Slashdot Mirror
Microsoft Refuses To Fix NT 4.0 Exploit
shmigget writes "The Register is reporting that Microsoft is throwing in the towel as far as NT 4 is concerned on the latest security flaw to affect Windows 2000, XP, and NT 4. They quote Microsoft as saying 'The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.'" There still is a workaround for NT 4.0. Instead of patching the problem, it's advised to firewall off port 135 on an affected machine.
So in effect, ZoneAlarm could be considered as a patch for this problem??
I like the Bill "Borg" icon better than this icon
No, I don't like it... but support for NT4 is dropped at 30 june 2003 and that's not really far away.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Don't they promise to support products for a given amount of years for some enterprise customers? What will happen in these cases?
It seems strange on the surface for them to admit that their product is 'unfixable,' but really, doesn't it make sense as an upgrade-inducer? Granted that in a more competitive market people would be put off by this, but some people don't regard the other choices with which we are so familiar as acceptable options, leaving them sending their checks to Redmond no matter.
Then again, people still buy new models of cars which have had huge saftey problems in the past, even though other choices are availble; perhaps the real phenomenon is that marketing is sometimes more powerful than good judgement.
You have to wonder how long a company can support an operating system. You have to remember that NT was released in the the mid-90s so its 7+ years old. Microsoft is beginning to put NT4 to end of life and that the people who will really know the code may of left Microsoft or moved on.
I'm mean we all go on about how bad MS is but you can expect them to support everything forever can you?
Rus
Cheap UK and US VPS
I was going to say they had stopped supporting NT4 anyway so were within their rights, but I looked it up and it appears they are providing NT4 hotfixes until the end of 2004. Either way, a service pack or something equally dramatic for one flaw I think is overkill and blocking port 135 on a firewall is a better option.
It's their right to do so. I don't see a reason how they are doing something "wrong". It's their product, and they have said they have discontinued it. It's up to the users to find a suitable fix for the system.
Kinda makes one think of benefits of open source; if something like this happens, you can always hire some hacker to fix the hole, wherever it is, for the right amount of money.
Save your wrists today - switch to Dvorak
What other operating systems from back then are still "supported" now ?
Solaris 2.6 maybe ? (Rapidly approaching EOL/EOS)
What else ?
Point is: NT4 is so old (and so BS), I can see why they want it to die (apart from the reason that they want to sell the new OSs)
Windows 2000 - from the guys who brought us edlin
say in 97/98/whatever they would of just looked at it and said "well darn...an NT4 bug that just can not be fixed"?
What's sad is that there is a 2k/XP fix...and I bet an NT fix would not be that hard considering they are quite similar OS's.
They're not saying (publicly, anyway), "hah, we're not supporting this ancient operating system any more, go away."
The article quotes them saying they can't fix it, there's too much stuff to do.
Using your firewall to block port 135 is fine, unless you actually need RPC for something useful. In that case, I'd say that a firewall that discards all malformed packets (more complicated) is in order. Or an upgrade to Win2K. After all, it's been out for, what, 4 years now?
Get off my launchpad!
After running this through the honesty filter, we come out with:
"Windows is fundamentally insecure. Suck it up."
Gotta love the honesty.
-Waldo Jaquith
You're kidding, right? The clients I work with are predominantly NT based because the of the license/security issues surrounding Microsoft and they don't want to be lead deeper into the licensing pit that is Microsoft. Granted, NT is very old, but if you have to pay that much for an NT server license, you're going to want to get your moneys worth for it (if that's at all possible).
Ve haf ways of making you upgrade, ya!?!
- - -
"The sixth sick shiek's sixth sheep's sick."
"Windows XP Professional is built upon the rock-solid reliability of Windows NT technology, the architechture that is so fundamentally limited that it does not support the changes required to remove significant vulnerabilities."
Doesn't have quite the same ring to it.
- JoeShmoe
.
