Computer Crime Research Center

people/Billi.jpg

Windows NT Users Beware!

Date: March 17, 2005
Source: securitypipeline
By: Gregg Keizer

Hundreds of thousands of Web sites running Windows NT 4 remain -- and will remain -- at risk from attack via a vulnerability patched for other operating systems a month ago, a U.S.-based security firm and a British-based Web monitoring vendor said Thursday.

The bug in a key Windows protocol, Server Message Block (SMB), was patched for Windows XP, Windows Server 2003, and Windows 2000 in February, but because NT 4 had reached the end of its support lifecycle December 31, 2004, no public fix was issued by Microsoft.

Microsoft does provide security patches for NT 4.0 customers who pay for custom support, a service available through the end of 2006.

However, that leaves a large number of Web sites vulnerable to hacks based on the SMB vulnerability, said Netcraft, a U.K.-based Web metrics and monitoring firm. According to Netcraft's most recent Web server survey, about 1.1 percent of Web-facing hostnames, or approximately 680,000, run on Windows NT 4.

Thousands of those hostnames, said Netcraft, are on SSL-enabled sites which may be conducting e-commerce, and thus particularly attractive to hackers.

"If your organization is unlucky enough to still have Windows NT 4.0 systems (most do) and you're not able to pay for extended support then you do not have a whole lot of options," wrote Marc Maiffret, the chief hacking officer at eEye Digital Security, in a message to the Bugtraq security mailing list.

Maiffret suggested a workaround that might mitigate some potential attacks. "...enable SMB signing. This does not truly mitigate the attack but instead it creates change in the SMB protocol that most attack tools I have seen do not support. Therefore it breaks them from being able to successfully exploit remote systems."

More information on how to turn on SMB signing can be found on Microsoft's Web site.

For its part, Microsoft has been aggressively pushing NT 4 customers to migrate to Windows Server 2003. In the February security bulletin on the SMB vulnerability, for instance, Microsoft stated, "It should be a priority for customers who have these [NT] operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities."

In later December 2004, as Microsoft was announcing a year extension of its custom support for NT 4, one of its executives was even more blunt.

"Windows NT Server 4.0 was developed before the era of sophisticated Internet based attacks," said Peter Houston, the senior director of the Windows serviceability group, in a statement. "It has reached the point of architectural obsolescence. It would be irresponsible to convey a false sense of security by extending public support for this server product."

SMB is used by Windows to share files, printers, and serial ports, and to communicate between computers, particularly between servers and client desktops. The vulnerability disclosed last month could allow a hacker to take complete control of the targeted system by sending it a specially-crafted SMB packet.
Add comment  Email to a Friend

Copyright © 2001-2024 Computer Crime Research Center
CCRC logo