Microsoft Refuses To Fix NT 4.0 Exploit

shmigget writes "The Register is reporting that Microsoft is throwing in the towel as far as NT 4 is concerned on the latest security flaw to affect Windows 2000, XP, and NT 4. They quote Microsoft as saying 'The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.'" There still is a workaround for NT 4.0. Instead of patching the problem, it's advised to firewall off port 135 on an affected machine.

No surprise

[jawtheshark]

I mean, NT4 is close to it's end of life .

No, I don't like it... but support for NT4 is dropped at 30 june 2003 and that's not really far away.

Re:No surprise

[questionlp]

That maybe the case for NT 4.0 Workstation, but NT 4.0 Server has a different EOL/End of Support timeline (according to Microsoft):
http://www.microsoft.com/ntserver/ProductInfo/Avai lability/Retiring.asp

The key part of that page is:

January 1, 2005 Beginning on this date, Pay-per-incident and Premier support will no longer be available. This includes security hotfixes.

On the page that you linked to, the end date for System Builder (ie: OEM) availability for NT 4.0 Workstation is 30 June 2003 whereas the end date for online support is 30 June 2004.

Re:No surprise

[questionlp]

Whoops... forgot to paste another part of that page:

January 1, 2004 Beginning on this date, non-security hotfixes are no longer available.

Considering that this is a security vulnerability that they are talking about, Microsoft needs to look at what they committed to their customers in that timeline and better get a fix out ASAP!

Just goes to show you should look up your facts

[Neophytus]

I was going to say they had stopped supporting NT4 anyway so were within their rights, but I looked it up and it appears they are providing NT4 hotfixes until the end of 2004. Either way, a service pack or something equally dramatic for one flaw I think is overkill and blocking port 135 on a firewall is a better option.

"Can't" isn't the same as "won't"

[Artifex]

They're not saying (publicly, anyway), "hah, we're not supporting this ancient operating system any more, go away."

The article quotes them saying they can't fix it, there's too much stuff to do.

Using your firewall to block port 135 is fine, unless you actually need RPC for something useful. In that case, I'd say that a firewall that discards all malformed packets (more complicated) is in order. Or an upgrade to Win2K. After all, it's been out for, what, 4 years now?

Thanks MS, steal DCE's port and make it insecure

[finkployd]

Way to go MS. Take the port used by the DCE endpoint mapper, use it in your own broken, buggy, and insecure version of DCE RPC (also known as DCOM), then refuse to fix it.

My University uses DCE all over the place, from a financial application to the distributed filesystem. Now people are going to start blocking this port (135) to protect against then start complaining when some of the applications they use and their file system access stops working.

Finkployd

Re:ZoneAlarm

[caluml]

Imagine for a moment that you have a /19, and some pinhead decides to scan all of those to see who's alive on port 445. You either block it after a few connection attempts, or you suffer with 8192 log entries - one for each host.

That's why you use rate limiting for logging, like this:
$fw -A FORWARD -p icmp -m limit --limit 10/min -j LOG --log-prefix="NEW RAPID ICMP "
will only log 10 outbound ICMPs per minute. Adjust to suit your personal preferences/requirements.

Re:The Ford Version of M$

[macrom]

More like :

Sorry, but due to the design limitation of your 1965 Ford, we are unable to retrofit your car to fix a recently-found problem in the braking system. Third-party companies may provide small fixes that can help alleviate (but not completely fix) the problem. This problem is not present in our current line of products.

Windows NT 4.0 hit end-of-life back on December 31, 2002. An IT department should know that commercial software companies, MS included, routinely EOL software and drop support for them. A 7-year-old OS is going to have moth holes in it. If your company cares about security, upgrade to something more modern and (theoretically) secure. If you can't afford it, then evaluate migrating to OSS solutions. If you can't afford that, well, you're in big trouble.

MS makes it clear on their Product Life Cycle pages what support they plan to give for all products. Anyone caught surprised by this probably shouldn't be making IT decisions for an organization any larger than 1.

Why they aren't making a patch, from Microsoft

[shrikel]

From the faq:

The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture, Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected. The product of such a rearchitecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system.

Sure it's idiotic that their system couldn't handle a patch. But if that's how it is, then it's a good thing they made their more recent versions dynamic enough to be fixable!