Microsoft issues patch for security flaw in NT4.0 after six-week wait

Microsoft has finally issued a software patch for a major flaw in NT4.0 that enables hackers to take over servers via the internet, after keeping users waiting for six weeks.

The vulnerability came to light in March after an attacker compromised a military server running Windows 2000 using the WebDAV component of Microsoft Internet Information Services (IIS) 5.0.

Microsoft released the patch in the same week that computer security firm Citadel Security Software warned of a new automated tool for exploiting a WebDAV vulnerability on unpatched systems.

Last month Microsoft was forced to replace the original patch it issued for the Windows 2000 operating system after it was discovered that the patch was also affected by the flaw and caused some Windows 2000 servers to fail.

Simon Conant, security programme manager at Microsoft, said six weeks is "not an unreasonable test cycle" for a patch and denied that NT4.0 users had been left vulnerable.

He pointed out that the WebDAV component does not exist in NT4.0, but stressed that users need to apply the patch as a "defence in depth".

Conant also denied that Microsoft was trying to get the large installed base of NT4.0 users to upgrade by raising concerns over security issues.

Analyst firm Meta Group estimates that at least 25% of UK servers running Microsoft are using NT4.0.

"We are committed to providing patches for NT4.0 during its entire lifecycle," said Conant. "If we were trying to kill off NT4.0, why would we release this patch?"

However, Ashim Pal, vice-president at Meta Group, believes Microsoft is trying to kill off NT4.0 as fast as it can.

"If Microsoft had a choice it would not spend a single euro on NT4.0. It will do what it needs to satisfy immediate customer pain and no more," he said.

Pal said users also have a responsibility to plan for the end of NT4.0 support, as the dates for the end of the NT4.0 lifecycle have been known for some time and have already been extended once.

Last month Microsoft said it would not be issuing a patch for another vulnerability found to be affecting NT4.0, despite the fact that mainstream support for NT4.0 is not due to end until June 2003, with extended support continuing until December 2004.

A flaw in the Remote Procedure Call protocol, which allows applications on networked PCs to communicate, leaves NT4.0 users' systems open to denial of service attacks.

Microsoft said architectural limitations make it "infeasible" to patch the RPC vulnerability. However, Pal called Microsoft's excuse for not providing a patch "lame".