NT4.0 too flawed to fix

[cwk9]

The Source: http://www.theregister.co.uk/content/55/29985.html

There's a nasty rider with Microsoft's latest security problem for NT users.

Although a denial of service risk exists in an "important" security vulnerability, publicised yesterday affecting NT 4.0, Redmond tells users not to expect a patch for that operating system anytime soon.

Windows 2000 and XP users do have access to a fix, designed to address a flaw involving Endpoint Mapper, but the best on offer for Win NT users is advice to shelter vulnerable servers behind a firewall.

The vulnerability involves the Microsoft's implementation of Remote Procedure Call protocol, more specifically the component that deals with message exchange over TCP/IP. Malformed messages received by the Endpoint Mapper process, which listens on TCP/IP port 135, might cause a server to hang.

Microsoft has provided patches with this bulletin to correct this vulnerability for Windows 2000 and Windows XP, but not Windows NT 4.0 - even though the OS is affected.

In a surprisingly candid admission, the company states that fixing NT4.0 is simply too difficult.

"The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability," Microsoft says. "Windows NT 4.0 users are strongly encouraged to employ the workaround discussed in the FAQ in the bulletin, which is to protect the NT 4.0 system with a firewall that blocks Port 135."

Firewalling will probably keep external attackers at bay but the flaw gives attackers with intranet access considerable scope to crash, though not (it would seem root), inherently vulnerable NT4 boxes.

I’m sure Microsoft sees this as a blessing. Anything to get people off NT and on to 2003. Odd how Microsoft loses out on making a half decent OS with a long life span.

[ConsummatumEst]

They could always give the source codeto the community and we'll fix it (and dozens of other flaws). But that would be too easy. They want NT to go away so they can seel more OS's like cwk9 said.

[g00n]

other posts in these same forums have already posted this... while I am not a microsoft sales man, but there is not innovation or improvments if we're not willing to let go of the old and move to the new.

I've actually been quite impressed with m$'s improvements over nt4, I have used everthing from windows 1 through xp pro, so i can say that their latest OS's are quite spectacular, even if they are bloated and full of eye candy... they're still necessary.. for without bloated OS's the processor manufacturers would get lazy and not make me faster processors ;D

[ReLik]

This is exactly why a MCP certification is worthless, because in 5 years that certification holds no real value, hence more prefer UNIX certifications as they hold more weight and actually mean something.

[g00n]

that too, same reason i've not wasted mine or my bosses money on microsoft's certs, can't see going through the studying and testing, at anywhere from $100-$250/test for it to be outdated next year. Blah, luckily my bosses don't see them as somthing they NEED to have in their computer department.

[Vigge]

I'm a MCP for WinNT4 server and workstation. Does that mean I rock?
I've got a total of 4 MS certs, They were given to me costing me only time and effort, but really, what a waste that was. The only cert I've had any use of is the one for Networking, but I could have just as easily bought a book for 30 bucks and learnt the same.

[ReLik]

I know someone who has a few, Networking, VB and 2K. He didn't have to pay for them either, it is possible, but I /think/ you may have to be under a certain age and join some kind of goverment training organisation, but I ain't sure.

If the opportunity came to get them for free, I'd take it, they look good on a CV, will help you get a job, but I certainly wouldn't ever pay for one. Not when there's RHCE's, CISCO etc which offer REAL training.