Slashdot Mirror


Microsoft Refuses To Fix NT 4.0 Exploit

shmigget writes "The Register is reporting that Microsoft is throwing in the towel as far as NT 4 is concerned on the latest security flaw to affect Windows 2000, XP, and NT 4. They quote Microsoft as saying 'The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.'" There still is a workaround for NT 4.0. Instead of patching the problem, it's advised to firewall off port 135 on an affected machine.


  1. No surprise by jawtheshark · · Score: 5, Informative
    I mean, NT4 is close to its end of life.

    No, I don't like it... but support for NT4 is dropped on 30 June 2003 and that's not really far away.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    1. Re:No surprise by questionlp · · Score: 5, Informative
      That may be the case for NT 4.0 Workstation, but NT 4.0 Server has a different EOL/End of Support timeline (according to Microsoft):
      http://www.microsoft.com/ntserver/ProductInfo/Availability/Retiring.asp

      The key part of that page is:

      January 1, 2005 Beginning on this date, Pay-per-incident and Premier support will no longer be available. This includes security hotfixes.
      On the page that you linked to, the end date for System Builder (ie: OEM) availability for NT 4.0 Workstation is 30 June 2003 whereas the end date for online support is 30 June 2004.
    2. Re:No surprise by questionlp · · Score: 5, Informative
      Whoops... forgot to paste another part of that page:

      January 1, 2004 Beginning on this date, non-security hotfixes are no longer available.

      Considering that this is a security vulnerability that they are talking about, Microsoft needs to look at what they committed to their customers in that timeline and better get a fix out ASAP!
    3. Re:No surprise by jaavaaguru · · Score: 2, Informative

      Access isn't really a product - it's a toy that you get free with Office to teach your children about databases before they get to use a real one.

      I can't comment on Word as I rarely use word processors anyway. Developer Studio isn't a bad product - despite lacking a few features (including an ANSI C compiler). Windows NT is really not a good product compared to some things they offer.

    4. Re:No surprise by theblackdeer · · Score: 2, Informative

      You used to be able to get it (and some other stuff, OS/2, Win3.1, etc) from oldos.org. If you go there now and check the forums, there's a bunch of kids posting ftp logins for downloading old os versions. pretty fun.

    5. Re:No surprise by ceejayoz · · Score: 2, Informative

      Click the "Processes" tab and close the process there. That works no matter what.

  2. Just goes to show you should look up your facts by Neophytus · · Score: 4, Informative

    I was going to say they had stopped supporting NT4 anyway so were within their rights, but I looked it up and it appears they are providing NT4 hotfixes until the end of 2004. Either way, a service pack or something equally dramatic for one flaw I think is overkill and blocking port 135 on a firewall is a better option.

  3. "Can't" isn't the same as "won't" by Artifex · · Score: 4, Informative

    They're not saying (publicly, anyway), "hah, we're not supporting this ancient operating system any more, go away."

    The article quotes them saying they can't fix it, there's too much stuff to do.

    Using your firewall to block port 135 is fine, unless you actually need RPC for something useful. In that case, I'd say that a firewall that discards all malformed packets (more complicated) is in order. Or an upgrade to Win2K. After all, it's been out for, what, 4 years now?

    --
    Get off my launchpad!
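Verifying the port 135 workaround discussed above, as an added example that is not part of the thread: a small Python check that probes the DCE RPC endpoint mapper port on a list of hosts and distinguishes "open" (the workaround is not in place), "closed" (a RST came back, so no firewall is dropping the port, the service just is not listening) and "filtered" (no answer before the timeout, which is what a firewall DROP rule produces). The host addresses in the usage section are constructed placeholders from TEST-NET-1; only the standard library is used. Run it from outside the firewall and again from a machine on the same LAN segment, since a perimeter block does nothing for traffic that never crosses the firewall.

```python
"""Check whether TCP 135 (the DCE RPC endpoint mapper) is reachable on a set of hosts.

Added example, not from the original thread. Uses only the Python standard
library; the default host list below is a constructed placeholder.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

RPC_EPMAP_PORT = 135


def probe(host, port=RPC_EPMAP_PORT, timeout=2.0):
    """Classify one TCP port.

    'open'     : the connect completed, something answers on the port
    'closed'   : a RST came back (no firewall drop; nothing is listening)
    'filtered' : nothing came back inside `timeout` (typical of a DROP rule)
    anything else is reported as an unreachable error text.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:  # e.g. no route to host, network unreachable
        return "unreachable: %s" % (e.strerror or e)
    finally:
        s.close()


def audit(hosts, port=RPC_EPMAP_PORT, workers=32):
    """Probe every host concurrently; returns {host: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda h: probe(h, port), hosts)
        return dict(zip(hosts, states))


def exposed(results):
    """Hosts still answering on the port: the workaround is not in place for these."""
    return sorted(h for h, state in results.items() if state == "open")


if __name__ == "__main__":
    # constructed placeholders (TEST-NET-1); pass real hosts on the command line
    hosts = sys.argv[1:] or ["192.0.2.10", "192.0.2.11"]
    results = audit(hosts)
    for host, state in results.items():
        print("%-16s %s" % (host, state))
    print("still exposed on %d:" % RPC_EPMAP_PORT, exposed(results))
```

A "closed" result is still worth acting on: it means the packet reached the host and the host answered, so the endpoint mapper is only one service start away from being exposed again.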
  4. Re:Borg icon by istartedi · · Score: 2, Informative

    I never cared for the Borg icon--I think the GPL is just as Borg-like as MS. The new icon is too dark. It looks like a box with some features on it that are difficult to make out. I had to read the alt in the image tag to figure out it was "Windows". I don't see anything wrong with using a window as the icon for Windows, just find one that's lighter. I'm not sure what restrictions MS places on use of the Windows logo, but if they can use it then that's what they should use--just like they do for Apple. That would seem fair enough to me.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  5. Re:How much by jawtheshark · · Score: 2, Informative

    I work currently at a large bank, part of the Fortis Group, that is entirely based on NT4. As a developer I have a kick-ass new machine, complete with XP sticker on it, but it runs NT4.
    Mission before that was a local insurance company, also completely NT4 based though left and right Win2000Pro is popping up.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  6. Thanks MS, steal DCE's port and make it insecure by finkployd · · Score: 4, Informative

    Way to go MS. Take the port used by the DCE endpoint mapper, use it in your own broken, buggy, and insecure version of DCE RPC (also known as DCOM), then refuse to fix it.

    My University uses DCE all over the place, from a financial application to the distributed filesystem. Now people are going to start blocking this port (135) to protect against it, then start complaining when some of the applications they use and their file system access stop working.

    Finkployd

  7. Re:Not until 06/30/03 it isn't! by Gudlyf · · Score: 2, Informative
    --
    Trolls lurk everywhere. Mod them down.
  8. Re:Please....ths is not that big an issue. by the+eric+conspiracy · · Score: 2, Informative

    Microsoft isn't obligated to support old software forever.

    Hmmm yes, except they say NT4 IS supported, until 2004. They also sell support contracts for it.

    This is very bad because it screws up lifecycle planning.

  9. Holy hell this site pisses me off - posted anon by Anonymous Coward · · Score: 1, Informative
    NT4 is almost seven years old, not four. Big difference. How can you trust that Microsoft will support it? You can't.

    That's what it comes down to, really. That is why this whole website is here. A group of folks decided that open and free is better than closed and wildly profitable. Then they set out to prove it. Along the way, community sites like slashdot sprang up. Some communities focus on improving the product and helping the users. This particular one focuses on bashing the competition.

    This is a limitation of Microsoft's business model: stay in business and stay profitable. Linux doesn't have these requirements, so it wins by your standards. Unless you actually use or develop linux or linux apps then you are a buffoon for speaking out like you do. And the majority of readers of this site are just this; impotent whiners who don't actually support "the cause". I don't think Microsoft is wrong for doing this; I DO think this validates our way of doing things at the OS level.

    I write this knowing it will be ignored because I am posting as an AC, but I must say SOMETHING. All this miserable site does is foster zealots.

    That being said, see you tomorrow!

  10. Re:nt 4.0 came out 1996 by the+eric+conspiracy · · Score: 2, Informative

    It's not like Microsoft stopped selling the NT4 product six years ago - in fact, it is still currently sold in the VAR channel. In some sense Microsoft is failing to supply security hotfix support for a product that they are still selling. That is not very good support.

    As a matter of fact RedHat 6.2 is still being supported, but not for much longer.

    I imagine that you could easily hire somebody to support it for you, which would be quite feasible due to the availability of source code. You aren't tied to the original vendor for fixes as with Microsoft.

    Or if you didn't want to go that route with RedHat, you could always upgrade - RedHat ISOs are available for free download, and you should be able to upgrade from 6.2 up through 8.0 using the standard installer.

  11. Re:ZoneAlarm by caluml · · Score: 3, Informative
    Imagine for a moment that you have a /19, and some pinhead decides to scan all of those to see who's alive on port 445. You either block it after a few connection attempts, or you suffer with 8192 log entries - one for each host.

    That's why you use rate limiting for logging, like this:
    $fw -A FORWARD -p icmp -m limit --limit 10/min -j LOG --log-prefix="NEW RAPID ICMP "
    will only log 10 outbound ICMPs per minute. Adjust to suit your personal preferences/requirements.

  12. Linux Firewalls by xneilj · · Score: 2, Informative

    If you want to quickly turn an old box into a dedicated and very secure firewall, then Smoothwall and a fork of it, IPCop are fine GPL examples. Smoothwall also sells a non-GPL version of their firewall with extra custom functions, but the basic Smoothwall is still GPL.

    Both of the above support a load of network cards, and even USB-based ADSL (like the Speedtouch) right out of the box and are an absolute cinch to get running, even if you only have limited networking knowledge. They also provide a simple but powerful browser interface for administration (port forwarding, dyndns registration, squid caching web proxy, etc.).

    If you want to add a firewall to an existing Linux box, then a good recommendation is ShoreWall which I've just recently set up on a Mandrake box and been very pleased with. It uses the kernel's Netfilter (iptables) support to do its thing, and is the best option if you want a multi-function firewall/router, etc., since both smoothwall/ipcop are designed to be more restrictive 'all in one' firewall distros where it can get tricky to do things like recompile the kernel without it breaking. Smoothwall and IPCop do provide regular security patches which are very easy to install via the browser admin interface (which even warns you when new ones have become available).

    Smoothwall are usually a little quicker than IPCop at getting new patches out. Shorewall is a standalone firewall so it's up to you to keep the other apps updated.

    --
    rm -rf / is the evil of all root
  13. Re:The Ford Version of M$ by macrom · · Score: 4, Informative

    More like:

    Sorry, but due to the design limitation of your 1965 Ford, we are unable to retrofit your car to fix a recently-found problem in the braking system. Third-party companies may provide small fixes that can help alleviate (but not completely fix) the problem. This problem is not present in our current line of products.

    Windows NT 4.0 hit end-of-life back on December 31, 2002. An IT department should know that commercial software companies, MS included, routinely EOL software and drop support for them. A 7-year-old OS is going to have moth holes in it. If your company cares about security, upgrade to something more modern and (theoretically) secure. If you can't afford it, then evaluate migrating to OSS solutions. If you can't afford that, well, you're in big trouble.

    MS makes it clear on their Product Life Cycle pages what support they plan to give for all products. Anyone caught surprised by this probably shouldn't be making IT decisions for an organization any larger than 1.

  14. Why they aren't making a patch, from Microsoft by shrikel · · Score: 4, Informative
    From the faq:

    The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture. Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected. The product of such a rearchitecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system.

    Sure it's idiotic that their system couldn't handle a patch. But if that's how it is, then it's a good thing they made their more recent versions dynamic enough to be fixable!

    --
    Any sufficiently simple magic can be passed off as mere advanced technology.
  15. Re:ZoneAlarm by technos · · Score: 1, Informative

    Can always replace the NT 4.0 box with Samba, if it's in a fileserver or network authentication role. Most of the time, it's pretty painless to replace one with the other.

    --
    .sig: Now legally binding!
  16. Re:ZoneAlarm by canadian_right · · Score: 2, Informative

    Yeah, but I'd guess that 90% of our NT boxes are application servers running big apps that only run on NT. If the app is running OK you don't want to touch anything.

    --
    Anarchists never rule