you probably are too busy (or lazy) to update security patches anyway.
NT4 needs to DIE. If you prefer the Windows platform, you've had ample time to move to 2K, or else another platform.
What other operating systems from back then are still "supported" now ?
Solaris 2.6 maybe ? (Rapidly approaching EOL/EOS)
What else ?
Point is: NT4 is so old (and so BS), I can see why they want it to die (apart from the reason that they want to sell the new OSs)
Windows 2000 - from the guys who brought us edlin
... open source it.
So maybe they just figure why bother when the end is near for NT4 anyway. Not that that is a good excuse, but it makes sense in the big business world.
And no, I am not sticking up for M$.
MicroSoft uses every dirty trick in the book to escalate their sales. This new exploit now gives NT4 shops an urgent need to upgrade.
Because of the closed source, there is no way to patch a MicroSoft product without MicroSoft. If someone figures out a way to fix it, MS will undoubtedly sue the shirt off their backs.
This seems to be an underlying plan for the MS scheme to make money. Two - three years from now they will be pulling the same thing with windows 2000 just to keep a perpetual upgrade going on even though the older systems work perfectly fine.
There are still systems that are 20+ years old that still work and do their purpose, yet the lifespan for anything running MS is only 3-5 years.
Imagine if the stock market was running windows NT!
"Microsoft Refuses To Fix NT 4.0 Bxploit". I think you mean exploit :)
Rus
Cheap UK and US VPS
Why are we not seeing the Bill Gates Borg? Do we need another topic just for windows? If so, it should be a window through which we see the Gates-Borg.
http://www.naildrivin5.com/davec
say in 97/98/whatever they would have just looked at it and said "well darn...an NT4 bug that just can not be fixed"?
What's sad is that there is a 2k/XP fix...and I bet an NT fix would not be that hard considering they are quite similar OS's.
What the hell is that?
They're not saying (publicly, anyway), "hah, we're not supporting this ancient operating system any more, go away."
The article quotes them saying they can't fix it, there's too much stuff to do.
Using your firewall to block port 135 is fine, unless you actually need RPC for something useful. In that case, I'd say that a firewall that discards all malformed packets (more complicated) is in order. Or an upgrade to Win2K. After all, it's been out for, what, 4 years now?
Get off my launchpad!
not sure what a Bxploit is, but it sounds a lot like an exploit.
The security flaw mentioned is a Denial of Service vulnerability. This flaw does NOT allow exploit of the system.
After running this through the honesty filter, we come out with:
"Windows is fundamentally insecure. Suck it up."
Gotta love the honesty.
-Waldo Jaquith
Anyone notice ?
;-)
They changed the icon !!!
Next thing is, the Bill and Melissa Gates Foundation buys Andover and all assets from VA and closes shop...
Windows 2000 - from the guys who brought us edlin
Is that like some sort of exploit of the x86 processor's BX register?
If so, pretty creative name, I must say.
Ve haf ways of making you upgrade, ya!?!
- - -
"The sixth sick shiek's sixth sheep's sick."
"Windows XP Professional is built upon the rock-solid reliability of Windows NT technology, the architecture that is so fundamentally limited that it does not support the changes required to remove significant vulnerabilities."
Doesn't have quite the same ring to it.
- JoeShmoe
.
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
Is this shorthand for Bad exploit?
You are being MICROattacked, from various angles, in a SOFT manner.
Use Linux. It's free and it comes with a lifetime of free updates.
Just as there are over 20 million users of Windows 95, there are numerous (I don't know the estimate) users of Windows NT 4... nuff said.
I think events such as this will be another nail in the coffin of MS simply because if they are so unsure of the current capability of NT and its problems due to a complete lack of engineering and proper design then I am betting that many will rightly ask, "has MS really improved with 2000 and the impending 2003 .NET server?"
Then again, I feel no pity for the fools that chose pretty buzz words and software boxes over stable, secure and extensible solutions. That is the price of business. If you choose to pay more for less then don't come crying to the government or anyone else when your infrastructure begins to collapse from its own bloat.
The other day I read an article that said NT might be a bigger threat to Microsoft sales than Linux, now suddenly there is this unfixable bug. Hmmmmmmmm.
Insert pithy comment here.
M$ Exec's - "Wats this respongeability you say?"
The kind of product support you would expect from a commercial Unix killer rather than the kind of "support" you got from windoze 3.1. Oh my, the difference was only a matter of time. Pthththfit! That's some kind of incentive to "upgrade" to w2k, I mean XP.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Plus, why are people so irksome in not upgrading to ever newer and more expensive operating systems like they're supposed to? Constantly forcing Microsoft to keep looking back over legacy code. It's ugly, dirty and scary back there, not like in candy XP land.
See above.
You think that I'm crazy, you should see this guy!
If you click on the 'topics' link on the left, you'll see that slashdot has one icon for Microsoft (the borg) and another for Windows (this shitty one.) If you click on the Windows icon, you'll find that this is the only story ever posted with it. So we can probably rule out Bill using his mind control ray to control Taco's mind, and chalk it up to the usual slashdot incompetence.
Microsoft has learned that features alone haven't been enough to persuade its users to move to newer OS versions, so they are giving the vulnerability angle a try:
"Hey, buy our newest product, we still fix those vulnerabilities. You do still care about the security of your data, don't you?"
I can't see why MS would choose to not support a product that many customers are willing to continue to pay for support for. The support charges should be gauged to cover support costs.
That said, I wonder if it would make sense for them to SELL a patch for older software like that. Just a small fee that effectively says "Oh, ALL RIGHT, if you insist, here. Pay up, you're wasting our time." Maybe something they should try?
i'm amazed that i survived - an airbag saved my life.
OK guys, now's your chance to set up a Linux firewall to protect those poor, insecure little NT boxen. Get to work. It's what I'm going to do.
If Bill of Borg would only release the source to his stuff, these bugs would be fixed real quick like.
This sig no verb.
Why not microsoft ?
Those Eastards!
has port 135 wide open on their firewall?
They use things like this to force customers to upgrade.
They did something similar with Windows 95 to force EDS (a huge customer) to upgrade.
Microsoft wants people to stop using NT 4, so by refusing to apply security fixes they can tell customers "you need to upgrade to fix this" and thus keep revenue coming in.
NT4: I'm not dead yet.
..and on and on.
Microsoft: Yes you are, you just don't know it.
NT4: Really, I'm very much alive.
Microsoft: No, you're very sick and could give over any minute now.
(I'm so ashamed I can't recall that conversation verbatim...
Getting old, I suppose.)
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
The official reason of this decision according to windowsupdate is, NT 4 needed more parts to be recompiled than rest platforms, therefore - as I logically assume - more trouble for them, more trouble for people that download critical updates with slow connections and old hardware.
This is of course unacceptable in the unix world of stability.
In the Windows world of features, this sounds like a normal decision.
Not surprised.
I can't believe what people are saying here. So NT is 10 years old. Lots of places still use it; my work, for one. People pay big bucks for this; why shouldn't they expect exploits to be fixed? It's all very well & good to say, well, Red Hat doesn't fix exploits in its old versions, so why should Microsoft? But people pay MS with the expectation that their payment will lead to fixes, etc. Additionally, it's pretty easy to upgrade Linux (at least Debian is, don't know RH). Upgrading Windows is a lot of trouble. I could pretty much upgrade cleanly using apt-get, needing only a reboot for the new kernel, with the expectation that my old software has a good chance of running, and that the new version will run fine on the hardware I have. Windows? Not a chance. Could XP run on the hardware that NT can? I doubt it. But I know that Debian 3 can run on 486s, for example. I've done it.
They are contractually obligated to support NT 4.0 until June 30, 2003. Not forever. Just until then. "It's old and boring and we don't understand it" isn't an acceptable excuse.
...when you can claim it is unfixable and encourage an "upgrade"?
Murphy was an optimist.
at least in terms of PR.
Microsoft: "Um, we don't want to fix this. But here's the kernel source, so why don't you fix it for us?"
Beady-eyed kernel hacker: "OK!"
It's not such a silly idea with a practically end-of-life'd product; bugs and exploits would get found and fixed and since Microsoft doesn't seem to want to support certain OS changes, we'd do it for them. And it would be a great PR boost. "Microsoft supports freedom to innovate!". Hm.
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
>blocking port 135 on a firewall is a better option.
I can't help but wonder how many brainwashed MSCE's will "solve" the problem by setting up a firewall running Win2K.
Microsoft's explanation of why they will not fix the bug, in the security report, uses so many 5-dollar words like "rearchitecting" that I prefer to think it is just a way for them to avoid the effort of making a patch.
:)
Perhaps they don't employ any rearchitects that can do the rearchitecting needed to fix it.
BTW, how does one pronounce "Bxploit?"... I submitted the same story, but spelled correctly
"Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
NT4 came out in September 1996, just three months after Linux 2.0. The last 2.0 version is 2.0.39, which was released January 2001, over two years ago. Both groups have moved on, and aren't willing to spend much effort on the old versions. It's true there are more recent 2.0 pre-patches, but if you're willing to use one of those, simply adding a port to your firewall block list should be cake.
And yes, with Linux, you have the source, so you could fix this yourself, right? Microsoft says this requires large architectural changes. I think any person or group willing to re-architect NT4 or the 2.0 kernel would better spend their time and effort upgrading to a newer OS version.
I bet they're not going to patch NT 3.51 either. So what? If you're still using NT 4.0, you knew LONG ago this would happen.
This is just another example of Microsoft displaying its new philosophy of "Trustworthy Computing".
Ever since they announced their Trustworthy Computing initiative they have been going out of their way to build the public's trust in them...
Oh wait...
Company refuses to support old release. News at 11.
Come on guys, NT4 is damn near EOL, and I have to guess over 75% (BS number, I know) of people use 2000, XP, or the upcoming 2003.
We all bitch about their holes, but we expect them to patch ME, XP, 2000, 2003RC, NT4 and some people still bitch about a lack of 3.51 patches, namely some government types.
I realize they're all big and bad, but really, how many different releases do you support before you start killing some off.
And did it ever occur to you that maybe, just maybe, it really isn't possible to patch NT4 without a drastic architectural change?
We are going to do something unacceptable by the end of June^H^H^H^H March. See there? We told you that we were going to do it, that makes it right. Be grateful, very grateful and send more money.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Instead of patching the problem, format the hard drive and use someone's OS who actually fixes security problems next time.
Your plurals: "Programmers" and "Exec's". How to use the apostrophe!
RedHat doesn't support RedHat 5.2 anymore...sigh...
...and all was laid to burnination!!!!
Why not just tell them to upgrade to windows XP? Then they have solved the problem, and made microsoft money... I don't get it. Why tell them to use a firewall... how does microsoft make money that way???
---
Programming is like sex... Make one mistake and support it the rest of your life.
So, here it is from both angles, the way I see it.
Microsoft do have a point, NT 4.0 *is* 7 years old now (released 1996) and supporting it is probably a major headache for them, at least until June when it reaches end of life (bear in mind that end of life for most software is 5 years). How long can you keep patching software? I guarantee that if they did take the time to patch it many other things would break resulting in the need for more patching and more headaches.
On the other hand, they are still going to get a nasty backlash from the millions (billions?) of people still using NT 4.0. Yes, you can laugh at businesses who haven't moved to 2000 or XP yet but if you are a multinational company who depends on NT facing the huge costs of moving to 2000 it's a big deal.
Microsoft recommends we firewall port 135 - which every network administrator with a brain should already be doing! Unfortunately, good network administrators are in very short supply.
Way to go MS. Take the port used by the DCE endpoint mapper, use it in your own broken, buggy, and insecure version of DCE RPC (also known as DCOM), then refuse to fix it.
My University uses DCE all over the place, from a financial application to the distributed filesystem. Now people are going to start blocking this port (135) to protect against then start complaining when some of the applications they use and their file system access stops working.
Finkployd
There is a 2000 and XP fix, NT is a very old operating system and there was bound to come a point at which a vulnerability would come up that can't be fixed. Let's face it NT 4.0 has to be around 6 years old, Mac was on OS7 (?) at that point, I don't see Mac even supporting 8 now.
BTW, a fix is available for a charge, it's called: Upgrading to Win2k.
..it isn't Microsoft's fault that people refuse to redesign their company, buy a new licencing scheme, and further Microsoft's evil cause just to ensure the safety of their data.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Kind of like how they threw in the towel at Visual Studio.NET! It's a brand new product and they have only released a minor patch for a very specific problem in it. It still crashes several times a day and we are all going to be forced to upgrade to Visual Studio.NET 2003 instead.
http://www.askthevoid.com
So much for their "you get what you pay for" argument for commercial software...
Liberal (adj.): Free from bigotry; open to progress; tolerant of others.
What seems odd to me is that they can't make a patch for NT4, because the system was changed so much between NT4 and 2000 (for improvements, no less), yet they all happen to have the same vulnerability. Hmm. That sounds like the systems might be sharing something in common...
I know it's possible that the rewrite reimplemented the same bug, but it doesn't seem likely.
...is that professional system administrators and network designers still make the decision to use Microsoft's products. We see it over and over again; huge security flaws in their closed source software while the admins have to wait and wait until someone with cvs access has the time to write a fix and release it.
As long as it would be only their security, I could not care less. However, the recent 1434/udp worm showed us that there are enough clueless admins out there that it is possible for 376 bytes to have networks go down completely because of Microsoft's completely irresponsible behaviour.
What would happen if Boeing would stop patching security issues in their airplanes? It's just too sick for words. Everyone using Microsoft products should be asking themselves one question: what if...
Note: this is not a flamebait, it's just my observation.
I'm not a complete idiot... Some parts are missing.
You make a good point. If it is in fact unreasonable effort for MS to support one of their better products, then maybe, just maybe, they could consider releasing the source code for it, so we could support it for ourselves?? Huh?
Yeah, I know, wishful thinking. Makes no sense if most people would rather just pay for an upgrade.
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
"The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability."
Marketing Engineer:
Uhh, guys, you can't say that - we said this!
Bullshit Engineer?
Microsoft - who would you like to believe today...
The Mothership
But NT 4.0 is technically still supported right?
Depending on who you ask in this thread, until June 1993 or the end of 1994. But there is no argument that it is still supposed to be supported by Billy and his gang.
Now, if the random car company makes a car that sometimes ejects you from the passenger side for no real reason, then they have to call the automobile back and either fix it or provide you with a new car. So shouldn't Bill have to call back all copies of Win NT 4.0 and either fix it or send them a nice shiny new server?
Just curious...
Instead of patching the problem, it's advised to... ...run linux instead. While it may not be more secure inherently, at least you run less risk of being EOLed.
GF.
Lots of petrified grits
If you use windows NT, your choice is now pay for the next version of windows or live with the hole. Some companies still use NT because they have custom mission critical software that will not work on a newer OS, and some companies still find (found?) that NT 4 met their needs and there was no need to undergo the expense and re-training effort to upgrade.
If the average user had half a brain, they'd see why this is proof that using MS software is too dangerous for their company. I refuse to use XP because of the activation, but I have to use win2k to get along with my clients. What happens when MS says it's time to force everyone off win2k?
Jason
ProfQuotes
You got BASH up on windoze? Cool!
They're basically saying that they can't fix it because the OS makes it impossible to do so.
We all know that nothings less changeable than SOFTWARE. That's why we have such stollid windoze 2000, based on NT Technology or New Technology Technology. That strain of sollid stuff is what makes XP rock too. So you see, we can't change the softwer because we already changed it and changing it twice to support our customers would be like a double negative in the bank. Unix killer, ha ha ha.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Funny first the Microsoft Hacker Proof ad gets pulled by the ASA and now they refuse to fix an exploit in an OS that is still in a majority of the organizations out there. When you look around most people are slowly making the move toward 2k AD setup but most organizations still stand by their NT4 domain setups. Most folks can block the port but the solution isn't coming from Microsoft and when you pay the amount that you do for the licensing you expect the company to actually back you (I know, I know it is M$).
This is actually helping me work linux into our organization. An insurance agency even. And I thought that this task was going to be impossible.
-Eod
What about an attack launched from behind the firewall? The way the article reads to me if port 135 is blocked then anything that depends on RPC, like print services for one, will break. So it's not really feasible to block that port off from your local intranet. However if one of your employees decides that they want to make it so that no one can print they could launch an attack using this vulnerability against the print server.
Microsoft said they would be providing security hot fixes through January 1, 2005. They also said that general hotfixes would be available through January 1, 2004. There is an obligation to live up to what you have promised. If you buy a car and there is a 10 year, 100,000 mile warranty on it, the manufacturer can't change things after the fact. This would be like the manufacturer saying that if someone bangs on your hood your car won't start. The design of your car doesn't allow us to fix this, so we recommend that you always park your car in a locked garage.
"You can't fight in here! This is the war room" --Dr. Stra
Step 1. rawrite.exe cdrom.img
Step 2. reboot insert Linux CD-ROM
Step 3. ???
Karma: The shiznight, mostly because I am the Drizzle.
If you have a sun, you will be provided with software with all the fixes free of charge. A friend of mine bought a nice ultraspark on Ebay a while back and he was provided with all that he needed.
If you simply have a 486, all the BSD and Linux distro you want, with all the fixes, are available under the same terms from way back.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Time to roll out the old Microsoft standby: "It's not a bug, it's a limitation".
You should never have port 135 open on a windows system, anyways. Get over it and either upgrade to Win2K server or put together a decent firewall.
i think this is good. people still using nt4 systems will be influenced to upgrade.
say what you want about windows but 2k+ is a lot better than nt4.
anyways, apple is doing the same thing with osx. im all for it
The real issue with Windows is not that they don't patch these bugs - it's that they didn't foresee these bugs. The fact that a poorly implemented, and impossible to understand, DCE-RPC stack is built so heavily into the NT architecture is Windows' inherent security weakness compared with Unix, in my opinion.
Don't think I don't have more bugs waiting in the wings...:>
That's what is great about the United States - if you don't like windows DON'T BUY IT and shut up about it.
if you don't like the war in Iraq, and the way it's covered on Fox, DON'T WATCH IT, and shut up about it.
Seriously though.
If nobody were working to provide alternatives, people wouldn't get away from using it.
And if nobody were speaking up against it, all those violations of the law would just be swept under the carpet quietly. It is still being swept under the carpet, but not as quietly.
Irene KHAAAAAAN!
You'd think Microsoft would stop trying to force people to upgrade to the "Next Great Thing"™, instead, they hold off on a security patch claiming that it's too hard (insert whine here). Just wait, there'll be enough of an uproar that they'll come out with the patch. In the meantime... why not consider upgrading... to Linux?
Visualize Whirled Peas
I'm tired of the MS bashing / karma whoring. Get over it. When was the last time Redhat released a security patch for Redhat 6? Is Redhat expected to patch a security flaw in 6 today, or is it allowed to say "work around it or upgrade to 8 (9, now, I guess)"?
This is an early branch in the software. If you want a flaw fixed, get a later version.
"Times have not become more violent. They have just become more televised."
-Marilyn Manson
Dave Aitel
I'm the head of IT at a somewhat late-adopting company. We are preparing a company wide migration from NT 3.51 to NT4. We have a lot of client machines on Win95 that we hope to have to 98 by Fall and Me by this time next year. I thought that by moving to NT4 and Me that we'd be caught up on all this security hullaballoo. What am I going to tell the CIO?
How are you going to keep them down on the farm once they've seen Karl Hungus?
In all fairness, NT is beyond its life expectancy, it's time to retire it.
While I agree it's expensive to retire a product that 'still works' and move on, you really can't expect any company to support products this old.. Regardless of who they are, not in this day and age....
---- Booth was a patriot ----
Microsoft strikes another blow for the benefits of closed systems!
(sarcasm)
Isn't it a better idea to firewall ALL ports on ALL machines where a compromise could cause problems (and open up those you need to, when you need to)? This seems to be common sense to me.
This is not the greatest sig in the world, this is just a tribute.
for an upgrade then eh?...
HeY WaIT A MInUtE!!! MAyBE ThAT'S WHaT THeY WAnT!?
I thought they got their hands on Virtual PC and the Virtual Server technology so they could get stalwart non-upgraders running uber-tweaked* NT 4 boxes to upgrade to new hardware running Server 2003, and then run multiple NT 4 virtual servers within it. If NT 4 is unfixably fux0red, doesn't that torpedo the "keep running your old shit virtually on our new shit" strategy?
* uber-tweaked: in this case I'm referring to those servers that come preconfigured by software vendors to run one, and only one, application under NT 4, and if you install anything else on that box they refuse to provide support, period. I have a few clients using those.
Actually, that's only true if you're running the Win2K PDC in Native-Only mode which is NOT the default. The default is to run in Compatibility Mode which works great with WinNT 3.5/4 and Win9x clients.
As for software that will only run with 9x and NT, could you perhaps tell us which software that is? The only reason I ask is because I have a lot of stuff that was built for Win 3.11 and DOS (My father's business accounting software, old HP Scanner software, etc.) that runs great on Win2K.
Windows: Telling Linux to try to keep up since 1991.
Is available for free download here for anyone who wants it.
You can't judge a book by the way it wears its hair.
Consider this like Red Hat refusing to patch up Red Hat 3.0 with the latest security fixes.
Two differences here. First of all, while Red Hat Linux 8 can be slimmed down to run on the machines that Red Hat Linux 3 ran on, Microsoft Windows Server 2003 apparently cannot be slimmed down to run on the machines that Microsoft Windows NT Server 4.0 ran on. Please correct me if I'm wrong.
Second, as dhovis mentioned, Red Hat Linux is free software. Unlike the license on Microsoft Windows operating systems, the license on Red Hat Linux lets anybody provide security patches; if there's still enough demand, some third party will offer maintenance contracts and backport the security patches.
Will I retire or break 10K?
I'm glad it's getting a high profile because people should always realise the consequences of their decisions.
There goes Unix, being more efficient than Windows again!
And MS wonders why people get upset with them!
Anyone with a nice working NT 4 based shop has no choice but to believe MS' explanation, since no one else has access to the source code to verify the story.
It's possible they're being truthful in their explanation, but since there's no conflict-of-interest-free source of independent verification, the paranoid among us will suspect it's all just a plot to get us spending time and money on an otherwise needless upgrade path to XP.
"Provided by the management for your protection."
"The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability," Microsoft says.
So, Microsoft admits finally, that Windows NT (a "SECURE" OS) is fatally flawed from the ground up and there is no way to fix this basic vulnerability.
Ever need an online dictionary?
Of course, Red Hat is also phasing out earlier versions of Red Hat Linux, but due to its open source nature you could get security updates from another source (apt-rpm repositories for instance) or make your own patches. Windows users are forced to rely on Microsoft for timely security updates, which they frequently fail to provide even in recent versions of Windows.
Seriously, how many people are running RH 5.0 or HP-UX 9.x??? Those aren't supported anymore, but they were around (and supported) when NT4 came out
I, like most people on this site, have an intense dislike for Microsoft
See, every cloud can have a silver lining!
HallmarkOrnaments.Com
"The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability."
If proper design practice was followed, this should not happen. The issue is, under proper design practice, all expected features must be designed in from the get-go. If a new feature is thought of later, it usually gets "tacked on" to the existing infrastructure. This is what happens when one constantly adds functionality to the same product, as MS does. You get the benefit of being able to put a feature in with little development time, but every time this happens, you lose some extensibility.
This is essentially the problem with the constantly-evolving upgrade business model Microsoft has used from the get-go. If it's different enough to be a new OS, PLEASE, make it a new OS!
-Amalcon
"it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability"
M$ has billions of dollars and rebuilding software is infeasible? Why didn't they just say it would be a pain in the ass?
Unsupported OSes;
1. Solaris pre 2.6
2. Linux 2.0 kernels
3. Red Hat pre 7
4. OpenBSD 3.0
All of these are a hell of a lot newer than Windows NT 4! Microsoft isn't obligated to support old software forever. Anyone complaining -- tell your execs to start making a real commitment to IT.
Sounds like they're saying NT4 is "Broken by design".
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Get a life and give it a rest. Who envisioned this kind of problem 8 years ago when NT first came out? That's a lifetime in the eAge.
It appears that Microsoft is going the way of so many other vendors in saying that they will no longer support "legacy" software and equipment. I agree that NT4 is at the end of its life cycle but Microsoft isn't. Microsoft should support its products as long as support is requested regardless of how old they are. This is only fuel for the fire. Now the IT directors of the world will think, "Hmm... save the money and not upgrade or save the headache and upgrade." Either way there will be headaches but there is only one way Microsoft gets more money.
I think 'Refuses' is a little different than 'architectural limitation'. They aren't refusing to fix it - they claim that they cannot. The title of this item is a little misleading.
The1Genius - Littera Scripta Manet
How stupid are people? If you'd bothered to pay attention the past couple years, your firewall would already be blocking this. Your firewall should already be blocking port 135 -- and every other port that you don't explicitly need. Your outbound connections should be limited to basically HTTP, HTTPS, SMTP, FTP, SSH, POP/IMAP, and perhaps a few others.
Software sucks. Open Source sucks less.
I find Microsoft's explanation for not fixing this RPC problem unconvincing. I suspect that if they wanted to they could add a check for malformed packets in whatever bit of code listens on port 135. It might not be pretty or high performance but I think it would work. Any experts on windows architecture reading?
NT4 is my favorite version of windows. I keep a sacrificial install around to test new software. By being careful about what gets installed I've had uptimes of 100+ days from NT machines and reboots are usually hardware related. It is possible to run NT4 without IE4/5/6 so you don't have IE integrated into all the system DLLs bogging it down.
NT4 workstation is available cheaply. At large computer shows there is usually a trader with a few cd+license packs for about E25 each.
I hope to use NT4 for another five years or so, until I can't buy hardware with NT support.
Hang on a sec, we could really do with more work for geeks at the moment. If a load of corporations are pushed into upgrading their fleets of NT4 machines, with all the attendant problems that go with buggering about with computers, that means more work for geeks. Yah microsoft! Where's that alpha copy of windows longhorn...
MS should just offer all remaining NT 4.0 users a free upgrade to their choice of 2000 or XP server. They would engender much good will and finally be done with the platform they don't want to support.
Of course, this might be sending the wrong message to customers for the next upgrade cycle (just wait until we're tired of supporting it, and you get the upgrade for free), but it seems like the current message is "if you don't like us leaving you stranded, don't use Windows anymore".
So what does this mean for those who use Windows NT4 on their firewall/router box?
"The most successful operating system is not one who can eliminate its competitors, but live with them."
Better than the one they use now on NPR. If I remember it is something to the effect of "Your ideas our passion". Makes them sound like IP thieves.
Nice... Another MS basher. I am really sure that was what they *really* meant to say. When you don't know much about business it is easier to just slag it huh?
NT 4.0 is over 7 years old...
NT is still supposed to be supported through June. Arguments that "hey, it's old" are bullshit. My family's business uses NT 4.0 as their primary file and fax server. The machine, while whizzy at the time that NT 4.0 came out, cannot possibly support Win2K. We expect to switch to Linux for our file server by the end of the SLA, and have figured for years that Microsoft would, as per their support agreement, patch security holes until that end of life date. Turns out that they were lying.
"MS basher"? Only because they're a horrible company. What's your excuse for being an apologist?
-Waldo Jaqutih
Then you're a clueless fucking moron.
It seems to me Microsoft has a couple of options here:
1. Open source NT4
2. Free upgrades to Win2k Advanced Server
3. Fix the problem
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Ummm what school do you goto? and whats the IP?
I wonder how Saddam didn't think of it. "Architectural limitations do not support destroying my illegal al-Samud missiles".
-- Repeat with me: "There is no right to profits".
Ah, I get it now: Trustworthy Computer = firewall the port.
"It's not our software's fault, you've been using it wrong in unsafe manners."
The age of NT 4.0 is not relevant. What is relevant is that Microsoft said that they would provide security fixes until a certain date and they aren't. As an IT manager, this tells me that this company is not reliable. If you promise me service, I expect to get that service.
Note that it is not possible to verify Microsoft's claims as to why they can't fix it, nor is it possible to get anyone else to fix it since the code is not available. This situation is a perfect example of why a business is better off with open source.
i believe ibm still has support contracts out (2004 i believe) for os/2 warp. i had a friend who worked at tivoli and he mentioned it to me. here is ibm's strategy for 2003. i believe os/2 warp 4 has been out since 1996.
-- john
By not fixing it, they're trying to force people to upgrade to Win2k. "If they won't upgrade, let's force them to!"
Nah, I'm just being cynical, but I'm confused about something. I thought Win2k was based on WinNT? So how much of the NT internals were re-designed for Win2k? What I'm saying is, if it's not possible to fix it in NT, why is it possible to fix in Win2k if Win2k is the son of NT?
DCE on z/OS didn't seem to fail :)
Finkployd
Microsoft is obviously under breach of contract here since it is supposed to fix all security holes till the end of the year for workstation and a year more for server, but let's consider when NT 4.0 came out, I believe it was the fall of 1996. Around the same time redhat released version 4.0 (colgate). Is redhat still supporting 4.0 or even 6.2? If I decided to buy a Linux distro in 1996 or even 1997 was there anyone who agreed to provide security updates and paid support for eight years?
a man has a terminal disease and doctors have said, he would die in 6 months. 2 months later, he breaks his leg. should insurance company pay for his treatment?
That's what it comes down to, really. That is why this whole website is here. A group of folks decided that open and free is better than closed and wildly profitable. Then they set out to prove it. Along the way, community sites like slashdot sprang up. Some communities focus on improving the product and helping the users. This particular one focuses on bashing the competition.
This is a limitation of Microsoft's business model: stay in business and stay profitable. Linux doesn't have these requirements, so it wins by your standards. Unless you actually use or develop linux or linux apps then you are a buffoon for speaking out like you do. And the majority of readers of this site are just this; impotent whiners who don't actually support "the cause". I don't think Microsoft is wrong for doing this; I DO think this validates our way of doing things at the OS level.
I write this knowing it will be ignored because I am posting as an AC, but I must say SOMETHING. All this miserable site does is foster zealots.
That being said, see you tomorrow!
Why don't y'all make your own patch :D
Exactly right my man, it deserves whatever support MS says it should get, which at this point is none.
And it's too much fun to make all the Linux zealots upset when I say something pro-MS, so *NO* I won't stop
All you have to do is upgrade to XP. It's as simple as that.
Anita Coney
"Now that's sarcasm." Homer Jay Simpson
If someone says he and his monkey have nothing to hide, they almost certainly do.
Wow!
DoD systems are not allowed to run Windows 2000 on the servers. (Well you can, but you can't use AD, just as a stand-alone)
I think that MS just wants one of its biggest customers to upgrade!
hmm... for fun I enjoy launching DDoS attacks against 127.87.42.5
Not that I think Microsoft should go back and patch an OS that is at EOL (end of life), but saying that NT 4.0 doesn't architecturally support the upgrade makes almost no sense. After all, that NT 4.0 code base is what 2000 and XP are built on still.
Hey, what happened to the nifty little Bill Gates borg picture?
---- "Excuse me. Where's the children's gun section?"
sorry but due to the design limitations of our cars we DO NOT support the brake system required to stop the car! please improve ur driving skills
only people using NT are businesses that are reluctant or unable to upgrade.
Je, I remember too when I was a student and thought that to upgrade software all you needed was to buy the thing and then run a wizard.
Unfortunately, this is not the case for most systems. Upgrading takes much time and puts strain on IT staff to get the monster running on schedule. Last time I upgraded the CEO of the company walked in on me during a sunday to see if the systems would be ready to run on Monday. Must I say more?
My other OS is the MCP!
The whole Windows Family is a half ass work around. Architectural changes are VERY few and far between with Microsoft Products. They are just pretty and easy to use, but are old tired and all patched up since MS ripped off OS/2
I read it as this from Microsoft.
Yes we have a security fix! It's called Windows2k3 or w2k. If you want to be secure give us money and upgrade.
They want corporate customers to upgrade to satisfy their shareholders. Also I am very skeptical of their 40 billion dollars in the bank claim and think Microsoft may be having financial difficulties. Why?
Notice they never list how much profits are made from sales during quarterly briefs? Only units sold. I smell some RIAA and Enron style math.
http://saveie6.com/
Microsoft cannot be trusted. They steal technologies and innovation from other organizations like Xerox, Sun, and the W3C, and use their financial power and lawyers to stomp out competitors. Sometimes, they make modifications to the innovations others have come up with, and modify them so they will not interoperate with the originals. Furthermore, Microsoft has been known to be untrustworthy by employing technologies that are anti-competitive. They also use patent warfare as a way to make themselves money and suppress the technological community. Linux is free to use, modify, and distribute, so long as you give authors credit. That is not much to ask. Moreover, there are thousands of great programs and utilities for use with Linux. These are free as well.
If you use Windows, you are doing yourself and the world a major disservice. If your reason for using Windows is because of the application support, you should change your applications or write to vendors encouraging them to port their software. There is no excuse.
If you use Windows because it is user friendly, that may be true in the short term. It is not true in the long term because your DLLs will overwrite one another when you install a new program causing binary incompatibility. Also, programs are free to modify the registry resulting in slower load times and system corruption.
I urge everyone to stop using this Operating system in favor of a *nix OS. Please stop supporting Microsoft and start supporting more viable OSes. Reasons you can't refute have been stated above, and the software is readily available. Now go to www.linuxiso.org and get started.
Apple is no longer going to support MacOS 7.
All Linux kernel development on the 1.0.x kernels are coming to an end.
Commodore doesn't support the C=64 any more.
Atari has dropped support for the 2600.
And finally, the Altair isn't going to have any more significant software development from its main software vendor.
i have no idea
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
Zone Alarm says they block all by default, unless an application calls for them. But if you are still in Win98 or Win98SE, that means you still have 137-139 open, because Win98 leaves them open by default. You have to rename vnbt.386 to vnbt.old to shut NetBIOS down and close those ports. ZoneAlarm (the free vs.) doesn't warn you about this, obviously, because it "thinks" you want NetBIOS up and listening, even if you aren't using it at all.
Just download a trial vs. of Visualware's Visual Lookout and it will show you what is open. That's what I did, and that's how I learned about this.
I don't know about NT, ME, etc. Paid ZoneAlarms are a different story, but this is just a heads up to free users as to my experience.
But one thing is sure: relying on a firewall instead of fixing a problem isn't the best decision.
You may have a point:
click me
Man, you are some sort of evil genius. Please always use it only for good, not republicans or microsoft.
As yet, no-one's posted a variation on Microsoft's favourite slogan to suit this story.
I'm shocked.
Environmentalism is the new Victorianism. Everyone ties on a green corset and pretends we're virtuous.
If you want to quickly turn an old box into a dedicated and very secure firewall, then Smoothwall and a fork of it, IPCop are fine GPL examples. Smoothwall also sells a non-GPL version of their firewall with extra custom functions, but the basic Smoothwall is still GPL.
Both of the above support a load of network cards, and even USB-based ADSL (like the Speedtouch) right out of the box and are an absolute cinch to get running, even if you only have limited networking knowledge. They also provide a simple but powerful browser interface for administration (port forwarding, dyndns registration, squid caching web proxy, etc.).
If you want to add a firewall to an existing Linux box, then a good recommendation is ShoreWall which I've just recently set up on a Mandrake box and been very pleased with. It uses the kernel's Netfilter (iptables) support to do its thing, and is the best option if you want a multi-function firewall/router, etc., since both smoothwall/ipcop are designed to be more restrictive 'all in one' firewall distros where it can get tricky to do things like recompile the kernel without it breaking. Smoothwall and IPCop do provide regular security patches which are very easy to install via the browser admin interface (which even warns you when new ones have become available).
Smoothwall are usually a little quicker than IPCop at getting new patches out. Shorewall is a standalone firewall so it's up to you to keep the other apps updated.
rm -rf / is the evil of all root
I noticed on another site today (I forgot which one) how MS is selling OS products for installation in cars.
How long will they support those operating systems? Will I be forced to upgrade buy a new Honda after only seven years because MS refuses to support my old one?
I've heard that car manufacturers must support their products with spare parts, etc. for seven years after selling it.
BMW 7 series owners are already sorta bumping up against this issue. They have a MS OS in the newest vehicles and it seems things are very whacky on those cars and the dealer cannot do squat about it.
I think all of this brings up some very serious issues...
Caution: Contents under pressure
we pay for products, or include a buyer agreement. ...
:)
" you are allowed to use this money whilst the product is actively supported"
Frankly as i think copyright should be set to expire after a product is no longer supported, and after a period the source released.
copyright to only be granted iff source is lodged with some repository
my money keeps on working but products keep on dying.
Let me get this straight, you have port 135 open to the world and want a software fix? hmmm....
Port 135 is like a directory that the locator (MS service) uses to find out what services are available and what ports they use. The biggest problem is that DCOM uses this port and a hacker can take advantage of it...if it's left exposed to the outside world. A real firewall is the only solution, since shutting down this port is usually not an option. (MS Exchange, etc. use this port) Only port 80 and ssl should be available from servers on the other side of DMZ. A firewall won't stop someone from accessing the system if someone plugs in a Linksys wireless router w/o security that leaks outside AND is plugged into the corporate network.
The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture. Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected. The product of such a rearchitecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system.
Sure it's idiotic that their system couldn't handle a patch. But if that's how it is, then it's a good thing they made their more recent versions dynamic enough to be fixable!
Any sufficiently simple magic can be passed off as mere advanced technology.
Really.
Or more ominously, what if the bug is just as unfixable in 2000/XP/2003? And they just don't want to admit it?
I suspect there will be more trouble in the future. This isn't the last you've heard of this problem.
Knowledge is power. Knowledge shared is power multiplied.
*nix RPC runs on port 111. If I don't intend to have outside computers log in and run apps on my linux machine remotely, I shut down RPC, and uninstall it too, as well as blocking *ALL* privileged ports (0..1023) with iptables. It's bad enough that Windows comes with unnecessary stuff enabled. But when *YOU CAN'T TURN IT OFF*, something is drastically wrong.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Suppose just one of those companies can't account for each and every one of their Windows or Office licences? Can you say MASSACRE? The cost of the audit (mandated by Discovery laws) would be enough for most to take a pass. The cost of fees, penalties, royalties, etc, for so much as a single violation, would wipe out any gains to be made in litigation.
In case you haven't noticed, GOVERNMENTS have not been able to hurt Microsoft. Suing Microsoft almost killed Apple, WILL eventually kill Sun Microsystems, and pretty much anyone else who tries. Oracle? Bring it on. That is some nice Bayside property they've got there. Might be nice to see some flying Windows flags north of Mountain View.
Jeez, an explicit block on port 135 was the first rule that goes into any firewall I touch. I always ALWAYS put in explicit blocks for in / out on port 135, 137-139 even when they are redundant. Oh right...the noninitiated home users are screwed because they don't even have zonealarm. Well...yeah. They don't install service patches either so what's one more security flaw matter?
"You been playin da foosball??"
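As an added example (not part of any comment in this thread): a small Python audit that reads Windows `netstat -an` output and lists sockets on the ports commenters here say to firewall (135, 137-139, 445) that are bound to a non-loopback address. The sample output and all function names are constructed for illustration.

```python
import re

# Ports named in this thread as ones to block at the perimeter.
WATCHED_PORTS = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP",
}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      10.0.0.5:135           ESTABLISHED
  TCP    192.168.1.10:80        0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# Proto, local address, local port, foreign address, optional state (TCP only).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def is_loopback(addr):
    """True for addresses that are only reachable from the host itself."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def parse_sockets(text):
    """Yield (proto, local_addr, local_port, state) for each socket row."""
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header, blank line or anything unrecognised
        proto, addr, port, _foreign, state = m.groups()
        yield proto, addr, int(port), state or ""


def exposed_listeners(text):
    """Return watched-port sockets bound to a non-loopback address."""
    findings = []
    for proto, addr, port, state in parse_sockets(text):
        if port not in WATCHED_PORTS:
            continue
        # TCP rows count only when LISTENING; UDP rows carry no state column.
        if proto == "TCP" and state != "LISTENING":
            continue
        if is_loopback(addr):
            continue
        findings.append((proto, addr, port, WATCHED_PORTS[port]))
    return findings


if __name__ == "__main__":
    for proto, addr, port, service in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port} bound off-loopback ({service})")
```

The result shows only what the host binds; whether those sockets are reachable from outside still depends on the firewall in front of it.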
Actually NT was named for a different reason - MS was targeting NT to the Intel i860 (code-named 'N-Ten'), a RISC processor that was oft delayed. That's why it was called NT, because it worked on the 'N-Ten'. Marketing later said it stood for "New Technology" . . .(post dev). You can read about it here:
http://www.winsupersite.com/reviews/winserver2k3_gold1.asp
.though I do not know the way.
(Enter Frodo) I will deliver the patch for this exploit to Redmond . .
This is just part of their plan to force people make costly upgrades.
social sciences can never use experience to verify their statemen
Linus announced last week that there would be no 1.x kernel patch to correct ptrace vulnerability.
0 1 - just my two bits
Number one you say firewall off the port ok then the fix is really simple build a firewall. Why you just taking the lazy way out. Number 2 There is no way that it can be unfixable. Software is software if you can't fixup upgrade every one for free. They bought it in good faith and you have just gone back on your word.
Basically old versions of linux kernel 2.0 are still getting updates. That is 3 major versions old same as NT.
First rule of software is really simple it is just code. It can be changed. This is security flaw. If other software needs patches so that when the flaw removed they don't die so be it.
Maybe they need a boot floppy to install the updates. Hmm linux will do it for NT. So I don't see the problem just except that they are lazy and are not prepared to accept the fault of tampering with unix standards. There are normally very good reasons why unix does standard parts particular ways.(break unix was the idea but it seems that it just breaks microsoft) The other thing if They are no longer prepared to fix fault they should hand the code over to open source developers then at least users who are stuck are not stuffed. Firewalls on windows have a bad habit of loading after the network is active so a Firewall may not fix the problem ie machine rebooting person gets in.
(Another) security bug is discovered on Microsoft software, which affects Windows NT 4. It also affects Windows 2000 and Windows XP, which clearly means that the later two are direct derivatives of NT 4 (which we all already know).
So now Microsoft is refusing to issue a fix for NT 4, arguing that there is no way they could make it so that no other existing apps stop working. But a fix for 2k and XP has already been done. That's because of the great differences between NT 4 and 2k/xp, nonetheless they are based on the same product.
So how come that, being 2k and xp SO different from NT, that they can still run the same apps without needing any modification? How come there is no way to patch a NT4 system so that it can still run the same apps but they can surely do it over 2k and XP, and the same applications will still run without a problem over the same system.
This is clearly a move from Microsoft to force their customers to either upgrade their NT 4 installations, or else they are left to their own luck. Many people WON'T upgrade their NT 4 because that just works for them, because their hardware is not powerful enough for a 2k/xp system, or because any other reason they can think of.
Windows NT 4 has been in the market for about seven or eight years now (if my memory isn't failing it was released almost alongside with Win95). This recently discovered vulnerability has always been there since then. What would have happened if someone discovered before w2k was released? Would still Microsoft be unable to release a patch for it because it would break the whole system down?
I've seen many posts saying that no one should have port 135 open to the world. That port shouldn't be listening for request from the whole world, in the first place. There is no way you can know which ports that (for some obscure reason, valid for Microsoft of course) are listening represents a threat to the security of the system. Sure, the same could be said (no) about Linux and other systems, but there's always a way to shut them off and not let the system in a non working state.
And that's all I have to say about it.
Items for geeks: T-shirts, Linux, books and more
With Linux, we have practically unlimited resources. As soon as we jump a kernel version, the last version can be handed off to a new volunteer who will maintain it indefinitely. For Microsoft, they have limited engineering resources and, as large as they are, can't afford to expand indefinitely to maintain older versions of their OS. Particularly as they feel more and more the pressure from the Free Software movement bearing down on them, they're going to have to devote more and more of their resources to newer versions of their OS and other products, and as FS developers get ever more organized, we're going to get ever harder to compete with. Microsoft is doing the best thing for themselves and for the rest of us, because, frankly, we need the competition to keep us motivated.
I've seen a lantastic 7/ibm netbios dos based casino application (drained the data from the slots to several dos clients) up and running for months at a time. I'm talking token ring, yuch.
I'm not so sure they can fix it.
In the beginning, NT was written on something else (for obvious reasons). Since the first version, Microsoft has probably been rebuilding their toolchains to be hosted on previous NT versions, if not completely self-hosted. This process would have been repeated at least twice since NT 4.0. The current tools might not be able to build low-level NT 4.0 code.
The Hallowe'en documents suggest that building low-level pieces of NT is not a trivial or common endeavor, and supposedly not something that the compiler toolchain usable by typical MS customers is capable of doing. It's very possible that there are only a handful of machines in Microsoft which are set up for building NT 4, and those are probably getting old, crotchety, and fragile, if they haven't broken already...
Try building a working 1.0 or 1.2 Linux kernel on modern binutils and gcc 3.2, or build 2.4.20 on gcc 2.6.3. If you somehow manage to get it to compile and link without patches, it probably still won't work properly without deep understanding of the toolchain and its bugs.
Now consider the same problem, but you only get to use the tools that came with Minix (or worse, SCO). That's probably Microsoft's current situation.
I've seen shops where coders get new computers on their desks after a product release--the old computer, with all the software, source code, development tools, etc, gets locked in a vault. If the company needs to do support work on the product years down the road, they pull the computer out of the vault, do the work, then put it back again. No worries about software rot (although hardware rot is a very real problem), although admittedly it's hard to find someone in 2003 who is fluent in Windows 3.0...
-- I avoid spam by accepting only OpenPGP encrypted or signed email at this address. Clear-signed, RFC2015, heck, even
don't forget 445....
--
Time is on my side
We all feel sooo sorry for you. Primarily because you're not all that bright.
MS isn't going to fix ONE security problem that won't even affect your File or Fax servers unless you have them on the Internet like an a$$ (you probably do don't you?) and you're going to switch to Linux.
We expect to switch to Linux for our file server by the end of the SLA...I would wait until you get a bigger brain to attempt that. If you haven't gotten NT to work as a simple File and Fax server by now, then you won't be able to do anything with Linux. It requires reading. Furthermore, if it does work why are you switching at all??
I will say though, wonderful troll! I applaud your efforts! Your post was on topic and sprinkled with just enough "fact" for people to really believe you and you only used the word Linux one time.
I say again, excellent job!
with SuSEfirewall2 config scripts absolutely rocks. Very easy to set up and so flexible as a front-end to iptables. I knew absolutely nothing about how to set up Linux iptables, and after just only one weekend of installing SuSE 8.1 and reading the SuSEfirewall2 FAQ pdf file written by a fellow named Togan Muftuoglu, I had my firewall server set up perfectly, doing NAT and reverse masquerading for multiple internal pcAnywhere boxes, a postfix mailserver, and apache webserver and keeping the outside from ever even seeing my Samba and Webmin stuff running on the inside nic of the same box. This is professional grade stuff all for free from an FTP download install of SuSE 8.1
Good riddance you piece of shit with your stompable system32 DLLs and your weak device driver signing requirements. Windows 2000 + is so much better than this relic. I know, I know, gimme a break
Sadly, the glacial pace of the financial service industry's adoption of new technology has left many with this outdated OS. Poor programming techniques (mfc42.dll stomp DLL hell make me wanna pull out my short hairs) combined with upper-management risk aversion has led to upgrade paralysis at some companies.
I'm not advocating that everyone immediately accepts everything coming out of Microsoft's pipeline (if they make a bank-based "agile business" ad i'm gonna puke).
All I'm saying is NT has been hacked to shit. Let it go. Anything that doesn't comply w/ 2000+ should be rewritten/reinstalled/replaced.
DO YOU HEAR ME?!?! YOU GRAY-HAIRED STUFFED SHIRTS IN YOUR CORNER OFFICES! GET A CLUE!
Sorry for the rant. I know many of you are thinking...."Go Linux" or "Thin client". Good fucking luck with PHB that can't even navigate his own "Start" menu, never mind comprehend the benefits of modern offerings.
A Perfect example for corporations. And, they call the GPL a virus. M$ is the carrier of the freakin' black death, and its proprietary software should be avoided like the plague it is.
Makes them sound like IP thieves.
We are talking about MS, right? Sounds bang-on.
Ummm what school do you goto?
10 PRINT "Chestertonfieldville High"
20 GOTO 10
In English, 'go' and 'to' are two words. Just like 'a' and 'lot'.
netbsd uses ipf, freebsd uses ipfw/ipfw2/ipf, and openbsd uses pf (although darren has patches for ipf to work)
pedantic jackass
No way to tell if it's really "impossible" to do it, or just "nobody in MS team can see a way to do it" (I'm not going to suggest that MS isn't interested in keeping NT4 useable in order to drive people to upgrade and pay more $$; however I do find it interesting that they've refused to roll up all their post SP6a + SRP patches into one easy-to-apply package). MS does not have a monopoly on smart people. It does have a monopoly on the source code... Anyone wonder if the source was available someone would have piped up and said "no, you CAN fix it by ..." ?
Anyone still using NT 4.0 shouldn't be using a computer.
... and that's fine. If NT4 is filling the role you want and you have no need to expand any time soon, then great. Leave it at NT4.
:)
Only problem with that is detailed by this story: when a vuln is discovered and does affect your server in the future... you're screwed.
Good It was IBM's fault anyway. :)
NT4 came out in September 1996, just three months after Linux 2.0. The last 2.0 version is 2.0.39, which was released January 2001, over two years ago. Both groups have moved on, and aren't willing to spend much effort on the old versions.
If I install a machine with 2.0.39, is there any known big vulnerability? If one was discovered would there *then* be a 2.0.40? With free software there's not much interest in backporting features, since upgrading to the latest version is free, should you need those features.
Anything that has outlived its time as the mainstream stable branch wouldn't normally be updated except for security fixes, so I expect both 2.0 and 2.2 to have very slow release cycles now. Unlike Windows, where you expect some feature creep (for example DirectX upgrades) without having to pay for an OS upgrade.
Anyway, this isn't really about that either, but it's about the EOL date Microsoft has set. What do you think would happen if RedHat said "Uh RedHat 8 is fundamentally flawed, so we won't fix this bug even though it's still under support. Block this service, or upgrade to RedHat 9, oh and you'll need a new support contract for that version." Would you find that acceptable?
Kjella
Live today, because you never know what tomorrow brings
That's not a sentence. You forgot both the subject and the verb. You also forgot to capitalize the first letter and put a period at the end. You should be ashamed of yourself.
...it is also advised you switch to linux.
Just as an interesting aside:
What other products that implement DCE RPC are broken? (It isn't a MS only protocol)
A second point if I may:
There are other RPC like protocols besides DCE RPC.
SUN RPC (used by NFS, i.e. Linux)
JAVA RMI / CORBA (more correctly IIOP / GIOP)
to name a few
Are they all secure? Nobody knows. Code review cannot catch all bugs.
Borg Unit 8156783168
A friend bought the pro version of zonealarm for an NT server ... it kept crashing.. so he went back to the free version - cool...not.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
Okay, so it does suck a little that Microsoft is not supporting their software before they officially said they would stop supporting it.
However...
NT? That's like the 95 of the NT Kernel. Please move on...there is nothing else there. Microsoft seems to realize this. They're just trying to kill it off. (Much like they are working to kill off 95/98/ME by writing applications that DO NOT WORK for those systems. Ex. Office 11)
This may not be popular but I was never a fan of win95/98/me, too many problems. NT 4 was the biggest step windows ever made. I worked with it a bit today and after about sp3 there was really nothing wrong with it. I have many customers who have been using it for years and lots that really would have no benefit to upgrading. It really was the last really good change microsoft made and was a quantum leap over win9x.
Nobody ever had to change the architecture to fix bugs. M$ is indirectly trying to force people to dump old OSes and upgrade to the new. They're just lying.. and you're stupid if you can't see that.
Microsoft isn't saying (well maybe they're thinking it) "We won't fix this vulnerability because NT4 support is running out soon", they are saying "We CAN'T fix this vulnerability", so what's next?
An unfixable bug in Windows 2000/XP/.NET? How can any bug be unfixable?
Does anyone remember the first Ping of Death "fixes" by Microsoft? They sure didn't fix the problem, they just fixed the symptom, but that didn't stop them from releasing a goddamn fix.
...you're a clueless fucking moron.
Quite frankly, Windows NT 4 is why spaghetti coding is BAD. Earlier operating systems created by Microsoft show lack of focused planning and eagerness to create something new. I supposed the debugging/patching team finally had the last straw and had subsequent OSes built with more stable kernels. Developers: Always comment your code and begin coding with a well-thought out plan. Even with RAD, know what you're doing before you start!
I remember the days of the antitrust suit against Microsoft... it was because everything was too integrated. Microsoft swore up and down that their severe integration was good. You decide that for yourself - especially in light of the current situation.
Although you may think I am simply another Linux proponent, I do not believe that a flaw would be simply unfixable with Linux. Distributions are highly modular, and although spaghetti code is inevitable, it is minimal in the Linux kernel and important services - namely because hundreds, perhaps thousands of developers contribute and sloppy base code is not an option. In no way am I saying Linux is for grandmas, however I would never entrust my business/server to Windows. It simply seems imprudent.
*flamebait warning*
"Windows XP Professional is built upon the rock-solid reliability of Windows NT technology"
New Technology technology. Hard to trust an OS when even the marketing has bloat in it.
In this case, even when NT4 seems to be terminally broken, there's no reason whatsoever to believe that 2k/xp aren't even after MS has provided its stinky useless patches for those.
What's the point of MS's pro-secure(haha) stance if it's unwilling to patch even one of its products so long as it takes to make it bulletproof? NT4 is old but proven and been around so long that seems foolish to throw it away and bring in new OSes with new flaws. Doesn't help much if 2k/xp are "based on NT technology" because at the same time they get bloated with all kinds of new stuff.
One thing MS can't do is keeping its OSes simple. Unfortunately simplicity is one of the requirements of secure software.
Preserve old classics: copy your collection onto all hard drives.
It's not a matter of if you must upgrade, but when. However, realize that buying new products from the same company will not necessarily protect from this happening again. It would be a bad idea not to use the situation to explore options. Many are making the move.
There may be some ideological reasons to try Microsoft's server experiments, but no technical ones. Even the ideological ones don't float: no matter how much you admire Bill G's enormous personal wealth, giving him more of your company's money is not going to make you rich(er).
So many corners have been cut on service and products that it looks like Microsoft may not live out the summer. WinNT and other legacy software can keep running with the help of work-arounds as long as no one was dumb enough to sign a subscription.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
It's pretty amazing, but the hotel company that I work at, 95% of the users still use Windows 95, an 8 year old operating system! It really becomes a problem when software developers write applets that require Java 1.4 and 1.4 doesn't support Win95. Yeah, the applets don't even run under Win95. Surprisingly enough, they have decent hardware here (Pentium 4s) but their operating system is about the oldest thing here.
If NT 4.0 is fundamentally flawed, and Microsoft do not believe there is any merit in supporting it, then why not replace the source ?
:-P
:-P
After all, if there is no reasonable commercial gain to be had what do they have to lose ?
It's not like anyone else has the necessary expertise to fix it, is it?
Although it would be bad news for the Linux crowd - all those people jumping off Linux and spending their time and effort hacking around in NT would be really bad for them
Change your first period to a comma and your third to a semicolon if you wish to be pedantic about the grammar of others ;)
The famous Opera/MS/CSS bug is still widespread.
Try setting Opera to report as "Opera" and clicking on the "the latest security flaw" link on the front page.
Haven't got time to fix _that_, eh?
Peder
Of course, since Win NT was written/managed by a former DEC operating systems designer, it has been rumored that you just start with VMS (DEC's Virtual Memory System) and take the next letter, to get WNT!
Just remembered the name - Dave Cutler was the operating system designer. Had his name all over RSX-11M sources (hey - was that the first open source operating system? You had to recompile it whenever you added drivers or patched it)
Best examples are bars - if you had come when it was open you may well end up being there even hours after official closing hour if you are "making business" with bar. :)
So, such cases IMO pretty clearly illustrate how each business values their customer.
hany
You got in Informative?
I did some development of NT services, spooler modules and such, and I can tell you that this is not true. 1st it is difficult to kill process owned by SYSTEM account. If it is a service, you can stop it - if it is not hung. If it is a system process and it is hung/consuming much resources or is not a service, or is owned by not your account, it gets pretty resistant to such attempts. Sometimes you can attach by debugger and kill it - but not always. What works for me is Process explorer.
The exploit consists of a problem with malformed packets arriving on port 135 and it is blatantly obvious that this can be fixed by inserting a simple filter that throws away malformed packets.
It is perfectly clear that M$ wants ppl to upgrade and this is the real reason for not fixing the problem.
You would think that someone who had been lying for so many years were at least able to do it in a semi-convincing manner...
I'll set up a Linux firewall, it's the only reasonable option. It's fast, easy, free. I won't buy new 2K licenses to deal with this - I'm definitely not upgrading six NT servers, buying a new version of our $10,000 accounting software to work properly with Win2K, or upgrading Exchange 5.5. I just won't - not because of this, anyway.
MS will never see another nickel from me for as long as I live. I understand the EOL issue, but EOL doesn't exist with open source, and MS simply can't compete with that concept.
I hate this business sometimes.
# Erik
What Microsoft means to say is that it previously introduced a flaw to bolster later excuses for not supporting legacy software, thus pressuring businesses to invest in the next 'buggy' that comes along. Time to ramp up the marketing for 2003.
What those who want activist courts fear is rule by the people.
'I cannot read the fiery letters,' said Frodo in a quavering voice.
'No,' said Gandalf, 'but I can. The letters are Microsish, of an ancient mode, but the language is that of Mordor, which I will not utter here. But this in the Common Tongue is what is said, close enough:
Beware the RPC subsystem. Deep inside its lair lies the sleeping beast, that is:
SQL Server
Besides which, the folks that haven't upgraded to something else are still not likely to upgrade, for the same reasons. They'll just be more vulnerable.
BTW, does anyone know if the US Navy is still using NT servers?
Personally, I've had great experiences with Tiny Personal Firewall.
http://www.tinysoftware.com
Same thing regarding OS...works great on 98, 200, XP. Same thing regarding application limiting. Also does nice things like MD5 sum checking to see if an application has changed and then prompts you if you want to accept the new application.
They refuse to release samba and openssl patches for their 10.1 server forcing users to upgrade to 10.2.
And this is after only one year!
In other areas, say cars, even if the maker drops support it's simple and legal for a 3rd party to do maintenance (though not for much longer if engine management becomes totally s/w based and DMCA remains in force.)
In closed source software, when the supplier drops support you are fscked. Even if you can find someone with the skills, the components are not available and you can't even look at the broken bits to see how to make new ones.
Dear Microsoft,
It has come to my attention that the recent DCE RPC bug which might result in a DoS on port 135 Windows NT machines has been labelled "unfixable". I therefore offer royalty-free and without restriction (BSD-style license, not Evil Viral GPL!) some pseudo-code which will successfully implement a fix to this problem:
Sincerely, A. Haxor
PS Do you have any job openings?
Hmm, I never thought of that. And even if they did release the code, they probably would still own it.
You think that I'm crazy, you should see this guy!
I know the software industry isn't really cut out for this, but why the hell can't they make a solid product and support it indefinitely? If it ain't broke, don't fix it! For example, my father's company still runs a DOS application programmed in the late 80's that is STILL SUPPORTED. It works *perfectly*. If it ain't broke, why fix it? The major problems we run into are because M$ forces us to upgrade operating systems every 4 years and getting the DOS app to work again becomes increasingly difficult.
We are seriously considering a platform change to linux.
What incentive is there for a company to make a sometimes multi-million dollar investment in a product that isn't guaranteed but for four years? My uncle runs a manufacturing plant, and has machines in there built in the *1920's* that are still on the line. Whenever they break, his shop fixes them now (see an open source link here?).
Get with it Microsoft. Build a product for companies to use long term. We don't ALL need the latest 'features'.
The EOL for NT4 Workstation is in June. This isn't June, if I'm not mistaken, nor is it June for another couple of months. Furthermore, NT4 Server has a much longer lifespan than Workstation does.
It, according to MS, is still supported.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Vulnerability has two i's. Good job M$.
No chance of this happening: 2k/xp are built on NT tech. Releasing code would give too much (read: any at all) insight into some of the xp/2k internal protocols.
or they're embarrassed
well, it looks like new o.s. time. all support required nt 4.x shops will have to change o.s.'s by july. a lot of those nt managers have thought that just buying new licences for win-2k will be good enough. but what advantages would exist if relicensing was taken out of the mix. i know its worth a persons job to suggest this, but sometimes demoing a linux solution, using the same application software can have positive results. especially during these very hard economic times. there aren't that many businesses that can 'just pass the cost on to the customer'.
i wish all nt managers luck, the above worked for me and doubled my salary.
1. The real system administrators. They use what is stable and what has proven to work. While it has had quite a few problems in the past, NT currently is stable and has proven to work.
2. The wannabe system admins. "If it's less than three years old, it's not good!" Wrong!!! When it comes to real systems, bleeding edge sucks. You have to move, reinstall, and reconfigure stuff all the time. When real system admins set stuff up, they set it up to work. They do not set it with alpha video drivers, just so they can see their game of quake get 4 more fps. It's like Debian stable. You may make fun of it because "it's old," but at least it works. Problems aren't going to suddenly pop up. To all those who are number twos, I have this to say to you: WRONG!!!
3. Microsoft just wants more money. Hrmph. Can't really disagree with you there, can I? ^_^
westlord