Microsoft will not patch NT4 hole

Users of Windows NT 4.0 have been left open to denial of service attacks after Microsoft said "architectural limitations" make it...

Users of Windows NT 4.0 have been left open to denial of service attacks after Microsoft said "architectural limitations" make it "infeasible" (sic) to patch a vulnerability on the platform - even though mainstream support for NT 4.0 is not due to end until June 2003 and extended support continues until 31 December 2004.

The lack of a patch will come as a blow to the large number of UK users still running NT 4.0. It will also add to scepticism over Microsoft's Trustworthy Computing initiative - last month the company issued a patch that caused some Windows 2000 servers to fail.

Ashim Pal, vice-president at analyst firm Meta Group, said the vast number of NT 4.0 users in the UK would be "screaming blue murder" about the patch not being available. "At least 25% of UK servers running Microsoft are NT 4.0," he said.

Pal said Microsoft's excuse for not providing a patch was "lame". On its website the company said, "Due to architectural limitations it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability." Pal advised NT 4.0 users to put pressure on Microsoft, because the company could be testing customer reactions.

"Microsoft is trying to kill NT 4.0 as fast as it can," said Pal, who warned that this unpatched vulnerability might not be the last.

Roger Ellis, treasurer of IT user group Elite, said Microsoft's action was "poor" and the supplier should still be offering support for users. He said NT 4.0 is still the bedrock of many companies' IT infrastructures and suggested that Microsoft was holding out for the June deadline, when mainstream support for NT 4.0 will end.

However, although the situation is not ideal, Ellis said the company has provided an escape route because users could resolve the problem by upgrading to Windows 2000 or XP.

Microsoft has issued a patch for Windows XP and 2000, which are also affected by the vulnerability outlined in security bulletin MS03-010. It has advised NT 4.0 users to shield vulnerable NT servers behind a firewall, but this would still leave networks open to an internal attack.

The vulnerability lies in the Remote Procedure Call protocol that allows applications on networked PCs to communicate. An attack on the RPC service could cause the networking services on the system to fail.

Simon Conant, security programme manager at Microsoft, said it was not possible to patch the vulnerability on NT 4.0. The problem is that Windows 2000 introduced an RPC architecture that does not exist in NT 4.0. "We are not in a position to Band Aid it - you can't code a patch," he said.

Conant said a solution for the flaw would involve re-engineering the networking for NT 4.0 from the ground up. "We are talking years here," he said.

This would also result in a new product, NT 4.5, and existing applications running on NT 4.0 would have to be tested to see if they could run on the new system, he added.

Windows denial of service danger

What is the problem?

There is a vulnerability in the part of the RPC protocol used by Windows that deals with message exchange over TCP/IP. The failure results from incorrect handling of malformed messages. It affects the RPC endpoint mapper process, which listens on TCP/IP port 135.

What systems are affected?

Windows NT 4.0, Windows 2000 and Windows XP.

What action should users take?

Windows 2000 and XP users can download a patch from the Microsoft website. There is currently no patch for NT 4.0, so users should shield vulnerable servers behind a firewall. Analyst Ashim Pal advised users to "hassle" Microsoft in the hope that user pressure would lead to the creation of a patch. However, Simon Conant, security programme manager at Microsoft, insisted it was "not possible" to patch the vulnerability on NT 4.0.
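As an added example, not part of the article or of Microsoft's advice, the check below is the sort of audit an administrator relying on the firewall workaround could run over perimeter firewall logs: it flags TCP/135 connections that reached the endpoint mapper from outside the assumed internal ranges (where the shielding failed) and internal sources opening many connections to it (the internal risk a firewall cannot remove). The log format, the sample lines, the RFC 1918 internal ranges and the burst threshold are all assumptions.

```python
import ipaddress
import re
from collections import Counter
# Constructed sample firewall log lines (not from the article); the format
# "date time ACTION PROTO src dst sport dport" is an assumption.
SAMPLE_LOG = """\
2003-03-28 10:01:02 ALLOW TCP 10.1.2.3 10.1.0.5 1342 135
2003-03-28 10:01:03 ALLOW TCP 10.1.2.3 10.1.0.5 1343 135
2003-03-28 10:01:03 ALLOW TCP 10.1.2.3 10.1.0.5 1344 135
2003-03-28 10:01:04 ALLOW TCP 192.0.2.77 10.1.0.5 4020 135
2003-03-28 10:01:05 DROP TCP 198.51.100.9 10.1.0.5 5511 135
2003-03-28 10:01:06 ALLOW TCP 10.1.2.9 10.1.0.5 2200 445
"""
LINE_RE = re.compile(r"^(\S+ \S+) (ALLOW|DROP) (TCP|UDP) (\S+) (\S+) (\d+) (\d+)$")
EPMAP_PORT = 135  # RPC endpoint mapper port named in the article
# Assumed internal ranges (RFC 1918); adjust to the site's own addressing.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, dst, sport, dport = m.groups()
    return {"ts": ts, "action": action, "proto": proto, "src": src,
            "dst": dst, "sport": int(sport), "dport": int(dport)}

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit_epmap_exposure(log_text, burst_threshold=3):
    """Allowed TCP/135 traffic: external_allowed lists (src, dst) pairs from
    outside INTERNAL_NETS that the firewall let through (the recommended
    shielding failed); internal_bursts maps internal pairs with at least
    burst_threshold connections, the risk a perimeter firewall cannot remove."""
    external_allowed, per_pair = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (not rec or rec["proto"] != "TCP" or rec["dport"] != EPMAP_PORT
                or rec["action"] != "ALLOW"):
            continue  # only allowed TCP/135 attempts reached the server
        pair = (rec["src"], rec["dst"])
        if is_internal(rec["src"]):
            per_pair[pair] += 1
        else:
            external_allowed.append(pair)
    bursts = {p: n for p, n in per_pair.items() if n >= burst_threshold}
    return {"external_allowed": external_allowed, "internal_bursts": bursts}
```

An entry in external_allowed means the firewall rule the article recommends is not actually in force for that path; entries in internal_bursts are the cases that rule can never cover and need investigation on the internal network.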
