Microsoft Refuses To Fix NT 4.0 Exploit

← Back to Stories (view on slashdot.org)

Microsoft Refuses To Fix NT 4.0 Exploit

Posted by CowboyNeal on Thursday March 27, 2003 @07:38AM from the no-visible-means-of-support dept.

shmigget writes "The Register is reporting that Microsoft is throwing in the towel as far as NT 4 is concerned on the latest security flaw to affect Windows 2000, XP, and NT 4. They quote Microsoft as saying 'The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.'" There still is a workaround for NT 4.0. Instead of patching the problem, it's advised to firewall off port 135 on an affected machine.

30 of 664 comments (clear)

Min score:

Reason:

Sort:

ZoneAlarm by yycs · 2003-03-27 07:40 · Score: 5, Funny

So in effect, ZoneAlarm could be considered as a patch for this problem??
1. Re:ZoneAlarm by gmack · 2003-03-27 08:30 · Score: 4, Interesting
  
  "Anyway, I'm really looking for a good OSS firewall. So any recommendations would be nice. Thanx!"
  
  Linux: iptables
  *bsd: ipfw
  
  Having said that I have a growing dislike of firewalls for the simple reason that they tend to be overused and improperly implemented.
  
  Traffic control is good. Thinking blocked ports or auto firewalling portscanners is going to make your network any more secure is not smart. I've also seen people block potentially insecure ports instead of closing them on the machines. Too often I find firewalls as the justification for the use of insecure crap like Exchange or Lotus Notes.
  
  On the other side firewalls also tend to be set so strictly that they block legitimate traffic. It's getting comon to Block all ICMP messages even though they are needed for things like packet size negotiation and error reporting.
  
  ZoneAlarm is a horrid example of an overzelous firewall blocking legitemate traffic and scaring users on the risks of harmless things like ident checks. Leads to fun things like ISPS shutting off servers over complaints from cluless users armed with Zone Alarm logs.
2. Re:ZoneAlarm by foistboinder · 2003-03-27 08:46 · Score: 4, Insightful
  
  Moving on: I really don't see what the big deal is, so what if MS doesn't patch NT? The only people using NT are businesses that are reluctant or unable to upgrade.
  Some businesses are reluctant to upgrade because they are running mission critical apps (even on Windows) where changing the OS may force them to go through some sort of lengthy and expensive tests.
  
  I once worked on software running on an archaic version of Unix. The OS was never upraged because doing so would force them to get the entire system recertified by the FDA (it was a system used in medical diagnostics). As it was, it was a pain to recertify individual programs on this system.
  
  --
  Yet Another Web Site
3. Re:ZoneAlarm by $rtbl_this · 2003-03-27 10:50 · Score: 4, Insightful
  
  And some businesses don't want to upgrade because of the cost. Not only would you be looking at licenses, but also hardware upgrades, retraining of IT staff, taking time out to plan an Active Directory implementation and all the testing involved in seeing if your apps run properly in the new environment. For a medium to large sized company that can represent a huge investment in time and money just to stay supported.
  
  --
  "Are you being weird, or sarcastic?" said Emma. I said I didn't know because I get the two feelings mixed up.
4. Re:ZoneAlarm by mwood · 2003-03-28 03:04 · Score: 4, Interesting
  
  "HVAC systems get old and become unsupportable, phone systems get old and become unsupportable, OSs get old and become unsupportable. Businesses understand that infrastructure doesn't last forever. Why all the shock here?"
  
  Because HVAC systems, for example, get old and become unsupportable by wearing out. Through daily operation they become no longer able to do what they once did. This does not happen to OSes; the IBM 1620 monitor still does everything it did on the day it was released, if you can find a 1620 in running condition. 1,000,000 years from today, MS Windows v1 would still function as it always did if someone would provide hardware it can run on.
  
  OSes "become unsupportable" because the vendors get tired of servicing the stuff they sold and would rather play with shiny new stuff (which earns bigger margins). "Unsupportable" actually means "we don't feel like meeting the needs of our customers anymore, unless they pay for our latest innovations whether they want them or not."
  
