Remaining NT vulnerabilities

Can anyone tell me which vulnerabilities remain in Windows NT 4 that require
an upgrade to Windows 2000 to be fixed?
 
Rebootski said:
Can anyone tell me which vulnerabilities remain in Windows NT 4 that require
an upgrade to Windows 2000 to be fixed?

Um, all of them?

Do you mean Server or workstation? NT workstation hasn't been patched for
quite a long time.

Anyone using NT nowadays is choosing cost over security, so it seems a bit
of a waste to spend too much of your time and money counting patches. The
big problem is that there is no more development or support for NT, so when
things start breaking, you're out of luck, and could have your server
services become unavailable for who knows how long.

Once Microsoft stops patching an OS, they stop testing to confirm which
vulns affect it. You could guesstimate by looking at the number of Windows
2000 patches released since NT support was retired that don't have patches
for NT, but that's not 100% accurate.
 
Thanks Karl. I was asked to provide one example of a patch provided by MS
that impacts NT and 2000, but "can't" be installed on NT, therefore requiring
an upgrade.

Are you sure all 2000 patches cannot be installed on NT 4? Would that be
because of the upgrades included in 2000 that may be required for the patches
to work?

Thanks in advance!
Rebootski
 
Thanks again Karl.

Regards,
Rebootski

Karl Levinson said:
Rebootski said:
Thanks Karl. I was asked to provide one example of a patch provided by MS
that impacts NT and 2000, but "can't" be installed on NT, therefore requiring
an upgrade.

Yeah, it's an educated guess on anyone's part, because Microsoft doesn't
test or announce those vulns on retired OSes.

The last NT Server update was released Feb 8, 2005. You can go to
http://www.microsoft.com/technet/security/current.aspx
to see all the updates since then that affect Windows 2000 [remembering that
updates often represent more than one vulnerability]. You can also search
for all the NT 4 Server updates that were released after support for NT 4
workstation expired - last update appears to be Jul 30, 2004.

http://support.microsoft.com/gp/lifewinfaq#Windows NT Server

Anyways, even if the number was zero, which I doubt it is, a risk assessment
like this would ask, "What if a vuln is discovered tomorrow?" Of course,
given that NT patches ended in 2004, your risk tomorrow is probably about the
same as it was over the past year and a half.

Rebootski said:
Are you sure all 2000 patches cannot be installed on NT 4? Would that be
because of the upgrades included in 2000 that may be required for the patches
to work?

Windows 2000 patches are executables that check the currently running OS
version. If you're running NT, the patch won't install. You could extract
the files and manually copy them over, but the results would be
unpredictable, and of course, unsupported.
 
The latest round of patches for July 2006 has a mailslot vuln that
almost certainly impacts NT4. But as Karl says there could be numerous
vulns in NT4 since they stopped looking for holes in and patching NT4
some time ago.

I would not run NT4 except in a very sandboxed environment where it
couldn't talk to anything but very highly trusted machines. One bad bug
and it's all over.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


 
I do not recall the bulletin number but at about the end of all support
timeframe, there was a vulnerability, IIRC it was in RPC, that they did
not provide for NT4 a patch, saying it would be such a large rewrite
that it could not be done (for something at the end of its lifecycle).
You can pretty much bet that anything after that, issued for code that
has a parallel in NT 4, would be a likely candidate for your list of
unpatched flaws in NT 4.
 