Slashdot Mirror


Microsoft Refuses To Fix NT 4.0 Exploit

shmigget writes "The Register is reporting that Microsoft is throwing in the towel as far as NT 4 is concerned on the latest security flaw to affect Windows 2000, XP, and NT 4. They quote Microsoft as saying 'The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.'" There still is a workaround for NT 4.0. Instead of patching the problem, it's advised to firewall off port 135 on an affected machine.

35 of 664 comments

  1. Borg icon by KingRamsis · · Score: 2, Insightful

    I like the Bill "Borg" icon better than this icon

  2. Seems strange but... by mlknowle · · Score: 4, Insightful

    It seems strange on the surface for them to admit that their product is 'unfixable,' but really, doesn't it make sense as an upgrade-inducer? Granted that in a more competitive market people would be put off by this, but some people don't regard the other choices with which we are so familiar as acceptable options, leaving them sending their checks to Redmond no matter.

    Then again, people still buy new models of cars which have had huge safety problems in the past, even though other choices are available; perhaps the real phenomenon is that marketing is sometimes more powerful than good judgement.

  3. Please advise me: by rainer_d · · Score: 4, Insightful

    What other operating systems from back then are still "supported" now ?
    Solaris 2.6 maybe ? (Rapidly approaching EOL/EOS)
    What else ?
    Point is: NT4 is so old (and so BS), I can see why they want it to die (apart from the reason that they want to sell the new OSs)

    --
    Windows 2000 - from the guys who brought us edlin
  4. So if it had been found earlier.... by MeanE · · Score: 2, Insightful

    say in 97/98/whatever they would have just looked at it and said "well darn...an NT4 bug that just can not be fixed"?

    What's sad is that there is a 2k/XP fix...and I bet an NT fix would not be that hard considering they are quite similar OSes.

  5. Re:How much by G+Money · · Score: 5, Insightful

    You're kidding, right? The clients I work with are predominantly NT based because of the license/security issues surrounding Microsoft and they don't want to be led deeper into the licensing pit that is Microsoft. Granted, NT is very old, but if you have to pay that much for an NT server license, you're going to want to get your money's worth for it (if that's at all possible).

  6. Re:No surprise by MyPantsAreOnFire! · · Score: 5, Insightful

    Very true. I agree that all products have their lifecycles, and NT 4 is most definitely near the end of its cycle.

    However, support for NT4 is dropped on June 30th, NOT March 26th. They should still support their products with something better than a half-assed work around.

    How can we trust that Win 2003 support will end 4 years after its release, and not when they come across a "really difficult" problem that may require some thought and work?

    --
    --My other sig is a ferrari.
  7. Re:How much by narrowhouse · · Score: 2, Insightful

    Dropping 2000 for XP server? Oh wait there is no XP server... Maybe the people you are talking about don't use servers? Don't get me wrong I would like to see more people consider dropping Windows 2000 servers, they would be switching to UNIX, or LINUX 90% of the time if they did.

    --
    Insert pithy comment here.
  8. Re:Wow. by Steeltoe · · Score: 2, Insightful

    All Microsoft-bashing aside, does anyone else see something majorly wrong when it's impossible to fix a fairly serious exploit due to architecture limitations in the OS??
    They're basically saying that they can't fix it because the OS makes it impossible to do so. Not because it's inherent in some protocol, or because it is a natural effect of some kind of desired behavior or something, but because the OS DOESN'T SUPPORT IT?????
    That's just wrong.


    You're working yourself up here... Consider this like Red Hat refusing to patch up Red Hat 3.0 with the latest security fixes.

    It's bad news here at work though, we still use NT. No need for an upgrade with all the hassle it brings, we get the development work done just fine. It makes excellent economic sense to skip a few Windows-versions for big businesses. It's just a huge hassle and economic drain to switch to newer versions when what you've got is working.

    What should upset us is that Microsoft is refusing to support NT, when they've still committed to supporting the platform..

    However, if a work-around is good enough, then it's good enough. This ain't rocket science, it's IT. IT is quite stupid and non-academic unfortunately.

  9. Re:No surprise by boinger · · Score: 4, Insightful
    "Close to end-of-life" is not "end-of-life". I'm sure some of their enterprise-level customers (banks, for instance) where "just upgrade the server" isn't an option will have some very favorable (meaning bad for Microsoft) spending decisions next time around.

    Who wants to buy an operating system from a company that lets their OSes die before their EOL? I sure wouldn't. The point of an EOL announcement is telling the world that 'as of xx/xx/xx, this product is dead as far as support goes'. Not 'when date xx/xx/xx is nearish, you're SOL'.

    But, then, I'm just an admin, what do I know?

    --
    Send your friends messages of love at fuck-you.org
  10. Re:ZoneAlarm by MultisSanguinisFluit · · Score: 2, Insightful

    Well... yes and no... From MS' security bulletin: The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. So if you block it, RPC clients will likely stop working. But, really, who cares? How many RPC services are running exposed to untrusted environments? If you have such a box connected to the Internet NOT behind a firewall, you've been begging to be DOS-ed all along.

    --
    > get tea
    No Tea: dropped.
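    The workaround under discussion is only as good as the firewall rule actually in place, so the check a practitioner wants is a probe of TCP 135 from the untrusted side that tells a silent DROP ("filtered") apart from a REJECT or an unfiltered host with nothing listening ("closed") and a handshake that completes ("open", endpoint mapper exposed). The following is an added example, not code from the thread or from Microsoft; the loopback listener and the host list are constructed sample input so it runs offline. It probes only TCP; the endpoint mapper also listens on UDP 135, which a connect() probe cannot verify.

```python
"""Added example: probe whether the RPC endpoint mapper port (TCP 135) is
reachable from where this script runs. Hosts, ports and the loopback
'listener' below are constructed for the demo."""
import socket
import threading

ENDPOINT_MAPPER_PORT = 135  # MS-RPC endpoint mapper (TCP and UDP)


def tcp_probe(host, port=ENDPOINT_MAPPER_PORT, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for host:port over TCP.

    'open'     - handshake completed: the service is exposed to this vantage point
    'closed'   - RST came back: reachable host, nothing listening, or a REJECT rule
    'filtered' - no answer before the timeout: typically a firewall DROP rule
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:      # must precede OSError (it is a subclass)
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError:
            # 'No route to host' and friends: for an exposure audit, count as dropped
            return "filtered"
        return "open"


def audit(hosts, port=ENDPOINT_MAPPER_PORT, timeout=2.0):
    """Probe each host; return ({host: state}, [hosts whose port is open])."""
    results = {h: tcp_probe(h, port, timeout) for h in hosts}
    exposed = [h for h, state in results.items() if state == "open"]
    return results, exposed


def start_dummy_listener(host="127.0.0.1"):
    """Constructed stand-in for an exposed endpoint mapper: a loopback socket
    that accepts and immediately closes connections. Returns (server, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # server socket closed: stop serving
                break
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_loopback_port():
    """Return a loopback port with nothing listening (constructed helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_dummy_listener()
    results, exposed = audit(["127.0.0.1"], port=port)
    print("with a listener:", results, "exposed:", exposed)
    srv.close()
    print("closed port:", tcp_probe("127.0.0.1", free_loopback_port()))
```

    Run it against the NT 4.0 hosts from a machine on the untrusted side of the firewall, substituting the real addresses for the loopback demo; any host reported "open" is still exposed, and a host reported "closed" rather than "filtered" tells you the packet reached the host (or a REJECT rule), which is worth knowing when the intent was to drop.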
  11. Re:nt by Lxy · · Score: 1, Insightful

    NT4 and Windows 2000 have compatibility issues. For instance, running a PDC controller on NT4 makes it more compatible with NT, Win9x, 2k, and XP. Running a Win2K PDC cuts off functionality from NT and Win9x clients. So why am I running 9x and NT workstations? Some stuff just won't work on new OS's. We've got servers(!!) running on Windows 3.11 because the software is too b0rked to run on anything newer. And besides, there's nothing more fun than showing off our 486 servers :-).

    UPGRADING ISN'T ALWAYS THE RIGHT ANSWER.

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
  12. Done supporting it? Release the code! by Angry+White+Guy · · Score: 2, Insightful

    See above.

    --
    You think that I'm crazy, you should see this guy!
  13. Another workaround for NT4 by jasonditz · · Score: 2, Insightful

    Instead of patching the problem, format the hard drive and use someone's OS who actually fixes security problems next time.

  14. Re:Wow. by dhovis · · Score: 4, Insightful
    You're working yourself up here... Consider this like Red Hat refusing to patch up Red Hat 3.0 with the latest security fixes.

    Except that the source code to Red Hat 3.0 is publicly available, so a fix could be made by anybody. The problem here is that the only people who could fix NT4 are Microsoft and they are refusing to do so. Worse, we can only take their word for it that a fix would be nearly impossible.

    I'm not a big proponent of open source, but this is a case where there are clear advantages.

    --
    The internet is the greatest source of biased information in the history of mankind.

  15. be advised by Erris · · Score: 2, Insightful
    What other operating systems from back then are still "supported" now ? Solaris 2.6 maybe ? (Rapidly approaching EOL/EOS) What else ? Point is: NT4 is so old (and so BS), I can see why they want it to die (apart from the reason that they want to sell the new OSs)

    If you have a Sun, you will be provided with software with all the fixes free of charge. A friend of mine bought a nice UltraSPARC on eBay a while back and he was provided with all that he needed.

    If you simply have a 486, all the BSD and Linux distros you want, with all the fixes, are available under the same terms from way back.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
  16. Re:"Can't" isn't the same as "won't" by Elwood+P+Dowd · · Score: 2, Insightful

    Using your firewall to block port 135 is fine, unless you actually need RPC for something useful. In that case, I'd say that a firewall that discards all malformed packets (more complicated) is in order.

    If you're doing something useful with RPC, and you are not doing it behind a firewall (that discards all RPC packets), then you are dumb like bricks. RPC isn't something you want to be doing via the internet, afaik.

    All their enterprise customers might be annoyed, but this should never affect them. If some bank has NT4 machines outside of a firewall or even many NT4 servers and clients with no firewall between them, their IT department needs to be lined up and shot.

    --

    There are no trails. There are no trees out here.
  17. Re:ZoneAlarm by foistboinder · · Score: 4, Insightful
    Moving on: I really don't see what the big deal is, so what if MS doesn't patch NT? The only people using NT are businesses that are reluctant or unable to upgrade.

    Some businesses are reluctant to upgrade because they are running mission critical apps (even on Windows) where changing the OS may force them to go through some sort of lengthy and expensive tests.

    I once worked on software running on an archaic version of Unix. The OS was never upgraded because doing so would force them to get the entire system recertified by the FDA (it was a system used in medical diagnostics). As it was, it was a pain to recertify individual programs on this system.

  18. Re:No surprise by YetAnotherAnonymousC · · Score: 2, Insightful

    After the Win9x series, I'd say it's Microsoft's worst product.

    You're giving Microsoft far too much credit. =)

  19. The crucial difference. -- open source by Linux-based-robots · · Score: 3, Insightful

    Of course, Red Hat is also phasing out earlier versions of Red Hat Linux, but due to its open source nature you could get security updates from another source (apt-rpm repositories for instance) or make your own patches. Windows users are forced to rely on Microsoft for timely security updates, which they frequently fail to provide even in recent versions of Windows.

  20. Re:No surprise by slacker775 · · Score: 2, Insightful

    The thing I find disturbing from MS' KB article is that if it was Win2K or XP that had the architectural problems that would take a lot to fix and would likely break compatibility, what would they do? On the one side, they leave you vulnerable but on the other, they break many/all of your applications. They are 'fortunate' in that the problem is in a legacy OS that is on its way out the door so people don't get too up-in-arms about it. Of course, I find it difficult to believe that it would be a massive architectural redesign to patch this problem. I think they just don't want to go through the effort on an old platform.

  21. Re:No surprise by milkman_matt · · Score: 2, Insightful
    This is true. However, as a company, you'd think that MS would feel obligated to support its products until the minute they drop support...which in this case isn't for another couple months.

    These days, it doesn't surprise me that even as a company I don't think Microsoft feels 'obligated' to anyone or anything.

    -matt

  22. Re:No surprise by Rary · · Score: 3, Insightful
    According to Microsoft's site: "Microsoft tested Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition. These platforms are vulnerable to the denial of service attack however due to architectural limitations it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability."

    Perhaps they had an analyst estimate the time/effort involved in fixing this issue, and found that it's based on such a fundamental flaw in the very foundation of NT 4.0 that it would take until well past June 30th to code a fix. If that's the case, then they're not actually cutting off the support early.

    I dunno. Just a thought.

    --

    "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

  23. Not quite by XSforMe · · Score: 2, Insightful

    only people using NT are businesses that are reluctant or unable to upgrade.
    Heh, I remember too when I was a student and thought that to upgrade software all you needed was to buy the thing and then run a wizard.

    Unfortunately, this is not the case for most systems. Upgrading takes much time and puts strain on IT staff to get the monster running on schedule. Last time I upgraded the CEO of the company walked in on me during a sunday to see if the systems would be ready to run on Monday. Must I say more?

    --
    My other OS is the MCP!
  24. Re:No surprise by jenssoderberg · · Score: 2, Insightful

    "what is the point of even trying to do it"
    How about "Respect for the customers" as an argument? Yes it's a good probability that there are only a few thousand customers who are still using NT4. But if you respect the customers you will extend the deadline in their favour.

    Just my 2 euro cents

    --
    /. AC "Concrete lifejackets could get certified under ISO2002"
  25. Re:ZoneAlarm by $rtbl_this · · Score: 4, Insightful

    And some businesses don't want to upgrade because of the cost. Not only would you be looking at licenses, but also hardware upgrades, retraining of IT staff, taking time out to plan an Active Directory implementation and all the testing involved in seeing if your apps run properly in the new environment. For a medium to large sized company that can represent a huge investment in time and money just to stay supported.

    --
    "Are you being weird, or sarcastic?" said Emma. I said I didn't know because I get the two feelings mixed up.
  26. WHY THE BLEEP CAN'T IT BE SHUT DOWN ??? by knorthern+knight · · Score: 2, Insightful

    *nix RPC runs on port 111. If I don't intend to have outside computers log in and run apps on my linux machine remotely, I shut down RPC, and uninstall it too, as well as blocking *ALL* privileged ports (0..1023) with iptables. It's bad enough that Windows comes with unnecessary stuff enabled. But when *YOU CAN'T TURN IT OFF*, something is drastically wrong.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  27. bullshit by dh003i · · Score: 2, Insightful

    This is just part of their plan to force people make costly upgrades.

  28. So let me get this straight by PinkX · · Score: 3, Insightful

    (Another) security bug is discovered on Microsoft software, which affects Windows NT 4. It also affects Windows 2000 and Windows XP, which clearly means that the latter two are direct derivatives of NT 4 (which we all already know).

    So now Microsoft is refusing to issue a fix for NT 4, arguing that there is no way they could make it so that no other existing apps stop working. But a fix for 2k and XP has already been done. That's because of the great differences between NT 4 and 2k/xp, nonetheless they are based on the same product.

    So how come, with 2k and XP being SO different from NT, they can still run the same apps without needing any modification? How come there is no way to patch an NT4 system so that it can still run the same apps, but they can surely do it on 2k and XP, and the same applications will still run without a problem on the same system?

    This is clearly a move from Microsoft to force their customers to either upgrade their NT 4 installations, or else they are left to their own luck. Many people WON'T upgrade their NT 4 because that just works for them, because their hardware is not powerful enough for a 2k/xp system, or because any other reason they can think of.

    Windows NT 4 has been on the market for about seven or eight years now (if my memory isn't failing it was released almost alongside Win95). This recently discovered vulnerability has always been there since then. What would have happened if someone had discovered it before w2k was released? Would Microsoft still be unable to release a patch for it because it would break the whole system down?

    I've seen many posts saying that no one should have port 135 open to the world. That port shouldn't be listening for requests from the whole world in the first place. There is no way you can know which of the ports that (for some obscure reason, valid for Microsoft of course) are listening represent a threat to the security of the system. Sure, the same could be said (no) about Linux and other systems, but there's always a way to shut them off and not leave the system in a non-working state.

    And that's all I have to say about it.

  29. no way to tell by Build6 · · Score: 2, Insightful

    No way to tell if it's really "impossible" to do it, or just "nobody in MS team can see a way to do it" (I'm not going to suggest that MS isn't interested in keeping NT4 useable in order to drive people to upgrade and pay more $$; however I do find it interesting that they've refused to roll up all their post SP6a + SRP patches into one easy-to-apply package). MS does not have a monopoly on smart people. It does have a monopoly on the source code... Anyone wonder if the source was available someone would have piped up and said "no, you CAN fix it by ..." ?

  30. Re:ZoneAlarm by Grishnakh · · Score: 2, Insightful

    Maybe, but HVAC and phone systems don't become "old and unsupportable" after only three years. Any system which has such a ridiculously short lifetime should be replaced with something that lasts longer (i.e. a better OS).

    MS OSes are unsupportable after three years simply because MS wants you to upgrade fast so they make more money. There are lots of IBM customers running computer systems 10 or 20 years old, and IBM has no problem giving them support. Sun is the same way.

  31. It's not the number of releases.... by Kjella · · Score: 4, Insightful

    NT4 came out in September 1996, just three months after Linux 2.0. The last 2.0 version is 2.0.39, which was released January 2001, over two years ago. Both groups have moved on, and aren't willing to spend much effort on the old versions.

    If I install a machine with 2.0.39, is there any known big vulnerability? If one was discovered would there *then* be a 2.0.40? With free software there's not much interest in backporting features, since upgrading to the latest version is free, should you need those features.

    Anything that has outlived its time as the mainstream stable branch wouldn't normally be updated except for security fixes, so I expect both 2.0 and 2.2 to have very slow release cycles now. Unlike Windows, where you expect some feature creep (for example DirectX upgrades) without having to pay for an OS upgrade.

    Anyway, this isn't really about that either, but it's about the EOL date Microsoft has set. What do you think would happen if RedHat said "Uh RedHat 8 is fundamentally flawed, so we won't fix this bug even though it's still under support. Block this service, or upgrade to RedHat 9, oh and you'll need a new support contract for that version." Would you find that acceptable?

    Kjella

    --
    Live today, because you never know what tomorrow brings
  32. Re:ZoneAlarm by Grishnakh · · Score: 2, Insightful

    I seem to remember Windows NT being touted as the replacement for Unix when it came out. Well, there's still lots of Unix systems from that time still in use, and still well supported by their vendors.

    What did you think Windows ever claimed to be? A cheap, poorly-written OS that aspired to replace Unix but failed miserably? That may be the reality, but MS has been claiming all along that Windows NT and its successors are supposed to replace Unix, VMS, AS/400, and mainframes, so your argument seems to fall flat on its face given that it sure isn't living up to those claims.

  33. Re:ZoneAlarm by Alex+Belits · · Score: 2, Insightful

    First rule of DoS-resistant network security: the system must not change any of its behavior when attacks are present.

    Including logging.

    Which means: never try to log the intrusion attempts, let alone portscans, every connection, etc., unless for the purpose of studying them.

    --
    Contrary to the popular belief, there indeed is no God.
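    The point above is that per-packet work performed because an attack is present (a log write per malformed RPC request, say) is itself an amplifier the attacker controls. The usual engineering compromise when the events still have to be recorded is to bound that work with a token bucket, the way iptables' `limit` match bounds log rules: the first burst of events is written, everything beyond the budget is only counted, and one summary line is emitted when the budget refills so the suppression stays visible. The following is an added example of that pattern, not code from the thread; the class, its interface and the sample messages are my own construction, with time passed in explicitly so the behaviour is deterministic.

```python
"""Added example: a token-bucket throttle that caps how many log lines an
attacker can make the host write, so logging cannot become the denial of
service. Interface and sample messages are constructed for the demo."""


class LogThrottle:
    """Allow at most `rate` log events per second, with a burst of `burst`.

    Events beyond the budget are counted rather than written. When tokens
    are available again, a single summary line reports how many were
    suppressed; that summary costs one token like any other line, so the
    write rate stays bounded even while the flood continues.
    """

    def __init__(self, rate, burst):
        self.rate = float(rate)          # tokens (lines) refilled per second
        self.capacity = float(burst)     # maximum stored tokens
        self.tokens = float(burst)       # start full: the first burst is logged
        self.last = None                 # timestamp of the previous call
        self.suppressed = 0              # events dropped since the last summary
        self.total_suppressed = 0        # events dropped over the lifetime

    def _refill(self, now):
        if self.last is not None:
            elapsed = max(0.0, now - self.last)   # tolerate a clock step backwards
            self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now

    def log(self, now, message, sink):
        """Write `message` via sink(line) if the budget allows.

        Returns True if the message was written, False if it was suppressed.
        `now` is the caller's clock (seconds); `sink` is any callable that
        takes one string (file write, syslog, list.append for tests).
        """
        self._refill(now)
        if self.suppressed and self.tokens >= 1.0:
            sink(f"[throttle] {self.suppressed} events suppressed")
            self.suppressed = 0
            self.tokens -= 1.0
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            sink(message)
            return True
        self.suppressed += 1
        self.total_suppressed += 1
        return False


def simulate_flood(throttle, n_events, interval, start=0.0):
    """Feed n_events to the throttle `interval` seconds apart (constructed
    attack traffic). Returns (messages_written, lines_emitted)."""
    lines = []
    written = 0
    for i in range(n_events):
        # constructed sample message; 192.0.2.0/24 is the documentation range
        msg = f"rpc: malformed request from 192.0.2.{i % 254 + 1}"
        if throttle.log(start + i * interval, msg, lines.append):
            written += 1
    return written, lines


if __name__ == "__main__":
    t = LogThrottle(rate=5, burst=10)
    written, lines = simulate_flood(t, n_events=1000, interval=0.001)
    print(f"{written} of 1000 events written, {t.total_suppressed} suppressed, "
          f"{len(lines)} lines emitted")
    for line in lines[-3:]:
        print(line)
```

    With a 1000-event flood in one second and a budget of 5 lines/s with a burst of 10, the host writes on the order of a dozen lines instead of a thousand, and the summary lines tell the analyst that a flood happened without the flood dictating the I/O cost. The suppressed count still grows under attack, which is a bounded change of state (one integer), not bounded work; that is the trade the comment above argues against, and it is the one most deployments accept.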
  34. If you're still confused as to why fix = screw it by SlimFastForYou · · Score: 2, Insightful

    Quite frankly, Windows NT 4 is why spaghetti coding is BAD. Earlier operating systems created by Microsoft show lack of focused planning and eagerness to create something new. I suppose the debugging/patching team finally had the last straw and had subsequent OSes built with more stable kernels. Developers: Always comment your code and begin coding with a well-thought-out plan. Even with RAD, know what you're doing before you start!

    I remember the days of the antitrust suit against Microsoft... it was because everything was too integrated. Microsoft swore up and down that their severe integration was good. You decide that for yourself - especially in light of the current situation.

    Although you may think I am simply another Linux proponent, I do not believe that a flaw would be simply unfixable with Linux. Distributions are highly modular, and although spaghetti code is inevitable, it is minimal in the Linux kernel and important services - namely because hundreds, perhaps thousands of developers contribute and sloppy base code is not an option. In no way am I saying Linux is for grandmas, however I would never entrust my business/server to Windows. It simply seems imprudent.

  35. Re:The Ford Version of M$ by hughk · · Score: 2, Insightful
    This is a very poor analogy.
    Sorry, but due to the design limitation of your 1965 Ford, we are unable to retrofit your car to fix a recently-found problem in the braking system.
    More like your 1996 Ford only lasts four years, after that, we refuse to maintain it.
    Third-party companies may provide small fixes that can help alleviate
    Unlike car manufacturers we do not publish full design information or permit reverse engineering. Not only are you on your own, we'll sue your ass off if you even try to fix the problem yourself. MS makes it clear on their Product Life Cycle pages what support they plan to give for all products
    Where was that timescale when I bought NT 4.0? In theory anyone can still drive a Ford Model-T, not many spare parts for those around. The interesting thing is that the product can be completely reverse engineered and replacement parts produced by anyone. This is where the software vs auto analogy really breaks down. And heck, I own my auto, but I do not own a Microsoft OS, I only license it.

    Actually a client of mine does get 10yr support commitments on any given release level of its critical software. Suffice to say, Win2K isn't permitted anywhere near that critical area. I understand DOD gets 20yrs.

    --
    See my journal, I write things there