Microsoft Refuses To Fix NT 4.0 Exploit
shmigget writes "The Register is reporting that Microsoft is throwing in the towel as far as NT 4 is concerned on the latest security flaw to affect Windows 2000, XP, and NT 4. They quote Microsoft as saying 'The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.'" There still is a workaround for NT 4.0. Instead of patching the problem, it's advised to firewall off port 135 on an affected machine.
Don't they promise to support products for a given amount of years for some enterprise customers? What will happen in these cases?
You have to wonder how long a company can support an operating system. You have to remember that NT was released in the mid-90s, so it's 7+ years old. Microsoft is beginning to put NT4 to end of life, and the people who will really know the code may have left Microsoft or moved on.
I mean, we all go on about how bad MS is, but you can't expect them to support everything forever, can you?
It's their right to do so. I don't see a reason how they are doing something "wrong". It's their product, and they have said they have discontinued it. It's up to the users to find a suitable fix for the system.
Kinda makes one think of benefits of open source; if something like this happens, you can always hire some hacker to fix the hole, wherever it is, for the right amount of money.
Just as there are over 20 million users of Windows 95, there are numerous (I don't know the estimate) users of Windows NT 4... nuff said.
I think events such as this will be another nail in the coffin of MS simply because if they are so unsure of the current capability of NT and its problems due to a complete lack of engineering and proper design then I am betting that many will rightly ask, "has MS really improved with 2000 and the impending 2003 .NET server?"
Then again, I feel no pity for the fools that chose pretty buzz words and software boxes over stable, secure and extensible solutions. That is the price of business. If you choose to pay more for less then don't come crying to the government or anyone else when your infrastructure begins to collapse from its own bloat.
Well, if ZoneAlarm is your bag? ^^ That was kinda a joke, kinda not. After all, the personal firewall edition is very limited (I haven't found a way to block off individual ports, though it may be possible). The Pro edition (or whatever they call it) should adequately handle it, but I'm sure there are better choices that are OS. Can anyone recommend a good OSS firewall that works under WindersXP?
Moving on: I really don't see what the big deal is, so what if MS doesn't patch NT? The only people using NT are businesses that are reluctant or unable to upgrade. And since a firewall is a must for any business that has a link to the outside world (or even on a closed network for that matter, after all, if the workstations are hooked up to the network, it's no longer secure). That being said, any good admin can patch these bugs with their trusty firewall and a few clicks.
Anyway, I'm really looking for a good OSS firewall. So any recommendations would be nice. Thanx!
YOU SUCK BALLS!
This is true. However, as a company, you'd think that MS would feel obligated to support its products until the minute they drop support...which in this case isn't for another couple months. This would be like buying a new TV with a 1 year warranty and bringing it back 11 months into its life for service only to be told, "Sorry, it's just too close to expiration for us to care."
As I type this on my NT box at work (note to self: big HMO's won't spend money on OS upgrades despite making a shitload of money), I wonder how long it'll be until we get slammed by this. It can't be too hard to write up an exploit for this...it is just a jacked RPC anyway, right?
at least in terms of PR.
Microsoft: "Um, we don't want to fix this. But here's the kernel source, so why don't you fix it for us?"
Beady-eyed kernel hacker: "OK!"
It's not such a silly idea with a practically end-of-life'd product; bugs and exploits would get found and fixed and since Microsoft doesn't seem to want to support certain OS changes, we'd do it for them. And it would be a great PR boost. "Microsoft supports freedom to innovate!". Hm.
NT4 came out in September 1996, just three months after Linux 2.0. The last 2.0 version is 2.0.39, which was released January 2001, over two years ago. Both groups have moved on, and aren't willing to spend much effort on the old versions. It's true there are more recent 2.0 pre-patches, but if you're willing to use one of those, simply adding a port to your firewall block list should be cake.
And yes, with Linux, you have the source, so you could fix this yourself, right? Microsoft says this requires large architectural changes. I think any person or group willing to re-architect NT4 or the 2.0 kernel would better spend their time and effort upgrading to a newer OS version.
So, here it is from both angles, the way I see it.
Microsoft do have a point, NT 4.0 *is* 7 years old now (released 1996) and supporting it is probably a major headache for them, at least until June when it reaches end of life (bear in mind that end of life for most software is 5 years). How long can you keep patching software? I guarantee that if they did take the time to patch it many other things would break resulting in the need for more patching and more headaches.
On the other hand, they are still going to get a nasty backlash from the millions (billions?) of people still using NT 4.0. Yes, you can laugh at businesses who haven't moved to 2000 or XP yet but if you are a multinational company who depends on NT facing the huge costs of moving to 2000 it's a big deal.
Microsoft recommends we firewall port 135 - which every network administrator with a brain should already be doing! Unfortunately, good network administrators are in very short supply.
You make a good point. If it is in fact unreasonable effort for MS to support one of their better products, then maybe, just maybe, they could consider releasing the source code for it, so we could support it for ourselves?? Huh?
Yeah, I know, wishful thinking. Makes no sense if most people would rather just pay for an upgrade.
The only problem is that a firewall will only help to block exploits from the outside, but in an academic or in a corporate environment, you are also at risk from being attacked from within the internal network. Think if there was a worm available on the Internet that sits idle on an infected machine and sporadically attacks servers within the same subnet as the machine is configured for... say that an employee's laptop got infected while connected (without protection) to the Internet from home, brought it in, connected it to the corporate network and the worm starts to do its evil job. Unpatched servers would then be at a high risk if they are not protected in some way...
One option is to extend what you said and place the server between two sets of firewalls, or at least on the internal side, use port blockers or packet filters if a full-blown firewall is overkill.
Even that could cause problems because port 135 is quite critical for Windows servers providing file/WINS services.
Who wants to buy an operating system from a company that lets their OSes die before their EOL?
For that matter, who wants to buy an operating system whose security fixes can only be released (or not released, as seen here) by a single company, due to its closed-source nature?
The only fix is to firewall off the server? WTH kind of a fix is that? That's one step away from keeping the network cable unplugged!
How are we to expect objective news from a site that has these types of things?
/.? Seriously, you are out of your flaming gourd to even imagine that /. has any thoughts on the objectivity forefront.
Why in the world are you expecting objective news here on
"Anyway, I'm really looking for a good OSS firewall. So any recommendations would be nice. Thanx!"
Linux: iptables
*bsd: ipfw
Having said that I have a growing dislike of firewalls for the simple reason that they tend to be overused and improperly implemented.
Traffic control is good. Thinking blocked ports or auto firewalling portscanners is going to make your network any more secure is not smart. I've also seen people block potentially insecure ports instead of closing them on the machines. Too often I find firewalls as the justification for the use of insecure crap like Exchange or Lotus Notes.
On the other side, firewalls also tend to be set so strictly that they block legitimate traffic. It's getting common to block all ICMP messages even though they are needed for things like packet size negotiation and error reporting.
ZoneAlarm is a horrid example of an overzealous firewall blocking legitimate traffic and scaring users on the risks of harmless things like ident checks. Leads to fun things like ISPs shutting off servers over complaints from clueless users armed with ZoneAlarm logs.
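The thread's workaround of firewalling port 135, the caveat above that an infected laptop inside the LAN bypasses a perimeter-only rule, and the complaint about sites that block all ICMP, pulled together as an added example that is not from any poster here: a POSIX shell script that emits iptables FORWARD-chain rules for a Linux box routing between the NT 4.0 segment and everything else. The interface-free rules, subnets and log prefix are constructed placeholders, not from Microsoft's advisory.

```shell
#!/bin/sh
# Constructed placeholder values; adjust to the real network layout.
NT_SUBNET="10.0.5.0/24"       # segment holding the unpatched NT 4.0 servers
TRUSTED_SUBNET="10.0.1.0/24"  # hosts that legitimately need the RPC endpoint mapper

# Print the FORWARD-chain rules instead of applying them, so they can be
# reviewed first. Apply as root with:  gen_rules | sh
gen_rules() {
    # Let the ICMP messages needed for path-MTU discovery and error
    # reporting through instead of blocking all ICMP.
    echo "iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT"
    echo "iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT"
    # Port 135 (RPC endpoint mapper): allow only from the trusted subnet,
    # then log (rate-limited) and drop everything else, including traffic
    # from other internal segments, so an infected laptop on the LAN is
    # blocked too, not just hosts on the Internet side.
    for proto in tcp udp; do
        echo "iptables -A FORWARD -p $proto -s $TRUSTED_SUBNET -d $NT_SUBNET --dport 135 -j ACCEPT"
        echo "iptables -A FORWARD -p $proto -d $NT_SUBNET --dport 135 -m limit --limit 5/min -j LOG --log-prefix \"NT4-RPC135-BLOCK \""
        echo "iptables -A FORWARD -p $proto -d $NT_SUBNET --dport 135 -j DROP"
    done
}

# Returns 0 if, for each protocol, the trusted ACCEPT rule precedes the DROP
# rule (iptables matches first rule wins, so the exception must come first);
# returns 1 otherwise.
check_rule_order() {
    gen_rules | grep -- '--dport 135' | awk '
        /-j ACCEPT/ { accept[$0 ~ /-p tcp/ ? "tcp" : "udp"] = NR }
        /-j DROP/   { drop[$0 ~ /-p tcp/ ? "tcp" : "udp"] = NR }
        END { exit (accept["tcp"] < drop["tcp"] && accept["udp"] < drop["udp"]) ? 0 : 1 }'
}

gen_rules
check_rule_order && echo "# rule order OK" >&2
```

This is the same blunt instrument the thread describes, not a fix: the NT 4.0 hosts stay vulnerable to anything on the trusted subnet or to traffic that never crosses the Linux router.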
They should still support their products with something better than a half-assed work around.
Haha, I found that sentence funny.
If you're looking for something better than a "half-assed" work around, why are you using NT4? After the Win9x series, I'd say it's Microsoft's worst product. Windows 2000 replaced it, and is much better.
Borg icon is funny.
Actually, it's not. As a matter of fact, every time I see it I wince then roll my eyes. It's about as subtle as an iron pipe to the head; hell, I can't remember ever finding it even slightly amusing.
Unsupported OSes:
1. Solaris pre 2.6
2. Linux 2.0 kernels
3. Red Hat pre 7
4. OpenBSD 3.0
All of these are a hell of a lot newer than Windows NT 4! Microsoft isn't obligated to support old software forever. Anyone complaining -- tell your execs to start making a real commitment to IT.
My old boss told me a story about a big bank that was using SQL Server, and they were having a problem and couldn't figure it out. Apparently it got so bad that one of the head people of the bank called Microsoft and actually got Bill Gates on the phone. Shortly after, the main guy from the SQL Server group and a team of engineers were on a plane to help solve the problem.
Maybe it's not a true story, but I think that in order to get to the place Microsoft is at, you have to do a little listening to your customers.
If enough big clients complain about this, I'm sure Microsoft will react.
Actually NT was named for a different reason - MS was targeting NT to the Intel i860 (code-named 'N-Ten'), a RISC processor that was oft delayed. That's why it was called NT, because it worked on the N-Ten. Marketing later said it stood for "New Technology"... (post dev). You can read about it here:
http://www.winsupersite.com/reviews/winserver2k3_gold1.asp
(Enter Frodo) I will deliver the patch for this exploit to Redmond... though I do not know the way.
Good riddance you piece of shit with your stompable system32 DLLs and your weak device driver signing requirements. Windows 2000+ is so much better than this relic. I know, I know, gimme a break.
Sadly, the glacial pace of the financial service industry's adoption of new technology has left many with this outdated OS. Poor programming techniques (mfc42.dll stomp DLL hell make me wanna pull out my short hairs) combined with upper-management risk aversion has led to upgrade paralysis at some companies.
I'm not advocating that everyone immediately accepts everything coming out of Microsoft's pipeline (if they make a bank-based "agile business" ad I'm gonna puke).
All I'm saying is NT has been hacked to shit. Let it go. Anything that doesn't comply w/ 2000+ should be rewritten/reinstalled/replaced.
DO YOU HEAR ME?!?! YOU GRAY-HAIRED STUFFED SHIRTS IN YOUR CORNER OFFICES! GET A CLUE!
Sorry for the rant. I know many of you are thinking...."Go Linux" or "Thin client". Good fucking luck with a PHB that can't even navigate his own "Start" menu, never mind comprehend the benefits of modern offerings.
"HVAC systems get old and become unsupportable, phone systems get old and become unsupportable, OSs get old and become unsupportable. Businesses understand that infrastructure doesn't last forever. Why all the shock here?"
Because HVAC systems, for example, get old and become unsupportable by wearing out. Through daily operation they become no longer able to do what they once did. This does not happen to OSes; the IBM 1620 monitor still does everything it did on the day it was released, if you can find a 1620 in running condition. 1,000,000 years from today, MS Windows v1 would still function as it always did if someone would provide hardware it can run on.
OSes "become unsupportable" because the vendors get tired of servicing the stuff they sold and would rather play with shiny new stuff (which earns bigger margins). "Unsupportable" actually means "we don't feel like meeting the needs of our customers anymore, unless they pay for our latest innovations whether they want them or not."
I'm always wary of saying, "we *cannot* do so-and-so". In software that's usually malarkey; we *can* do that but you won't like the cost. So, be honest and say that, instead of pretending that something is impossible when it clearly is not. "We can fix NT4 for you, but it will cost you $1 million" is honest and at the same time will deter just about anyone pressing for a fix. And if some customer is really ready to pony up $1 million to fix an 8-year-old system, take the $1 million and deliver the fix. Congratulations: you just found a million bucks in unanticipated revenue!