Microsoft Refuses To Fix NT 4.0 Exploit

shmigget writes "The Register is reporting that Microsoft is throwing in the towel as far as NT 4 is concerned on the latest security flaw to affect Windows 2000, XP, and NT 4. They quote Microsoft as saying 'The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.'" There still is a workaround for NT 4.0. Instead of patching the problem, it's advised to firewall off port 135 on an affected machine.
  • ZoneAlarm (Score:5, Funny)

    by yycs ( 514096 ) on Thursday March 27, 2003 @03:40PM (#5609437)
    So in effect, ZoneAlarm could be considered as a patch for this problem??
    • No. Why?

      By firewalling, you merely hide the problem, you don't fix it.
    • Re:ZoneAlarm (Score:4, Interesting)

      by deadsaijinx* ( 637410 ) <animemeken@hotmail.com> on Thursday March 27, 2003 @03:52PM (#5609586) Homepage
      well, if ZoneAlarm is your bag? ^^ That was kinda a joke, kinda not. After all, the personal firewall edition is very limited (I haven't found a way to block off individual ports, though it may be possible). The Pro edition (or whatever they call it) should adequately handle it, but I'm sure there are better choices that are OS. Can anyone recommend a good OSS firewall that works under WindersXP?

      Moving on: I really don't see what the big deal is, so what if MS doesn't patch NT? The only people using NT are businesses that are reluctant or unable to upgrade. And since a firewall is a must for any business that has a link to the outside world (or even on a closed network for that matter, after all, if the workstations are hooked up to the network, it's no longer secure). That being said, any good admin can patch these bugs with their trusty firewall and a few clicks.

      Anyway, I'm really looking for a good OSS firewall. So any recommendations would be nice. Thanx!

      • Re:ZoneAlarm (Score:5, Interesting)

        by gmack ( 197796 ) <gmack@noSpAM.innerfire.net> on Thursday March 27, 2003 @04:30PM (#5609928) Homepage Journal
        "Anyway, I'm really looking for a good OSS firewall. So any recommendations would be nice. Thanx!"

        Linux: iptables
        *bsd: ipfw

        Having said that I have a growing dislike of firewalls for the simple reason that they tend to be overused and improperly implemented.

        Traffic control is good. Thinking blocked ports or auto firewalling portscanners is going to make your network any more secure is not smart. I've also seen people block potentially insecure ports instead of closing them on the machines. Too often I find firewalls as the justification for the use of insecure crap like Exchange or Lotus Notes.

        On the other side firewalls also tend to be set so strictly that they block legitimate traffic. It's getting common to block all ICMP messages even though they are needed for things like packet size negotiation and error reporting.

        ZoneAlarm is a horrid example of an overzealous firewall blocking legitimate traffic and scaring users on the risks of harmless things like ident checks. Leads to fun things like ISPs shutting off servers over complaints from clueless users armed with Zone Alarm logs.
        • by kir ( 583 )
          It's getting common to block all ICMP messages even though they are needed for things like packet size negotiation and error reporting.

          I hate firewall admins that block all ICMP. I hate them. It should be legal to kill them... well... at least hurt them.

          I work with the DoD. They use encryption devices quite a bit. These devices always request fragmentation (they need some room too you know). I don't know how many times I've pleaded with a firewall admin to let ICMP type 3 (code 4) through.

          I'm star

      • Re:ZoneAlarm (Score:5, Insightful)

        by foistboinder ( 99286 ) on Thursday March 27, 2003 @04:46PM (#5610051) Homepage Journal
        Moving on: I really don't see what the big deal is, so what if MS doesn't patch NT? The only people using NT are businesses that are reluctant or unable to upgrade.

        Some businesses are reluctant to upgrade because they are running mission critical apps (even on Windows) where changing the OS may force them to go through some sort of lengthy and expensive tests.

        I once worked on software running on an archaic version of Unix. The OS was never upgraded because doing so would force them to get the entire system recertified by the FDA (it was a system used in medical diagnostics). As it was, it was a pain to recertify individual programs on this system.

        • Re:ZoneAlarm (Score:5, Insightful)

          by $rtbl_this ( 584653 ) on Thursday March 27, 2003 @06:50PM (#5610869)

          And some businesses don't want to upgrade because of the cost. Not only would you be looking at licenses, but also hardware upgrades, retraining of IT staff, taking time out to plan an Active Directory implementation and all the testing involved in seeing if your apps run properly in the new environment. For a medium to large sized company that can represent a huge investment in time and money just to stay supported.

    • Well... yes and no... From MS' security bulletin: The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. So if you block it, RPC clients will likely stop working. But, really, who cares? How many RPC services are running exposed to untrusted environments? If you have such a box connected to the Internet NOT behind a firewall, you've been begging to be DOS-ed all along.
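The story's workaround (block port 135) and the ICMP discussion above (don't block all ICMP, or type 3 code 4 "fragmentation needed" never gets back to the sender) describe two halves of one firewall policy. The following is an added example, not code from the article, from Microsoft or from any poster in this thread: a toy packet filter in Python that parses just enough of an IPv4 packet to drop TCP/UDP traffic to the RPC endpoint mapper while still passing ICMP error reports. Which ICMP types it lets through (destination unreachable and time exceeded) is this example's own choice, and the addresses and packets are constructed from RFC 5737 documentation ranges, not captured traffic.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Protocol numbers and message types (IANA / RFC 792); the filter policy below is this example's assumption.
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 3, 8, 11
ICMP_FRAG_NEEDED = 4          # type 3, code 4: "fragmentation needed and DF set" (RFC 1191 adds the next-hop MTU)
RPC_EPMAP_PORT = 135          # RPC endpoint mapper, the port the NT 4.0 workaround says to block


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; yields 0 when run over a message whose checksum field is already valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    next_hop_mtu: Optional[int] = None


def parse_ipv4(raw: bytes) -> Packet:
    """Decode only the fields the policy needs; truncated or corrupt ICMP is rejected rather than guessed at."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    pkt = Packet(proto=raw[9], src=socket.inet_ntoa(raw[12:16]), dst=socket.inet_ntoa(raw[16:20]))
    payload = raw[ihl:]
    if pkt.proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(payload) < 4:
            raise ValueError("truncated transport header")
        pkt.dport = struct.unpack("!H", payload[2:4])[0]      # destination port is bytes 2-3 for both TCP and UDP
    elif pkt.proto == IPPROTO_ICMP:
        if len(payload) < 8 or inet_checksum(payload) != 0:
            raise ValueError("truncated or corrupt ICMP message")
        pkt.icmp_type, pkt.icmp_code = payload[0], payload[1]
        if pkt.icmp_type == ICMP_DEST_UNREACH and pkt.icmp_code == ICMP_FRAG_NEEDED:
            pkt.next_hop_mtu = struct.unpack("!H", payload[6:8])[0]   # RFC 1191: next-hop MTU in bytes 6-7
    return pkt


def decide(pkt: Packet) -> str:
    """Filter policy (assumed here): block the endpoint mapper, keep ICMP error reporting flowing."""
    if pkt.proto in (IPPROTO_TCP, IPPROTO_UDP) and pkt.dport == RPC_EPMAP_PORT:
        return "DROP"                                    # the workaround from the story
    if pkt.proto == IPPROTO_ICMP:
        if pkt.icmp_type in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
            return "ACCEPT"                              # errors, type 3 code 4 included, must reach the sender
        return "DROP"                                    # echo requests and everything else are dropped here
    return "ACCEPT"


def decide_raw(raw: bytes) -> str:
    """Policy applied to raw bytes; anything the parser rejects is dropped instead of being passed through."""
    try:
        return decide(parse_ipv4(raw))
    except ValueError:
        return "DROP"


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 header (no options) with a valid header checksum; used only to make sample traffic."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_icmp(icmp_type: int, code: int, rest: bytes, body: bytes = b"") -> bytes:
    """Constructed ICMP message with its checksum filled in."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def tcp_syn(dport: int) -> bytes:
    """Constructed 20-byte TCP header with only SYN set."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)


NT_HOST = "192.0.2.10"   # constructed address for the NT 4.0 box behind the firewall
SAMPLES: Dict[str, bytes] = {
    "tcp_syn_to_epmap": build_ipv4(IPPROTO_TCP, "198.51.100.7", NT_HOST, tcp_syn(RPC_EPMAP_PORT)),
    "udp_to_epmap": build_ipv4(IPPROTO_UDP, "198.51.100.7", NT_HOST, struct.pack("!HHHH", 40000, RPC_EPMAP_PORT, 8, 0)),
    "tcp_syn_to_http": build_ipv4(IPPROTO_TCP, "198.51.100.7", NT_HOST, tcp_syn(80)),
    # a router reporting that the host's packet did not fit; next-hop MTU 1400, followed by 28 bytes of the
    # offending datagram (constructed, zero-filled)
    "icmp_frag_needed": build_ipv4(IPPROTO_ICMP, "203.0.113.1", NT_HOST,
                                   build_icmp(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, struct.pack("!HH", 0, 1400),
                                              b"\x45" + b"\x00" * 27)),
    "icmp_echo_request": build_ipv4(IPPROTO_ICMP, "198.51.100.7", NT_HOST,
                                    build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 1, 1), b"ping")),
}
# corrupt copy: flip the last byte so the ICMP checksum no longer verifies
SAMPLES["icmp_frag_needed_corrupt"] = SAMPLES["icmp_frag_needed"][:-1] + bytes([SAMPLES["icmp_frag_needed"][-1] ^ 0xFF])


def run(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Apply the policy to every sample and return the verdict per sample name."""
    return {name: decide_raw(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:26s} {verdict}")
```

The point the thread makes is visible in the verdicts: the endpoint mapper is unreachable over both TCP and UDP, yet the host still receives the type 3 code 4 message (with the 1400-byte next-hop MTU it needs to resize its packets), while the corrupt copy is dropped because its checksum fails rather than being waved through.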
    • by Erris ( 531066 )
      That or IP chains on a 486 could help protect your wimpy little M$ box from the big bad internet. Need help with those pesky chain rules? Try plonk [linux.org]. The best patch I've seen so far is the M$ Offswitch. What was the wonderful New Technology, NT, good for again?
  • Borg icon (Score:2, Insightful)

    by KingRamsis ( 595828 )
    I like the Bill "Borg" icon better than this icon
  • No surprise (Score:5, Informative)

    by jawtheshark ( 198669 ) <slashdot@nosPAm.jawtheshark.com> on Thursday March 27, 2003 @03:41PM (#5609442) Homepage Journal
    I mean, NT4 is close to its end of life [microsoft.com].

    No, I don't like it... but support for NT4 is dropped at 30 June 2003 and that's not really far away.

    • Re:No surprise (Score:5, Insightful)

      by MyPantsAreOnFire! ( 642687 ) on Thursday March 27, 2003 @03:49PM (#5609546)
      Very true. I agree that all products have their lifecycles, and NT 4 is most definitely near the end of its cycle.

      However, support for NT4 is dropped on June 30th, NOT March 26th. They should still support their products with something better than a half-assed work around.

      How can we trust that Win 2003 support will end 4 years after its release, and not when they come across a "really difficult" problem that may require some thought and work?
      • Re:No surprise (Score:3, Interesting)

        by jaavaaguru ( 261551 )
        They should still support their products with something better than a half-assed work around.

        Haha, I found that sentence funny.

        If you're looking for something better than a "half-assed" work around, why are you using NT4? After the Win9x series, I'd say it's Microsoft's worst product. Windows 2000 replaced it, and is much better.
      • Re:No surprise (Score:4, Insightful)

        by Rary ( 566291 ) on Thursday March 27, 2003 @05:37PM (#5610408)
        According to Microsoft's site: "Microsoft tested Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition. These platforms are vulnerable to the denial of service attack however due to architectural limitations it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability."

        Perhaps they had an analyst estimate the time/effort involved in fixing this issue, and found that it's based on such a fundamental flaw in the very foundation of NT 4.0 that it would take until well past June 30th to code a fix. If that's the case, then they're not actually cutting off the support early.

        I dunno. Just a thought.

    • Re:No surprise (Score:5, Informative)

      by questionlp ( 58365 ) on Thursday March 27, 2003 @03:49PM (#5609553) Homepage
      That may be the case for NT 4.0 Workstation, but NT 4.0 Server has a different EOL/End of Support timeline (according to Microsoft):
      http://www.microsoft.com/ntserver/ProductInfo/Availability/Retiring.asp [microsoft.com]

      The key part of that page is:

      January 1, 2005 Beginning on this date, Pay-per-incident and Premier support will no longer be available. This includes security hotfixes.
      On the page that you linked to, the end date for System Builder (ie: OEM) availability for NT 4.0 Workstation is 30 June 2003 whereas the end date for online support is 30 June 2004.
      • Re:No surprise (Score:5, Informative)

        by questionlp ( 58365 ) on Thursday March 27, 2003 @03:51PM (#5609578) Homepage
        Whoops... forgot to paste another part of that page [microsoft.com]:

        January 1, 2004 Beginning on this date, non-security hotfixes are no longer available.

        Considering that this is a security vulnerability that they are talking about, Microsoft needs to look at what they committed to their customers in that timeline and better get a fix out ASAP!
        • by dsplat ( 73054 ) on Thursday March 27, 2003 @04:26PM (#5609902)
          Considering that this is a security vulnerability that they are talking about, Microsoft needs to look at what they committed to their customers in that timeline and better get a fix out ASAP!


          Didn't you read the EULA? It specifically said, "This product is supplied without any warranty for any use whatsoever. Even as a high tech coaster in an oversized box. If the media is damaged, we will replace it with undamaged media, which we also don't guarantee has any usable software on it, within 90 days of the purchase date. Do not use in the presence of electric current. If cough persists, discontinue use."
    • Re:No surprise (Score:5, Insightful)

      by boinger ( 4618 ) <boinger@@@fuck-you...org> on Thursday March 27, 2003 @03:52PM (#5609584) Homepage
      "Close to end-of-life" is not "end-of-life". I'm sure some of their enterprise-level customers (banks, for instance) where "just upgrade the server" isn't an option will have some very favorable (meaning bad for Microsoft) spending decisions next time around.

      Who wants to buy an operating system from a company that lets their OSes die before their EOL? I sure wouldn't. The point of an EOL announcement is telling the world that 'as of xx/xx/xx, this product is dead as far as support goes'. Not 'when date xx/xx/xx is nearish, you're SOL'.

      But, then, I'm just an admin, what do I know?

      • Re:No surprise (Score:5, Interesting)

        by zbuffered ( 125292 ) on Thursday March 27, 2003 @04:25PM (#5609889)
        Who wants to buy an operating system from a company that lets their OSes die before their EOL?

        For that matter, who wants to buy an operating system whose security fixes can only be released (or not released, as seen here) by a single company, due to its closed-source nature?

        The only fix is to firewall off the server? WTH kind of a fix is that? That's one step away from keeping the network cable unplugged!
    • Re:No surprise (Score:2, Interesting)

      by EZmagz ( 538905 )
      No, I don't like it... but support for NT4 is dropped at 30 June 2003 and that's not really far away.

      This is true. However, as a company, you'd think that MS would feel obligated to support its products until the minute they drop support...which in this case isn't for another couple months. This would be like buying a new TV with a 1 year warranty and bringing it back 11 months into its life for service only to be told, "Sorry, it's just too close to expiration for us to care."

      As I type this on my NT box

  • design flaw (Score:2, Funny)

    by macragge ( 413964 )
    "The architectural limitations of Windows"... "do not support the changes that would be required to remove this vulnerability."

    So why do they keep trying with NT 6 er.. XP
    • Re:design flaw (Score:5, Interesting)

      by jaavaaguru ( 261551 ) on Thursday March 27, 2003 @04:46PM (#5610054) Homepage
      Windows XP Professional is Windows NT 5.1.
      Windows 2000 Professional was Windows NT 5.0

      They're not very different from what I've seen. Cleartext, Skinnability, User switching, and a new UI are the only differences I've noticed. ...Things you might get with a new release of GTK rather than a new release of Linux. Not changing the Operating System much.
  • Hot News... (Score:4, Interesting)

    by Stephen R Hall ( 163541 ) on Thursday March 27, 2003 @03:41PM (#5609450)
    Windows NT 4.0 too broken to fix. Is anyone really surprised? Or, is this a ruse to get everyone to upgrade to the latest version?
    • Re:Hot News... (Score:3, Insightful)

      Bs.

      Funny how w2k was fixed with this vulnerability. It's not too broken. What is broken is Microsoft's wallet and quarterly expectations. They wanted to end NT4 support back in 2002 but enough people complained so they extended it until this June.

      Microsoft does not want to spend money fixing a product which people no longer buy. To them it just costs money to fix since it's no longer on sale. What economic benefit is that?

      If customers need the patch fixed then they need to pay Microsoft to fix it. Up
  • It's old (Score:5, Insightful)

    by Muerto ( 656791 ) <{david} {at} {vitanza.net}> on Thursday March 27, 2003 @03:41PM (#5609453)
    I'm not too surprised Microsoft isn't going to support it.. it is an 8-year-old version of the software.. however they need to decide to drop it and completely stop supporting it... not just decide to support some things and not others..
    • Re:It's old (Score:3, Informative)

      by GQuon ( 643387 )
      The point here, I think, is that we haven't yet reached that announced date where they won't be providing support anymore.
      And you'd be surprised at how many old systems are churning away in business and industry. The Y2K projects led to scrapping of many old systems, but old systems are still there. Much of a case of "If it's not broke, don't fix it." and getting the highest possible return on investments.
  • Now there's an upgrade strategy.

    "Well, it's too hard to fix on your existing install, but if you upgrade to a new OS, we'll be happy to fix it." - MS Exec
    "Umm, ok, I guess." - Unwitting companies

    There is no step 2, baby, it's all profit!
  • It is actually a logical and feasible idea. Why continue supporting a dead / dying OS? As a sys-admin I may not like it, but there has to be a cutoff point somewhere. Makes for more revenue when everyone has to upgrade their software.
    • The controversy is that Microsoft is committed to support Windows NT 4.0 until June 30th, 2003. They are breaking contract, perhaps this is why they think they need $40 billion to defend themselves from lawsuits.
  • is NT really used these days? I remember some of our management applications (browser based) had to be NT tested a year or two ago.

    These days it's all Windows 2000 and XP, and people are considering dropping the 2000 support sometime in the near future.
    • my wife used to work as a web developer (until six months ago) for a logistics company and they were too cheap to upgrade anything...NT4 everywhere, including the servers.
    • Re:How much (Score:5, Insightful)

      by G Money ( 12364 ) on Thursday March 27, 2003 @03:47PM (#5609534) Homepage
      You're kidding, right? The clients I work with are predominantly NT based because of the license/security issues surrounding Microsoft and they don't want to be led deeper into the licensing pit that is Microsoft. Granted, NT is very old, but if you have to pay that much for an NT server license, you're going to want to get your money's worth for it (if that's at all possible).
    • Re:How much (Score:2, Insightful)

      by narrowhouse ( 1949 )
      Dropping 2000 for XP server? Oh wait there is no XP server... Maybe the people you are talking about don't use servers? Don't get me wrong, I would like to see more people consider dropping Windows 2000 servers, they would be switching to UNIX, or LINUX 90% of the time if they did.
  • Kinda makes you wonder what other fundamental flaws are there in NT4.0 that will prevent fixes from happening. ...And Microsoft wants to be known as a company you can trust with security. This should throw them back a couple of eons.
    • How many open source companies openly support older products? Don't they just say upgrade to the latest major revision? I think it's unfair picking on Microsoft because they decide to drop an OS that was in development over 10 years ago.
  • by leerpm ( 570963 ) on Thursday March 27, 2003 @03:42PM (#5609462)
    Don't they promise to support products for a given amount of years for some enterprise customers? What will happen in these cases?
  • by mlknowle ( 175506 ) on Thursday March 27, 2003 @03:42PM (#5609465) Homepage Journal
    It seems strange on the surface for them to admit that their product is 'unfixable,' but really, doesn't it make sense as an upgrade-inducer? Granted that in a more competitive market people would be put off by this, but some people don't regard the other choices with which we are so familiar as acceptable options, leaving them sending their checks to Redmond no matter.

    Then again, people still buy new models of cars which have had huge safety problems in the past, even though other choices are available; perhaps the real phenomenon is that marketing is sometimes more powerful than good judgement.
    • What about Redhat Enterprise Edition? Sure, it cannot play windows games, but for running servers it is certainly a viable alternative to Windows OSs. It sure costs less than $4000 a license. Perhaps the companies that were too strapped for cash to upgrade their NT servers are still too poor to buy new licenses for MS server software.
  • by Hanji ( 626246 )
    All Microsoft-bashing aside, does anyone else see something majorly wrong when it's impossible to fix a fairly serious exploit due to architecture limitations in the OS??
    They're basically saying that they can't fix it because the OS makes it impossible to do so. Not because it's inherent in some protocol, or because it is a natural effect of some kind of desired behavior or something, but because the OS DOESN'T SUPPORT IT?????
    That's just wrong.
    • Re:Wow. (Score:3, Insightful)

      by Steeltoe ( 98226 )
      All Microsoft-bashing aside, does anyone else see something majorly wrong when it's impossible to fix a fairly serious exploit due to architecture limitations in the OS??
      They're basically saying that they can't fix it because the OS makes it impossible to do so. Not because it's inherent in some protocol, or because it is a natural effect of some kind of desired behavior or something, but because the OS DOESN'T SUPPORT IT?????
      That's just wrong.


      You're working yourself up here... Consider this like Red Hat
      • Re:Wow. (Score:5, Insightful)

        by dhovis ( 303725 ) on Thursday March 27, 2003 @04:15PM (#5609809)
        You're working yourself up here... Consider this like Red Hat refusing to patch up Red Hat 3.0 with the latest security fixes.

        Except that the source code to Red Hat 3.0 is publicly available, so a fix could be made by anybody. The problem here is that the only people who could fix NT4 are Microsoft and they are refusing to do so. Worse, we can only take their word for it that a fix would be nearly impossible.

        I'm not a big proponent of open source, but this is a case where there are clear advantages.

    • I doubt it's impossible. It's just that it may involve more than a trivial number of changes and all the attendant risks and costs that come with making those changes. They're obviously not willing to do this with a product nearing the end of its life cycle.

      They should have probably used the word "infeasible" rather than "impossible". But then I'm no marketing weasel. Perhaps they had their reasons.

  • End of Life (Score:4, Interesting)

    by rf0 ( 159958 ) <rghf@fsck.me.uk> on Thursday March 27, 2003 @03:43PM (#5609475) Homepage
    You have to wonder how long a company can support an operating system. You have to remember that NT was released in the mid-90s so it's 7+ years old. Microsoft is beginning to put NT4 to end of life, and the people who really know the code may have left Microsoft or moved on.

    I mean, we all go on about how bad MS is, but you can't expect them to support everything forever, can you?

    Rus
    • I mean, we all go on about how bad MS is, but you can't expect them to support everything forever, can you?

      No, you're right. But wouldn't it be great if you could have the source code available so that you could backport a fix? Granted NT is ancient in computer years, but lots of shops still use it extensively.
    • You make a good point. If it is in fact unreasonable effort for MS to support one of their better products, then maybe, just maybe, they could consider releasing the source code for it, so we could support it for ourselves?? Huh?

      Yeah, I know, wishful thinking. Makes no sense if most people would rather just pay for an upgrade.
  • by Neophytus ( 642863 ) on Thursday March 27, 2003 @03:44PM (#5609484)
    I was going to say they had stopped supporting NT4 anyway so were within their rights, but I looked it up [microsoft.com] and it appears they are providing NT4 hotfixes until the end of 2004. Either way, a service pack or something equally dramatic for one flaw I think is overkill and blocking port 135 on a firewall is a better option.
  • It's ok (Score:3, Interesting)

    by ultrabot ( 200914 ) on Thursday March 27, 2003 @03:44PM (#5609485)
    It's their right to do so. I don't see a reason how they are doing something "wrong". It's their product, and they have said they have discontinued it. It's up to the users to find a suitable fix for the system.

    Kinda makes one think of benefits of open source; if something like this happens, you can always hire some hacker to fix the hole, wherever it is, for the right amount of money.
  • by sirinek ( 41507 )
    If you are still running NT4, you probably are too busy (or lazy) to update security patches anyway.

    NT4 needs to DIE. If you prefer the Windows platform, you've had ample time to move to 2K, or else another platform.
    • Re:nt (Score:2, Insightful)

      by Lxy ( 80823 )
      NT4 and Windows 2000 have compatibility issues. For instance, running a PDC controller on NT4 makes it more compatible with NT, Win9x, 2k, and XP. Running a Win2K PDC cuts off functionality from NT and Win9x clients. So why am I running 9x and NT workstations? Some stuff just won't work on new OS's. We've got servers(!!) running on Windows 3.11 because the software is too b0rked to run on anything newer. And besides, there's nothing more fun than showing off our 486 servers :-).

      UPGRADING ISN'T ALWAYS
  • Please advise me: (Score:5, Insightful)

    by rainer_d ( 115765 ) on Thursday March 27, 2003 @03:44PM (#5609493) Homepage
    What other operating systems from back then are still "supported" now ?
    Solaris 2.6 maybe ? (Rapidly approaching EOL/EOS)
    What else ?
    Point is: NT4 is so old (and so BS), I can see why they want it to die (apart from the reason that they want to sell the new OSs)
    • be advised (Score:3, Insightful)

      by Erris ( 531066 )
      What other operating systems from back then are still "supported" now ? Solaris 2.6 maybe ? (Rapidly approaching EOL/EOS) What else ? Point is: NT4 is so old (and so BS), I can see why they want it to die (apart from the reason that they want to sell the new OSs)

      If you have a Sun, you will be provided with software with all the fixes free of charge. A friend of mine bought a nice UltraSPARC on eBay a while back and he was provided with all that he needed.

      If you simply have a 486, all the BSD and Linux

  • "Microsoft Refuses To Fix NT 4.0 Bxploit". I think you mean exploit :)

    Rus
    • I'm confused at that - those keys aren't even next to each other - how could that typo have existed? Maybe a Dvorak?

      Or is it a bizarre acronym? Back-Exploit, 'cause it's an old software version?
  • Why are we not seeing the Bill Gates Borg? Do we need another topic just for windows? If so, it should be a window through which we see the Gates-Borg.
  • say in 97/98/whatever they would have just looked at it and said "well darn...an NT4 bug that just can not be fixed"?

    What's sad is that there is a 2k/XP fix...and I bet an NT fix would not be that hard considering they are quite similar OS's.
  • by Artifex ( 18308 ) on Thursday March 27, 2003 @03:46PM (#5609519) Journal
    They're not saying (publicly, anyway), "hah, we're not supporting this ancient operating system any more, go away."

    The article quotes them saying they can't fix it, there's too much stuff to do.

    Using your firewall to block port 135 is fine, unless you actually need RPC for something useful. In that case, I'd say that a firewall that discards all malformed packets (more complicated) is in order. Or an upgrade to Win2K. After all, it's been out for, what, 4 years now?
    • Using your firewall to block port 135 is fine, unless you actually need RPC for something useful. In that case, I'd say that a firewall that discards all malformed packets (more complicated) is in order.

      If you're doing something useful with RPC, and you are not doing it behind a firewall (that discards all RPC packets), then you are dumb like bricks. RPC isn't something you want to be doing via the internet, afaik.

      All their enterprise customers might be annoyed, but this should never affect them. If some
  • by waldoj ( 8229 ) <waldo@@@jaquith...org> on Thursday March 27, 2003 @03:46PM (#5609521) Homepage Journal
    After running this through the honesty filter, we come out with:

    "Windows is fundamentally insecure. Suck it up."

    Gotta love the honesty.

    -Waldo Jaquith
  • ... ways (Score:2, Funny)

    by Rock ( 16836 )
    Ve haf ways of making you upgrade, ya!?!
  • by JoeShmoe ( 90109 ) <askjoeshmoe@hotmail.com> on Thursday March 27, 2003 @03:50PM (#5609567)
    "Windows XP Professional is built upon the rock-solid reliability of Windows NT technology, the architecture that is so fundamentally limited that it does not support the changes required to remove significant vulnerabilities."

    Doesn't have quite the same ring to it.

    - JoeShmoe
    .
  • Is this shorthand for Bad exploit?
  • by burgburgburg ( 574866 ) <splisken06@@@email...com> on Thursday March 27, 2003 @03:54PM (#5609618)
    If you had to deal with half as many security flaws/exploits/holes as Microsoft, you'd be tired too.

    Plus, why are people so irksome in not upgrading to ever newer and more expensive operating systems like they're supposed to? Constantly forcing Microsoft to keep looking back over legacy code. It's ugly, dirty and scary back there, not like in candy XP land.

  • If you click on the 'topics' link on the left, you'll see that slashdot has one icon for Microsoft (the borg) and another for Windows (this shitty one.) If you click on the Windows icon, you'll find that this is the only story ever posted with it. So we can probably rule out Bill using his mind control ray to control Taco's mind, and chalk it up to the usual slashdot incompetence.
  • by A_Non_Moose ( 413034 ) on Thursday March 27, 2003 @04:03PM (#5609707) Homepage Journal
    NT4: I'm not dead yet.

    Microsoft: Yes you are, you just don't know it.

    NT4: Really, I'm very much alive.

    Microsoft: No, you're very sick and could give over any minute now. ..and on and on.

    (I'm so ashamed I can't recall that conversation verbatim...
    Getting old, I suppose.)
  • by AEton ( 654737 ) on Thursday March 27, 2003 @04:05PM (#5609728)
    at least in terms of PR.
    Microsoft: "Um, we don't want to fix this. But here's the kernel source, so why don't you fix it for us?"
    Beady-eyed kernel hacker: "OK!"
    It's not such a silly idea [everything2.com] with a practically end-of-life'd product; bugs and exploits would get found and fixed and since Microsoft doesn't seem to want to support certain OS changes, we'd do it for them. And it would be a great PR boost. "Microsoft supports freedom to innovate!". Hm.
  • by MagPulse ( 316 ) on Thursday March 27, 2003 @04:08PM (#5609752)
    NT4 came out in September 1996, just three months after Linux 2.0. The last 2.0 version is 2.0.39, which was released January 2001, over two years ago. Both groups have moved on, and aren't willing to spend much effort on the old versions. It's true there are more recent 2.0 pre-patches, but if you're willing to use one of those, simply adding a port to your firewall block list should be cake.

    And yes, with Linux, you have the source, so you could fix this yourself, right? Microsoft says this requires large architectural changes. I think any person or group willing to re-architect NT4 or the 2.0 kernel would better spend their time and effort upgrading to a newer OS version.
    • by Kjella ( 173770 ) on Thursday March 27, 2003 @10:47PM (#5612118) Homepage
      NT4 came out in September 1996, just three months after Linux 2.0. The last 2.0 version is 2.0.39, which was released January 2001, over two years ago. Both groups have moved on, and aren't willing to spend much effort on the old versions.

      If I install a machine with 2.0.39, is there any known big vulnerability? If one was discovered would there *then* be a 2.0.40? With free software there's not much interest in backporting features, since upgrading to the latest version is free, should you need those features.

      Anything that has outlived its time as the mainstream stable branch wouldn't normally be updated except for security fixes, so I expect both 2.0 and 2.2 to have very slow release cycles now. Unlike Windows, where you expect some feature creep (for example DirectX upgrades) without having to pay for an OS upgrade.

      Anyway, this isn't really about that either, but it's about the EOL date Microsoft has set. What do you think would happen if RedHat said "Uh RedHat 8 is fundamentally flawed, so we won't fix this bug even though it's still under support. Block this service, or upgrade to RedHat 9, oh and you'll need a new support contract for that version." Would you find that acceptable?

      Kjella
  • by jasonditz ( 597385 ) on Thursday March 27, 2003 @04:11PM (#5609781) Homepage
    Instead of patching the problem, format the hard drive and use someone's OS who actually fixes security problems next time.
  • by Zerbey ( 15536 ) on Thursday March 27, 2003 @04:14PM (#5609799) Homepage Journal
    So, here it is from both angles, the way I see it.

    Microsoft do have a point, NT 4.0 *is* 7 years old now (released 1996) and supporting it is probably a major headache for them, at least until June when it reaches end of life (bear in mind that end of life for most software is 5 years). How long can you keep patching software? I guarantee that if they did take the time to patch it many other things would break resulting in the need for more patching and more headaches.

    On the other hand, they are still going to get a nasty backlash from the millions (billions?) of people still using NT 4.0. Yes, you can laugh at businesses who haven't moved to 2000 or XP yet, but if you are a multinational company that depends on NT and is facing the huge costs of moving to 2000, it's a big deal.

    Microsoft recommends we firewall port 135 - which every network administrator with a brain should already be doing! Unfortunately, good network administrators are in very short supply.
    • by pmz ( 462998 ) on Thursday March 27, 2003 @04:54PM (#5610131) Homepage
      NT 4.0 *is* 7 years old now (released 1996) and supporting it is probably a major headache for them, at least until June when it reaches end of life (bear in mind that end of life for most software is 5 years).

      I'm always surprised at how much volatility we've come to tolerate in software. In other industries, the customers would be fleeing in hordes.

      I take all this as just more evidence that the software industry won't reach maturity for at least several more decades.
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Thursday March 27, 2003 @04:16PM (#5609813)
    Comment removed based on user account deletion
  • by Linux-based-robots ( 660980 ) on Thursday March 27, 2003 @04:49PM (#5610087) Journal
    Of course, Red Hat is also phasing out earlier versions of Red Hat Linux, but due to its open source nature you could get security updates from another source (apt-rpm repositories for instance) or make your own patches. Windows users are forced to rely on Microsoft for timely security updates, which they frequently fail to provide even in recent versions of Windows.
  • by shrikel ( 535309 ) <hlagfarj&gmail,com> on Thursday March 27, 2003 @07:00PM (#5610938)
    From the faq:

    The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture. Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected. The product of such a rearchitecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system.

    Sure it's idiotic that their system couldn't handle a patch. But if that's how it is, then it's a good thing they made their more recent versions dynamic enough to be fixable!

  • by miffo.swe ( 547642 ) <daniel@hedblom.gmail@com> on Thursday March 27, 2003 @07:14PM (#5611043) Homepage Journal
    'The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.'

    Translated:

    You will upgrade when I tell you to, evil communist!

  • bullshit (Score:3, Insightful)

    by dh003i ( 203189 ) <dh003i@gmail. c o m> on Thursday March 27, 2003 @08:07PM (#5611403) Homepage Journal
    This is just part of their plan to force people to make costly upgrades.
  • by PinkX ( 607183 ) on Thursday March 27, 2003 @08:24PM (#5611495) Homepage
    (Another) security bug is discovered in Microsoft software, which affects Windows NT 4. It also affects Windows 2000 and Windows XP, which clearly means that the latter two are direct derivatives of NT 4 (which we all already know).

    So now Microsoft is refusing to issue a fix for NT 4, arguing that there is no way they could make it so that no other existing apps stop working. But a fix for 2k and XP has already been done. That's because of the great differences between NT 4 and 2k/XP; nonetheless, they are based on the same product.

    So how come, if 2k and XP are SO different from NT, they can still run the same apps without needing any modification? How come there is no way to patch an NT4 system so that it can still run the same apps, yet they can surely do it for 2k and XP, and the same applications will still run without a problem on the same system?

    This is clearly a move from Microsoft to force their customers to either upgrade their NT 4 installations, or else be left to their own luck. Many people WON'T upgrade their NT 4 because it just works for them, because their hardware is not powerful enough for a 2k/XP system, or because of any other reason they can think of.

    Windows NT 4 has been on the market for about seven or eight years now (if my memory isn't failing me, it was released almost alongside Win95). This recently discovered vulnerability has been there all along since then. What would have happened if someone had discovered it before W2K was released? Would Microsoft still have been unable to release a patch for it because it would break the whole system down?

    I've seen many posts saying that no one should have port 135 open to the world. That port shouldn't be listening for requests from the whole world in the first place. There is no way you can know which of the ports that are listening (for some obscure reason, valid for Microsoft of course) represent a threat to the security of the system. Sure, the same could be said (no) about Linux and other systems, but there's always a way to shut them off and not leave the system in a non-working state.

    And that's all I have to say about it.
