Users who do not upgrade when product support ends are left with vulnerable PCs, with no means of patching, said Graham Titterington, principal analyst at Ovum. "Any insecure computer on a network is a risk to the whole network," he said.
In the past, Microsoft was committed to supporting a product for five years from the day it shipped. Users could then buy extended support to provide security fixes for a further two years.
After this time, any user who wanted to keep running the software with support could approach Microsoft for a custom contract, which could cost as much as £100,000 a year.
Now users who purchase extended support from Microsoft will receive five years of security support on top of the five years of mainstream product support.
Lars Ahlgren, global marketing manager for Microsoft services, said Microsoft would provide patches for products in extended support, but warned that it would not produce patches for every security alert. "This will not mean automatic patches," he said.
Ahlgren also said the lifecycle guarantee only applies to products currently in mainstream support. Users running Windows 2000, where mainstream support ends in June 2005, can buy extended support until June 2010, but those running NT4 are not covered.
Explaining the decision, Ahlgren said, "Products in the extended phase [of support] are very difficult to patch and make secure." Microsoft was confident it could maintain security on Windows 2000, he said, because it had a lot of similarities with Windows 2003.
Gartner said Microsoft's reluctance to release fixes for holes in Windows NT 4 Workstation until it sees a serious exploit "in the wild" was somewhat short-sighted. Since Microsoft will already be creating critical security fixes for enterprise NT users paying for custom support until the end of 2005, it should make these fixes available to all NTW4 customers, said Gartner.