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
Dropping 2000 for XP server? Oh wait there is no XP server... Maybe the people you are talking about don't use severs? Don't get me wrong I would like to see more people consider dropping Windows 2000 servers, they would be switching to UNIX, or LINUX 90% of the time if they did.
Insert pithy comment here.
All Microsoft-bashing aside, does anyone else see something majorly wrong when it's impossible to fix a fairly serious exploit due to architecture limitations in the OS??
They're basically saying that they can't fix it because the OS makes it impossible to do so. Not because it's inherent in some protocol, or because it is a natural effect of some kind of desired behavior or something, but because the OS DOESN'T SUPPORT IT?????
That's just wrong.
You're working yourself up here... Consider this like Red Hat refusing to patch up Red Hat 3.0 with the latest security fixes.
It's bad news here at work though, we still use NT. No need for an upgrade with all the hassle it brings, we get the development work done just fine. It makes excellent economic sense to skip a few Windows-versions for big businesses. It's just a huge hassle and economic drain to switch to newer versions when what you've got is working.
What should upset us is that Microsoft is refusing to support NT, when they've still committed to supporting the platform..
However, if a work-around is good enough, then it's good enough. This ain't rocket science, it's IT. IT is quite stupid and non-academic unfortunately.
http://www.debunkingskeptics.com/
I'm confused at that - those keys aren't even next to each other - how could that typo have existed? Maybe a Dvorak?
Or is it a bizarre acronym? Back-Exploit, 'cause its an old software version?
Plus, why are people so irksome in not upgrading to ever newer and more expensive operating systems like they're supposed to? Constantly forcing Microsoft to keep looking back over legacy code. It's ugly, dirty and scary back there, not like in candy XP land.
See above.
You think that I'm crazy, you should see this guy!
NT4: I'm not dead yet.
..and on and on.
Microsoft: Yes you are, you just don't know it.
NT4: Really, I'm very much alive.
Microsoft: No, you're very sick and could give over any minute now.
(I'm so ashamed I can't recall that conversation verbatum...
Getting old, I suppose.)
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
at least in terms of PR.
Microsoft: "Um, we don't want to fix this. But here's the kernel source, so why don't you fix it for us?"
Beady-eyed kernel hacker: "OK!"
It's not such a silly idea with a practically end-of-life'd product; bugs and exploits would get found and fixed and since Microsoft doesn't seem to want to support certain OS changes, we'd do it for them. And it would be a great PR boost. "Microsoft supports freedom to innovate!". Hm.
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
NT4 came out in September 1996, just three months after Linux 2.0. The last 2.0 version is 2.0.39, which was released January 2001, over two years ago. Both groups have moved on, and aren't willing to spend much effort on the old versions. It's true there are more recent 2.0 pre-patches, but if you're willing to use one of those, simply adding a port to your firewall block list should be cake.
And yes, with Linux, you have the source, so you could fix this yourself, right? Microsoft says this requires a large architectural changes. I think any person or group willing to re-architect NT4 or the 2.0 kernel would better spend their time and effort upgrading to a newer OS version.
Instead of patching the problem, format the hard drive and use someone's OS who actually fixes security problems next time.
I work currently at a large bank part of the Fortis Group that is entirely based on NT4. As a developper I have a kick-ass new machine, complete with XP sticker on it but it runs NT4.
Mission before that was a local insurance company, also completely NT4 based though left and right Win2000Pro is popping up.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
So, here it is from both angles, the way I see it.
Microsoft do have a point, NT 4.0 *is* 7 years old now (released 1996) and supporting it is probably a major headache for them, at least until June when it reaches end of life (bear in mind that end of life for most software is 5 years). How long can you keep patching software? I guarantee that if they did take the time to patch it many other things would break resulting in the need for more patching and more headaches.
On the other hand, they are still going to get a nasty backlash from the millions (billions?) of people still using NT 4.0. Yes, you can laugh at businesses who haven't moved to 2000 or XP yet but if you are a multinational company who depends on NT facing the huge costs of moving to 2000 it's a big deal.