  I'm always wary of saying, "we *cannot* do soandso". In software that's usually malarkey; we *can* do that but you won't like the cost. So, be honest and say that, instead of pretending that something is impossible when it clearly is not. "We can fix NT4 for you, but it will cost you $1 million" is honest and at the same time will deter just about anyone pressing for a fix. And if some customer is really ready to pony up $1 million to fix an 8-year-old system, take the $1 million and deliver the fix. Congratulations: you just found a million bucks in unanticipated revenue!
No surprise by jawtheshark · 2003-03-27 07:41 · Score: 5, Informative

I mean, NT4 is close to it's end of life .
No, I don't like it... but support for NT4 is dropped at 30 june 2003 and that's not really far away.

--
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
1. Re:No surprise by MyPantsAreOnFire! · 2003-03-27 07:49 · Score: 5, Insightful
  
  Very true. I agree that all products have their lifecycles, and NT 4 is most definitely near the end of its cycle.
  
  However, support for NT4 is dropped on June 30th, NOT March 26th. They should still support their products with something better than a half-assed work around.
  
  How can we trust that Win 2003 support will end 4 years after its release, and not when they come across a "really difficult" problem that may require some thought and work?
  
  --
  --My other sig is a ferrari.
2. Re:No surprise by questionlp · 2003-03-27 07:49 · Score: 5, Informative
  
  That maybe the case for NT 4.0 Workstation, but NT 4.0 Server has a different EOL/End of Support timeline (according to Microsoft):
  http://www.microsoft.com/ntserver/ProductInfo/Avai lability/Retiring.asp
  The key part of that page is:
  January 1, 2005 Beginning on this date, Pay-per-incident and Premier support will no longer be available. This includes security hotfixes.
  On the page that you linked to, the end date for System Builder (ie: OEM) availability for NT 4.0 Workstation is 30 June 2003 whereas the end date for online support is 30 June 2004.
3. Re:No surprise by questionlp · 2003-03-27 07:51 · Score: 5, Informative
  
  Whoops... forgot to paste another part of that page:
  
  January 1, 2004 Beginning on this date, non-security hotfixes are no longer available.
  
  Considering that this is a security vulnerability that they are talking about, Microsoft needs to look at what they committed to their customers in that timeline and better get a fix out ASAP!
4. Re:No surprise by boinger · 2003-03-27 07:52 · Score: 4, Insightful
  
  "Close to end-of-life" is not "end-of-life". I'm sure some of their enterprise-level customers (banks, for instance) where "just upgrade the server" isn't an option will have some very favorable (meaning bad for Microsoft) spending decisions next time around.
  Who wants to buy an operating system from a company that lets their OSes die before their EOL? I sure wouldn't. The point of an EOL announcement is telling the world that 'as of xx/xx/xx, this product is dead as far as support goes'. Not 'when date xx/xx/xx is nearish, you're SOL'.
  But, then, I'm just an admin, what do I know?
  
  --
  Send your friends messages of love at fuck-you.org
5. Re:No surprise by zbuffered · 2003-03-27 08:25 · Score: 4, Interesting
  
  Who wants to buy an operating system from a company that lets their OSes die before their EOL?
  
  For that matter, who wants to buy an operating system whose security fixes can only be released(or not released, as seen here) by a single company, due to it's closed-source nature?
  
  The only fix is to firewall off the server? WTH kind of a fix is that? That's one step away from keeping the network cable unplugged!
  
  --
  Synergy is your friend
6. Re:No surprise by dsplat · 2003-03-27 08:26 · Score: 4, Funny
  
  Considering that this is a security vulnerability that they are talking about, Microsoft needs to look at what they committed to their customers in that timeline and better get a fix out ASAP!
  
  Didn't you read the EULA? It specifically said, "This product is supplied without any warrantee for any use whatsoever. Even as a high tech coaster in an oversized box. If the media is damaged, we will replace it with undamaged media, which we also don't guarantee has any usable software on it, within 90 days of the purchase date. Do not use in the presence of electric current. If cough persists, discontinue use."
  
  --
  The net will not be what we demand, but what we make it. Build it well.
7. Re:No surprise by Frymaster · 2003-03-27 09:21 · Score: 4, Funny
  
  After the Win9x series, I'd say it's Microsoft's worst product.
  oh, you are so forgetting microsoft bob.
  
