March 28, 2003, 2:27 PM — Microsoft's statement on Wednesday that it would not offer a version of a security patch for NT 4.0 has called into question an earlier promise to continue supporting the operating system through the end of 2004 and raised concern among its customers.
The new vulnerability could expose computers running the operating systems to a denial of service attack, Microsoft warned in its security bulletin, MS03-010, on Wednesday. (http://www.microsoft.com/technet/security/bulletin/MS03-010.asp)
The flaw lies in Microsoft's implementation of a protocol called RPC (Remote Procedure Call), which allows applications on a computer to call applications on another computer in a network. An attack on the RPC service could cause the networking services on the system to fail, Microsoft said in its bulletin.
Microsoft's security bulletin contained links to software patches for both the Windows 2000 and Windows XP operating systems. Regarding Windows NT 4.0, however, Microsoft said that "the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future."
Major changes to the architecture of RPC in Windows 2000 were behind the Redmond, Washington company's stance on patching NT 4.0, according to the bulletin.
"Due to (the) fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability," Microsoft said.
Windows NT 4.0 customers were advised to put affected systems behind a firewall that blocks traffic on TCP/IP (Transmission Control Protocol/Internet Protocol) Port 135, the port used by the flawed RPC Endpoint Mapper process.
That change would protect organizations from outside attackers, Microsoft said.
Despite efforts to encourage its users to migrate from the NT platform to Windows 2000, more than a third of the company's installed base still consists of machines running the NT 4.0, according to Al Gillen, research director of systems software at IDC.
In January, Microsoft responded to calls from its customers to extend support of NT 4.0, announcing that pay-per-incident and premier support for Windows NT Server 4.0 will run through Dec. 31, 2004, but that non security-related hot fixes would end as of Jan. 1, 2004.
In its security bulletin Wednesday, Microsoft did not address the promise made in January to support NT 4.0.
The decision not to issue an RPC patch was probably not part of a move to withdraw NT 4.0 support, Gillen said.