The new vulnerability could expose computers running the operating systems to a denial of service attack, Microsoft warned in its security bulletin, MS03-010.
The flaw lies in Microsoft's implementation of a protocol called RPC (Remote Procedure Call), which allows applications on a computer to call applications on another computer in a network. Microsoft said an attack on the RPC service could cause the networking services on the system to fail.
Microsoft's security bulletin contained links to software patches for both the Windows 2000 and Windows XP operating systems. However, Microsoft said, "The Windows NT 4.0 architecture will not support a fix to this issue, now or in the future."
Major changes to the architecture of RPC in Windows 2000 were behind the company's stance on patching NT 4.0.
Microsoft said that because of fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it was "infeasible" to rebuild the software for Windows NT 4.0 to eliminate the vulnerability.
Windows NT 4.0 customers were advised to put affected systems behind a firewall that blocks traffic on TCP/IP (Transmission Control Protocol/Internet Protocol) Port 135, the port used by the flawed RPC Endpoint Mapper process. That change would protect organisations from outside attackers, Microsoft said.
Despite efforts to encourage its users to migrate from the NT platform to Windows 2000, more than a third of the company's installed base still consists of machines running the NT 4.0, according to Al Gillen, research director of systems software at IDC.
In January, Microsoft responded to calls from its customers to extend support of NT 4.0, announcing that pay-per-incident and premier support for Windows NT Server 4.0 will run through 31 December, 2004, but that non security-related hot fixes would end as of 1 January, 2004.
In its security bulletin on Wednesday, Microsoft did not address the promise made in January to support NT 4.0.
The decision not to issue an RPC patch was probably not part of a move to withdraw NT 4.0 support, Gillen said.
"If Microsoft was interested in twisting its customers' arms, they wouldn't have extended support of NT 4.0 earlier this year. It's inconsistent to extend support then say 'We're not going to patch this', or 'We're not going to patch that' to try to twist their arm," Gillen said.
Others disagree, saying the decision is part of a calculated effort to move customers off the ageing NT platform.
"Part of [Microsoft's] logic is 'We don't want to encourage people to stay on NT 4," said John Pescatore of research firm Gartner.
However, Pescatore was less critical about the RPC vulnerability.
"If this was a year ago, I would have said 'That's shoddy business practice'. But NT 4.0 is six years old and Windows 2000 has been out for three years," Pescatore said.
In addition, few business applications rely on TCP/IP port 135, which must now be blocked to resolve the RPC problem on NT 4, lessening the impact of the problem, he added.
While the install base for NT 4 has declined steadily from a year ago, when it was more than half of Microsoft's install base, Microsoft have to address the needs of its NT 4 customer for years to come, regardless of the availability of alternatives, Gillen said.
"I'm not of the opinion that Windows Server 2003 is going to create a surge in NT 4 upgrades. If these customers were so anxious to upgrade, they would have done it by now."
Pescatore added that Microsoft may still find itself putting considerable effort into NT4 patches if they fix a critical vulnerability that could lend to dangerous attack.
"For those that are, they should still issue the patch even if it leads to many lines of code," Pescatore said.
For those vulnerabilities that do not meet that standard, however, Pescatore warned users to expect more security patches that pass over NT 4.0 as Microsoft started to wind down NT 4.0.
This was first published in March 2003