  --
  2 1337 4 u!
What about Microsoft's SLA's? by leerpm · 2003-03-27 07:42 · Score: 4, Interesting

Don't they promise to support products for a given amount of years for some enterprise customers? What will happen in these cases?
Seems strange but... by mlknowle · 2003-03-27 07:42 · Score: 4, Insightful

It seems strange on the surface for them to admit that their product is 'unfixable,' but really, doesn't it make sense as an upgrade-inducer? Granted that in a more competitive market people would be put off by this, but some people don't regard the other choices with which we are so familiar as acceptable options, leaving them sending their checks to Redmond no matter.

Then again, people still buy new models of cars which have had huge saftey problems in the past, even though other choices are availble; perhaps the real phenomenon is that marketing is sometimes more powerful than good judgement.
Just goes to show you should look up your facts by Neophytus · 2003-03-27 07:44 · Score: 4, Informative

I was going to say they had stopped supporting NT4 anyway so were within their rights, but I looked it up and it appears they are providing NT4 hotfixes until the end of 2004. Either way, a service pack or something equally dramatic for one flaw I think is overkill and blocking port 135 on a firewall is a better option.
Please advise me: by rainer_d · 2003-03-27 07:44 · Score: 4, Insightful

What other operating systems from back then are still "supported" now ?
Solaris 2.6 maybe ? (Rapidly approaching EOL/EOS)
What else ?
Point is: NT4 is so old (and so BS), I can see why they want it to die (apart from the reason that they want to sell the new OSs)

--
Windows 2000 - from the guys who brought us edlin
"Can't" isn't the same as "won't" by Artifex · 2003-03-27 07:46 · Score: 4, Informative

They're not saying (publicly, anyway), "hah, we're not supporting this ancient operating system any more, go away."

The article quotes them saying they can't fix it, there's too much stuff to do.

Using your firewall to block port 135 is fine, unless you actually need RPC for something useful. In that case, I'd say that a firewall that discards all malformed packets (more complicated) is in order. Or an upgrade to Win2K. After all, it's been out for, what, 4 years now?

--
Get off my launchpad!
Honesty Filter by waldoj · 2003-03-27 07:46 · Score: 4, Funny

After running this through the honesty filter, we come out with:

"Windows is fundamentally insecure. Suck it up."

Gotta love the honesty.

-Waldo Jaquith
Re:How much by G+Money · 2003-03-27 07:47 · Score: 5, Insightful

You're kidding, right? The clients I work with are predominantly NT based because the of the license/security issues surrounding Microsoft and they don't want to be lead deeper into the licensing pit that is Microsoft. Granted, NT is very old, but if you have to pay that much for an NT server license, you're going to want to get your moneys worth for it (if that's at all possible).
Coming Soon! New Microsoft tagline by JoeShmoe · 2003-03-27 07:50 · Score: 4, Funny

"Windows XP Professional is built upon the rock-solid reliability of Windows NT technology, the architechture that is so fundamentally limited that it does not support the changes required to remove significant vulnerabilities."

Doesn't have quite the same ring to it.

- JoeShmoe
.

--
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
Give them a break. Really. by burgburgburg · 2003-03-27 07:54 · Score: 4, Funny

If you had to deal with half as many security flaws/exploits/holes as Microsoft, you'd be tired too.
Plus, why are people so irksome in not upgrading to ever newer and more expensive operating systems like they're supposed to? Constantly forcing Microsoft to keep looking back over legacy code. It's ugly, dirty and scary back there, not like in candy XP land.
Good opportunity to test open/shared source... by AEton · 2003-03-27 08:05 · Score: 4, Interesting

at least in terms of PR.
Microsoft: "Um, we don't want to fix this. But here's the kernel source, so why don't you fix it for us?"
Beady-eyed kernel hacker: "OK!"
It's not such a silly idea with a practically end-of-life'd product; bugs and exploits would get found and fixed and since Microsoft doesn't seem to want to support certain OS changes, we'd do it for them. And it would be a great PR boost. "Microsoft supports freedom to innovate!". Hm.

