Microsoft Refuses To Fix NT 4.0 Exploit
shmigget writes "The Register is reporting that Microsoft is throwing in the towel as far as NT 4 is concerned on the latest security flaw to affect Windows 2000, XP, and NT 4. They quote Microsoft as saying 'The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.'" There still is a workaround for NT 4.0. Instead of patching the problem, it's advised to firewall off port 135 on an affected machine.
It seems strange on the surface for them to admit that their product is 'unfixable,' but really, doesn't it make sense as an upgrade-inducer? Granted that in a more competitive market people would be put off by this, but some people don't regard the other choices with which we are so familiar as acceptable options, leaving them sending their checks to Redmond no matter.
Then again, people still buy new models of cars which have had huge safety problems in the past, even though other choices are available; perhaps the real phenomenon is that marketing is sometimes more powerful than good judgement.
What other operating systems from back then are still "supported" now ?
Solaris 2.6 maybe ? (Rapidly approaching EOL/EOS)
What else ?
Point is: NT4 is so old (and so BS), I can see why they want it to die (apart from the reason that they want to sell the new OSs)
Windows 2000 - from the guys who brought us edlin
You're kidding, right? The clients I work with are predominantly NT based because of the license/security issues surrounding Microsoft, and they don't want to be led deeper into the licensing pit that is Microsoft. Granted, NT is very old, but if you have to pay that much for an NT server license, you're going to want to get your money's worth for it (if that's at all possible).
Very true. I agree that all products have their lifecycles, and NT 4 is most definitely near the end of its cycle.
However, support for NT4 is dropped on June 30th, NOT March 26th. They should still support their products with something better than a half-assed work around.
How can we trust that Win 2003 support will end 4 years after its release, and not when they come across a "really difficult" problem that may require some thought and work?
--My other sig is a ferrari.
Who wants to buy an operating system from a company that lets their OSes die before their EOL? I sure wouldn't. The point of an EOL announcement is telling the world that 'as of xx/xx/xx, this product is dead as far as support goes'. Not 'when date xx/xx/xx is nearish, you're SOL'.
But, then, I'm just an admin, what do I know?
Send your friends messages of love at fuck-you.org
Except that the source code to Red Hat 3.0 is publicly available, so a fix could be made by anybody. The problem here is that the only people who could fix NT4 are Microsoft, and they are refusing to do so. Worse, we can only take their word for it that a fix would be nearly impossible.
I'm not a big proponent of open source, but this is a case where there are clear advantages.
--
The internet is the greatest source of biased information in the history of mankind.
Some businesses are reluctant to upgrade because they are running mission critical apps (even on Windows) where changing the OS may force them to go through some sort of lengthy and expensive tests.
I once worked on software running on an archaic version of Unix. The OS was never upgraded because doing so would force them to get the entire system recertified by the FDA (it was a system used in medical diagnostics). As it was, it was a pain to recertify individual programs on this system.
Yet Another Web Site
Of course, Red Hat is also phasing out earlier versions of Red Hat Linux, but due to its open source nature you could get security updates from another source (apt-rpm repositories for instance) or make your own patches. Windows users are forced to rely on Microsoft for timely security updates, which they frequently fail to provide even in recent versions of Windows.
Perhaps they had an analyst estimate the time/effort involved in fixing this issue, and found that it's based on such a fundamental flaw in the very foundation of NT 4.0 that it would take until well past June 30th to code a fix. If that's the case, then they're not actually cutting off the support early.
I dunno. Just a thought.
"You cannot simultaneously prevent and prepare for war." -- Albert Einstein
And some businesses don't want to upgrade because of the cost. Not only would you be looking at licenses, but also hardware upgrades, retraining of IT staff, taking time out to plan an Active Directory implementation and all the testing involved in seeing if your apps run properly in the new environment. For a medium to large sized company that can represent a huge investment in time and money just to stay supported.
"Are you being weird, or sarcastic?" said Emma. I said I didn't know because I get the two feelings mixed up.
(Another) security bug is discovered in Microsoft software, which affects Windows NT 4. It also affects Windows 2000 and Windows XP, which clearly means that the latter two are direct derivatives of NT 4 (which we all already know).
So now Microsoft is refusing to issue a fix for NT 4, arguing that there is no way they could make it so that no other existing apps stop working. But a fix for 2k and XP has already been done. That's because of the great differences between NT 4 and 2k/xp, nonetheless they are based on the same product.
So how come, given that 2k and XP are SO different from NT, they can still run the same apps without needing any modification? How come there is no way to patch an NT4 system so that it can still run the same apps, but they can surely do it on 2k and XP, and the same applications will still run without a problem on the same system?
This is clearly a move from Microsoft to force their customers to either upgrade their NT 4 installations, or else they are left to their own luck. Many people WON'T upgrade their NT 4 because that just works for them, because their hardware is not powerful enough for a 2k/xp system, or because any other reason they can think of.
Windows NT 4 has been on the market for about seven or eight years now (if my memory isn't failing me, it was released almost alongside Win95). This recently discovered vulnerability has been there ever since. What would have happened if someone had discovered it before W2K was released? Would Microsoft still have been unable to release a patch for it because it would break the whole system?
I've seen many posts saying that no one should have port 135 open to the world. That port shouldn't be listening for requests from the whole world in the first place. There is no way you can know which ports that are listening (for some obscure reason, valid for Microsoft of course) represent a threat to the security of the system. Sure, the same could be said (no) about Linux and other systems, but there's always a way to shut them off and not leave the system in a non-working state.
And that's all I have to say about it.
Items for geeks: T-shirts, Linux, books and more
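The story summary's workaround and the post above both come down to one check: is the RPC endpoint mapper on port 135 actually reachable from the network? The script below is an added example, not code from The Register, Microsoft or any poster. It parses the `netstat -an` output format used by Windows NT-family systems and flags any TCP listener or UDP socket on a chosen port that is bound to a wildcard address (`0.0.0.0`, `*` or `[::]`). The netstat text embedded here is constructed sample data; the function and column names are this example's own.

```python
"""Find RPC endpoint-mapper (port 135) sockets bound to every interface in
`netstat -an` output, so an admin can see what the port-135 firewall
workaround has to cover.  Added example; sample input is constructed."""
import re
from typing import Iterable, List, NamedTuple


class Listener(NamedTuple):
    proto: str      # "TCP" or "UDP"
    address: str    # local address as netstat prints it
    port: int


# One row of Windows `netstat -an`: Proto, Local Address, Foreign Address,
# and (for TCP only) State.  Handles both 0.0.0.0:135 and [::]:135 forms.
_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+(?P<state>\S+))?",
    re.IGNORECASE,
)

# Local addresses that mean "every interface", i.e. reachable from the LAN/WAN
# unless a host or network firewall intervenes.
WILDCARD_ADDRESSES = {"0.0.0.0", "*", "[::]"}


def parse_netstat(text: str) -> List[Listener]:
    """Return every listening TCP socket and every bound UDP socket.

    UDP rows carry no state column, so every UDP row counts as bound.
    TCP rows in states other than LISTENING (ESTABLISHED, TIME_WAIT, ...)
    are connections, not services, and are skipped.
    """
    found: List[Listener] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:                      # header lines, blanks, "Active Connections"
            continue
        proto = m.group("proto").upper()
        state = (m.group("state") or "").upper()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append(Listener(proto, m.group("addr"), int(m.group("port"))))
    return found


def exposed_listeners(text: str, ports: Iterable[int] = (135,)) -> List[Listener]:
    """Sockets on the given ports bound to a wildcard address.

    A port-135 service bound only to 127.0.0.1 is not reachable remotely and
    does not need the firewall workaround; one bound to 0.0.0.0 does.
    """
    wanted = set(ports)
    return [
        sock for sock in parse_netstat(text)
        if sock.port in wanted and sock.address in WILDCARD_ADDRESSES
    ]


# Constructed sample in the Windows `netstat -an` layout (not real output).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.9:1044          ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    10.0.0.5:137           *:*
"""


if __name__ == "__main__":
    for sock in exposed_listeners(SAMPLE_NETSTAT):
        print(f"EXPOSED {sock.proto} {sock.address}:{sock.port}")
    if not exposed_listeners(SAMPLE_NETSTAT):
        print("port 135 is not bound to a wildcard address")
```

On a real host, feed the function the output of `netstat -an` and pass any additional ports you care about (for example 139 and 445 for the SMB listeners the same class of hosts usually expose). A wildcard binding reported here is only a problem if nothing upstream blocks it, so pair this with a connection test from a machine on the other side of the firewall rather than trusting the rule alone.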
NT4 came out in September 1996, just three months after Linux 2.0. The last 2.0 version is 2.0.39, which was released January 2001, over two years ago. Both groups have moved on, and aren't willing to spend much effort on the old versions.
If I install a machine with 2.0.39, is there any known big vulnerability? If one was discovered, would there *then* be a 2.0.40? With free software there's not much interest in backporting features, since upgrading to the latest version is free, should you need those features.
Anything that has outlived its time as the mainstream stable branch wouldn't normally be updated except for security fixes, so I expect both 2.0 and 2.2 to have very slow release cycles now. Unlike Windows, where you expect some feature creep (for example DirectX upgrades) without having to pay for an OS upgrade.
Anyway, this isn't really about that either; it's about the EOL date Microsoft has set. What do you think would happen if Red Hat said "Uh, Red Hat 8 is fundamentally flawed, so we won't fix this bug even though it's still under support. Block this service, or upgrade to Red Hat 9, oh, and you'll need a new support contract for that version." Would you find that acceptable?
Kjella
Live today, because you never know what tomorrow brings