Slashdot Mirror


Microsoft Refuses To Fix NT 4.0 Exploit

shmigget writes "The Register is reporting that Microsoft is throwing in the towel as far as NT 4 is concerned on the latest security flaw to affect Windows 2000, XP, and NT 4. They quote Microsoft as saying 'The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.'" There still is a workaround for NT 4.0. Instead of patching the problem, it's advised to firewall off port 135 on an affected machine.

11 of 664 comments

  1. What about Microsoft's SLA's? by leerpm · · Score: 4, Interesting

    Don't they promise to support products for a given amount of years for some enterprise customers? What will happen in these cases?

  2. End of Life by rf0 · · Score: 3, Interesting

    You have to wonder how long a company can support an operating system. You have to remember that NT was released in the mid-90s so it's 7+ years old. Microsoft is beginning to put NT4 to end of life and that the people who will really know the code may have left Microsoft or moved on.

    I mean, we all go on about how bad MS is, but you can't expect them to support everything forever, can you?

    Rus

  3. It's ok by ultrabot · · Score: 3, Interesting

    It's their right to do so. I don't see a reason how they are doing something "wrong". It's their product, and they have said they have discontinued it. It's up to the users to find a suitable fix for the system.

    Kinda makes one think of benefits of open source; if something like this happens, you can always hire some hacker to fix the hole, wherever it is, for the right amount of money.

    --
    Save your wrists today - switch to Dvorak
  4. Re:ZoneAlarm by deadsaijinx* · · Score: 3, Interesting

    Well, if ZoneAlarm is your bag? ^^ That was kinda a joke, kinda not. After all, the personal firewall edition is very limited (I haven't found a way to block off individual ports, though it may be possible). The Pro edition (or whatever they call it) should adequately handle it, but I'm sure there are better choices that are OS. Can anyone recommend a good OSS firewall that works under WindersXP?

    Moving on: I really don't see what the big deal is, so what if MS doesn't patch NT? The only people using NT are businesses that are reluctant or unable to upgrade. And since a firewall is a must for any business that has a link to the outside world (or even on a closed network for that matter, after all, if the workstation's hooked up to the network, it's no longer secure). That being said, any good admin can patch this bug with their trusty firewall and a few clicks.

    Anyway, I'm really looking for a good OSS firewall. So any recommendations would be nice. Thanx!

    --
    YOU SUCK BALLS!
  5. Good opportunity to test open/shared source... by AEton · · Score: 4, Interesting

    at least in terms of PR.
    Microsoft: "Um, we don't want to fix this. But here's the kernel source, so why don't you fix it for us?"
    Beady-eyed kernel hacker: "OK!"
    It's not such a silly idea with a practically end-of-life'd product; bugs and exploits would get found and fixed and since Microsoft doesn't seem to want to support certain OS changes, we'd do it for them. And it would be a great PR boost. "Microsoft supports freedom to innovate!". Hm.

    --
    We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
  6. NT4 is as old as Linux 2.0.0 by MagPulse · · Score: 3, Interesting

    NT4 came out in September 1996, just three months after Linux 2.0. The last 2.0 version is 2.0.39, which was released January 2001, over two years ago. Both groups have moved on, and aren't willing to spend much effort on the old versions. It's true there are more recent 2.0 pre-patches, but if you're willing to use one of those, simply adding a port to your firewall block list should be cake.

    And yes, with Linux, you have the source, so you could fix this yourself, right? Microsoft says this requires large architectural changes. I think any person or group willing to re-architect NT4 or the 2.0 kernel would better spend their time and effort upgrading to a newer OS version.

  7. Re:No surprise by zbuffered · · Score: 4, Interesting

    Who wants to buy an operating system from a company that lets their OSes die before their EOL?

    For that matter, who wants to buy an operating system whose security fixes can only be released (or not released, as seen here) by a single company, due to its closed-source nature?

    The only fix is to firewall off the server? WTH kind of a fix is that? That's one step away from keeping the network cable unplugged!

    --
    Synergy is your friend
  8. Re:Borg icon by cymen · · Score: 4, Interesting

    How are we to expect objective news from a site that has these types of things?

    Why in the world are you expecting objective news here on /.? Seriously, you are out of your flaming gourd to even imagine that /. has any thoughts on the objectivity forefront.

  9. Re:ZoneAlarm by gmack · · Score: 4, Interesting

    "Anyway, I'm really looking for a good OSS firewall. So any recommendations would be nice. Thanx!"

    Linux: iptables
    *bsd: ipfw

    Having said that I have a growing dislike of firewalls for the simple reason that they tend to be overused and improperly implemented.

    Traffic control is good. Thinking blocked ports or auto firewalling portscanners is going to make your network any more secure is not smart. I've also seen people block potentially insecure ports instead of closing them on the machines. Too often I find firewalls as the justification for the use of insecure crap like Exchange or Lotus Notes.

    On the other side firewalls also tend to be set so strictly that they block legitimate traffic. It's getting common to block all ICMP messages even though they are needed for things like packet size negotiation and error reporting.

    ZoneAlarm is a horrid example of an overzealous firewall blocking legitimate traffic and scaring users on the risks of harmless things like ident checks. Leads to fun things like ISPs shutting off servers over complaints from clueless users armed with Zone Alarm logs.

  10. Re:MS is right... and wrong. by pmz · · Score: 3, Interesting

    NT 4.0 *is* 7 years old now (released 1996) and supporting it is probably a major headache for them, at least until June when it reaches end of life (bear in mind that end of life for most software is 5 years).

    I'm always surprised in how much volatility we've come to tolerate in software. In other industries, the customers would be fleeing in hordes.

    I take all this as just more evidence that the software industry won't reach maturity for at least several more decades.

  11. Re:ZoneAlarm by mwood · · Score: 4, Interesting

    "HVAC systems get old and become unsupportable, phone systems get old and become unsupportable, OSs get old and become unsupportable. Businesses understand that infrastructure doesn't last forever. Why all the shock here?"

    Because HVAC systems, for example, get old and become unsupportable by wearing out. Through daily operation they become no longer able to do what they once did. This does not happen to OSes; the IBM 1620 monitor still does everything it did on the day it was released, if you can find a 1620 in running condition. 1,000,000 years from today, MS Windows v1 would still function as it always did if someone would provide hardware it can run on.

    OSes "become unsupportable" because the vendors get tired of servicing the stuff they sold and would rather play with shiny new stuff (which earns bigger margins). "Unsupportable" actually means "we don't feel like meeting the needs of our customers anymore, unless they pay for our latest innovations whether they want them or not."

    I'm always wary of saying, "we *cannot* do so-and-so". In software that's usually malarkey; we *can* do that but you won't like the cost. So, be honest and say that, instead of pretending that something is impossible when it clearly is not. "We can fix NT4 for you, but it will cost you $1 million" is honest and at the same time will deter just about anyone pressing for a fix. And if some customer is really ready to pony up $1 million to fix an 8-year-old system, take the $1 million and deliver the fix. Congratulations: you just found a million bucks in unanticipated revenue!