--
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
Re:Borg icon by JonTurner · 2003-03-27 08:11 · Score: 4, Funny

I find it interesting that the "Windows" topic has finally been used. This is the first time I can remember seeing it

Me too. However, since we're discussing a Windows security hole, shouldn't one of the glass panes be broken?
Re:Wow. by dhovis · 2003-03-27 08:15 · Score: 4, Insightful

You're working yourself up here... Consider this like Red Hat refusing to patch up Red Hat 3.0 with the latest security fixes.

Except that the source code to Red Hat 3.0 is publicly available, so a fix could be made by anybody. The problem here is that the only people who could fix NT4 is Microsoft and they are refusing to do so. Worse, we can only take their word for it that a fix would be nearly impossible.

I'm not a big proponent of open source, but this is a case where there are clear advantages.

--
--
The internet is the greatest source of biased information in the history of mankind.
Thanks MS, steal DCE's port and make it insecure by finkployd · 2003-03-27 08:16 · Score: 4, Informative

Way to go MS. Take the port used by the DCE endpoint mapper, use it in your own broken, buggy, and insecure version of DCE RPC (also known as DCOM), then refuse to fix it.

My University uses DCE all over the place, from a financial application to the distributed filesystem. Now people are going to start blocking this port (135) to protect against then start complaining when some of the applications they use and their file system access stops working.

Finkployd
Re:Borg icon by cymen · 2003-03-27 08:28 · Score: 4, Interesting

How are we to expect objective news from a site that has these types of things?

Why in the world are you expecting objective news here on /.? Seriously, you are out of your flaming gord to even imagine that /. has any thoughts on the objectivity forefront.
Re:The Ford Version of M$ by macrom · 2003-03-27 10:56 · Score: 4, Informative

More like :

Sorry, but due to the design limitation of your 1965 Ford, we are unable to retrofit your car to fix a recently-found problem in the braking system. Third-party companies may provide small fixes that can help alleviate (but not completely fix) the problem. This problem is not present in our current line of products.

Windows NT 4.0 hit end-of-life back on December 31, 2002. An IT department should know that commercial software companies, MS included, routinely EOL software and drop support for them. A 7-year-old OS is going to have moth holes in it. If your company cares about security, upgrade to something more modern and (theoretically) secure. If you can't afford it, then evaluate migrating to OSS solutions. If you can't afford that, well, you're in big trouble.

MS makes it clear on their Product Life Cycle pages what support they plan to give for all products. Anyone caught surprised by this probably shouldn't be making IT decisions for an organization any larger than 1.
Why they aren't making a patch, from Microsoft by shrikel · 2003-03-27 11:00 · Score: 4, Informative

From the faq:
The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture, Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected. The product of such a rearchitecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system.
Sure it's idiotic that their system couldn't handle a patch. But if that's how it is, then it's a good thing they made their more recent versions dynamic enough to be fixable!

--
Any sufficiently simple magic can be passed off as mere advanced technology.
It's not the number of releases.... by Kjella · 2003-03-27 14:47 · Score: 4, Insightful

NT4 came out in September 1996, just three months after Linux 2.0. The last 2.0 version is 2.0.39, which was released January 2001, over two years ago. Both groups have moved on, and aren't willing to spend much effort on the old versions.

If I install a machine with 2.0.39, is there any known big vunerability? If one was discovered would there *then* be a 2.0.40? With free software there's not much interest in backporting features, since upgrading to the latest version is free, should you need those features.

Anything that has outlived it's time as the mainstream stable branch wouldn't normally be updated except for security fixes, so I expect both 2.0 and 2.2 to have very slow release cycles now. Unlike Windows, where you expect some feature creep (for example DirectX upgrades) without having to pay for an OS upgrade.

Anyway, this isn't really about that either, but it's about the EOL date Microsoft has set. What do you think would happen if RedHat said "Uh RedHat 8 is fundamentally flawed, so we won't fix this bug even though its still under support. Block this service, or upgrade to RedHat 9, oh and you'll need a new support contract for that version." Would you find that acceptable?

Kjella

--
Live today, because you never know what tomorrow brings