Microsoft recommends we firewal port 135 - which every network administrator with a brain should already be doing! Unfortunately, good network administrators are in very short supply.
Except that the source code to Red Hat 3.0 is publicly available, so a fix could be made by anybody. The problem here is that the only people who could fix NT4 is Microsoft and they are refusing to do so. Worse, we can only take their word for it that a fix would be nearly impossible.
I'm not a big proponent of open source, but this is a case where there are clear advantages.
--
The internet is the greatest source of biased information in the history of mankind.
Way to go MS. Take the port used by the DCE endpoint mapper, use it in your own broken, buggy, and insecure version of DCE RPC (also known as DCOM), then refuse to fix it.
My University uses DCE all over the place, from a financial application to the distributed filesystem. Now people are going to start blocking this port (135) to protect against then start complaining when some of the applications they use and their file system access stops working.
Finkployd
You make a good point. If it is infact unreasonable effort for MS to support one of their better products, then maybe, just maybe, the could consider releasing the source code for it, so we could support it for ourselves?? Huh?
Yeah, I know, wishful thinking. Makes no sense if most people would rather just pay for an upgrade.
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
If you have a sun, you will be provided with software with all the fixes free of charge. A friend of mine bought a nice ultraspark on Ebay a while back and he was provided with all that he needed.
If you simply have a 486, all the BSD and Linux distro you want, with all the fixes, are available under the same terms from way back.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Dave Aitel
And here
Trolls lurk everywhere. Mod them down.
Of course, Red Hat is also phasing out earlier versions of Red Hat Linux, but due to its open source nature you could get security updates from another source (apt-rpm repositories for instance) or make your own patches. Windows users are forced to rely on Microsoft for timely security updates, which they frequently fail to provide even in recent versions of Windows.
Unsupported OSes;
1. Solaris pre 2.6
2. Linux 2.0 kernels
3. Red Hat pre 7
4. OpenBSD 3.0
All of these are a hell of a lot newer than Windows NT 4! Microsoft isn't obligated to support old software forever. Anyone complaining -- tell your execs to start making a real commitment to IT.
It's not like Microsoft stopped selling the NT4 product six years ago - in fact, it is still currently sold in the VAR channel. In some sense Microsoft is failing to supply security hotfix support for a product that they are still selling. That is not very good support.
As a matter of fact RedHat 6.2 is still being supported, but not for much longer.
I imagine that you could easily hire somebody to support it for you, which would be quite feasible due to the availability of source code. You aren't tied to the original vendor for fixes as with Microsoft.
Or if you didn't want to go that route with RedHat, you could always upgrade - RadHat ISOs are available for free download, and you should be able to upgrade from 6.2 up through 8.0 using the standard installer.
only people using NT are businesses that are reluctant or unable to upgrade.
Je, I remember too when I was a student and thought that to upgrade software all you needed was to buy the thing and then run a wizard.
Unfortunately, this is not the case for most systems. Upgrading takes much time and puts strain on IT staff to get the monster running on schedule. Last time I upgraded the CEO of the company walked in on me during a sunday to see if the systems would be ready to run on Monday. Must I say more?
My other OS is the MCP!
If you want to quickly turn an old box into a dedicated and very secure firewall, then Smoothwall and a fork of it, IPCop are fine GPL examples. Smoothwall also sells a non-GPL version of their firewall with extra custom functions, but the basic Smoothwall is still GPL.
Both of the above support a load of network cards, and even USB-based ADSL (like the Speedtouch) right out of the box and are an absolute cinch to get running, even if you only have limited networking knowledge. They also provide a simple but powerful browser interface for administration (port forwarding, dyndns registration, squid caching web proxy, etc.).
