Feeds

NT4.0 too flawed to fix – official

Insecure by design

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

There's a nasty rider with Microsoft's latest security problem for NT users.

Although a denial of service risk exists in an "important" security vulnerability, publicised yesterday affecting NT 4.0, Redmond tells users not to expect a patch for that operating system anytime soon.

Windows 2000 and XP users do have access to a fix, designed to address a flaw involving Endpoint Mapper, but the best on offer for Win NT users is advice to shelter vulnerable servers behind a firewall.

The vulnerability involves the Microsoft's implementation of Remote Procedure Call protocol, more specifically the component that deals with message exchange over TCP/IP. Malformed messages received by the Endpoint Mapper process, which listens on TCP/IP port 135, might cause a server to hang.

Microsoft has provided patches with this bulletin to correct this vulnerability for Windows 2000 and Windows XP, but not Windows NT 4.0 - even though the OS is affected.

In a surprisingly candid admission, the company states that fixing NT4.0 is simply too difficult.

"The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability," Microsoft says. "Windows NT 4.0 users are strongly encouraged to employ the workaround discussed in the FAQ in the bulletin, which is to protect the NT 4.0 system with a firewall that blocks Port 135."

Firewalling will probably keep external attackers at bay but the flaw gives attackers with intranet access considerable scope to crash, though not (it would seem root), inherently vulnerable NT4 boxes. ®

External Links

Microsoft's Security Bulletin

Related Stories

Critical Win2K flaw yields multiple attack vectors (different, even more serious, problem)
Too cool for secure code
Windows Root kits a stealthy threat
Small WinXP security glitch, not many dead

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.