If you want to add a firewall to an exising Linux box, then a good recommendation is ShoreWall which I've just recently set up on a Mandrake box and been very pleased with. It uses the kernel's Netfilter (iptables) support to do its thing, and is the best option if you want a multi-function firewall/router, etc., since both smoothwall/ipcop are designed to be more restrictive 'all in one' firewall distros where it can get tricky to do things like recompile the kernel without it breaking. Smoothwall and IPCop do provide regular security patches which are very easy to install via the browser admin interface (which even warns you when new ones have become available).
Smoothwall are usually a little quicker than IPCop at getting new patches out. Shorewall is a standalone firewall so it's up to you to keep the other apps updated.
rm -rf / is the evil of all root
More like :
Sorry, but due to the design limitation of your 1965 Ford, we are unable to retrofit your car to fix a recently-found problem in the braking system. Third-party companies may provide small fixes that can help alleviate (but not completely fix) the problem. This problem is not present in our current line of products.
Windows NT 4.0 hit end-of-life back on December 31, 2002. An IT department should know that commercial software companies, MS included, routinely EOL software and drop support for them. A 7-year-old OS is going to have moth holes in it. If your company cares about security, upgrade to something more modern and (theoretically) secure. If you can't afford it, then evaluate migrating to OSS solutions. If you can't afford that, well, you're in big trouble.
MS makes it clear on their Product Life Cycle pages what support they plan to give for all products. Anyone caught surprised by this probably shouldn't be making IT decisions for an organization any larger than 1.
The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture, Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected. The product of such a rearchitecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system.
Sure it's idiotic that their system couldn't handle a patch. But if that's how it is, then it's a good thing they made their more recent versions dynamic enough to be fixable!
Any sufficiently simple magic can be passed off as mere advanced technology.
*nix RPC runs on port 111. If I don't intend to have outside computers log in and run apps on my linux machine remotely, I shut down RPC, and uninstall it too, as well as blocking *ALL* privileged ports (0..1023) with iptables. It's bad enough that Windows comes with unnecessary stuff enabled. But when *YOU CAN'T TURN IT OFF*, something is drastically wrong.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Actually NT was named for a different reason - MS was targeting NT to the Intel i860 (code-named 'N-Ten)', a RISC processor that was oft delayed. That's why it was called NT, because it worked on the 'N-Ten. Marketing later said it stood for "New Technology" . . .(post dev). You can read about it here:
http://www.winsupersite.com/reviews/winserver2k3_g old1.asp
.though I do not know the way.
(Enter Frodo) I will deliver the patch for this exploit to Redmond . .
This is just part of their plan to force people make costly upgrades.
social sciences can never use experience to verify their statemen
(Another) security bug is discovered on Microsoft software, which affects Windows NT 4. It also affectes Windows 2000 and Windows XP, which clearly means that the later two are direct derivates of NT 4 (which we all already know).
So now Microsoft is refusing to issue a fix for NT 4, arguing that there is no way they could make it so that no other existing apps stop working. But a fix for 2k and XP has already been done. That's because of the great differences between NT 4 and 2k/xp, nonetheless they are based on the same product.
So how come that, being 2k and xp SO different from NT, that they can still run the same apps without needing any modification? How come there is no way to patch a NT4 system so that it can still run the same apps but they can surely do it over 2k and XP, and the same applications will still run without a problem over the same system.
This is clearly a move from Microsoft to force their customers to either upgrade their NT 4 installations, or else they are left to their own luck. Many people WON'T upgrade their NT 4 because that just works for them, because their hardware is not powerful enough for a 2k/xp system, or because any other reason they can think of.
Windows NT 4 has been in the market for about seven or eight years now (if my memory isn't failing it was released almos alongside with Win95). This recently discovered vulnerability has always been there since then. What would have happened if someone discovered before w2k was released? Would still Microsoft be unable to release a patch for it because it would break the whole system down?
I've seen many posts saying that noone should have port 135 open to the world. That port shouldn't be listening for request from the whole world, in the first place. There is no way you can know which ports that (for some obscure reason, valid for Microsoft of course) are listening represents a threat to the security of the system. Sure, the same could be said (no) about Linux and other systems, but there's always a way to shut them off and not let the system in a non working state.
And that's all I have to say about it.
Articulos para gente geek: Poleras, linux, libros y mas
Good riddance you piece of shit with your stompable system32 DLLs and your weak device driver signing requirements. Windows 2000 + is so much better than this relic. I know, I know, ginne a break
Sadly, the glacial pace of the financial service industry's adoption of new technology has left many with this outdated OS. Poor programming techniques (mfc42.dll stomp DLL hell make me wanna pull out my short hairs) combined with upper-mangement risk aversion has led to upgrade paralysis at some companies.
I'm not advocating that everyone immediatley accepts everything comming out of Microsoft's pipeline (if they make a bank-based "agile business" ad i'm gonna puke).
All I'm saying is NT has be hacked to shit. Let it go. Anything that doesn't comply w/ 2000+ should be rewritten/reinstalled/replaced.
DO YOU HEAR ME?!?! YOU GRAY-HAIRED STUFFED SHIRTS IN YOUR CORNER OFFICES! GET A CLUE!
Sorry for the rant. I know many of you are thinking...."Go Linux" or "Thin client". Go0d fucking luck with PHB that can't even navigate his own "Start" menu, nevermind the comprehend the benefits of modern offerings.
No way to tell if it's really "impossible" to do it, or just "nobody in MS team can see a way to do it" (I'm not going to suggest that MS isn't interested in keeping NT4 useable in order to drive people to upgrade and pay more $$; however I do find it interesting that they've refused to roll up all their post SP6a + SRP patches into one easy-to-apply package). MS does not have a monopoly on smart people. It does have a monopoly on the source code... Anyone wonder if the source was available someone would have piped up and said "no, you CAN fix it by ..." ?
NT4 came out in September 1996, just three months after Linux 2.0. The last 2.0 version is 2.0.39, which was released January 2001, over two years ago. Both groups have moved on, and aren't willing to spend much effort on the old versions.
If I install a machine with 2.0.39, is there any known big vunerability? If one was discovered would there *then* be a 2.0.40? With free software there's not much interest in backporting features, since upgrading to the latest version is free, should you need those features.
Anything that has outlived it's time as the mainstream stable branch wouldn't normally be updated except for security fixes, so I expect both 2.0 and 2.2 to have very slow release cycles now. Unlike Windows, where you expect some feature creep (for example DirectX upgrades) without having to pay for an OS upgrade.
Anyway, this isn't really about that either, but it's about the EOL date Microsoft has set. What do you think would happen if RedHat said "Uh RedHat 8 is fundamentally flawed, so we won't fix this bug even though its still under support. Block this service, or upgrade to RedHat 9, oh and you'll need a new support contract for that version." Would you find that acceptable?
Kjella
Live today, because you never know what tomorrow brings
Quite frankly, Windows NT 4 is why spaghetti coding is BAD. Earlier operating systems created by Microsoft show lack of focused planning and eagerness to create something new. I supposed the debugging/patching team finally had the last straw and had subsequent OSes built with more stable kernels. Developers: Always comment your code and begin coding with a well-thought out plan. Even with RAD, know what your doing before you start!
I remember the days of the antitrust suit against Microsoft... it was because everything was too integrated. Microsoft swore up and down that their severe integration was good. You decide that for yourself - especially in light of the current situation.
Although you may think I am simply another Linux proponent, I do not believe that a flaw would be simply unfixable with Linux. Distributions are highly modular, and although spaghetti code is inevitable, it is minimal in the Linux kernel and important services - namely because hundreds, perhaps thousands of developers contribute and sloppy base code is not an option. In no way am I saying Linux is for grandmas, however I would never entrust my business/server to Windows. It simply seems imprudent.
See my journal, I write things there