Microsoft Issues NT4 Denial Of Service

By Larry Seltzer  |  Posted 2003-03-28 Print this article Print

Company declines to patch a new hole in NT4 RPC Endpoint Mapper, writes Security Supersite Editor Larry Seltzer. Is it really an architectural limitation, or is Microsoft sending a signal?

Theres something new in Microsofts latest security bulletin.

The vulnerability disclosed in the bulletin applies to Windows NT4, Windows 2000 and Windows XP. The company announced, however, that options for fixing the former are limited: "Microsoft tested Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition. These platforms are vulnerable to the denial-of-service attack; however, due to architectural limitations it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability."

Instead, Microsoft recommends using the corporate firewall to block TCP Port 135, which is the attack vector for the problem. Its worth repeating that this attack is just a denial-of-service attack, not one that could compromise any data on the system. Blocking Port 135 would prevent the attack from the Internet, although compromised systems within the firewall could still launch an attack.

Taking a cynical approach, its really, really tempting not to take Microsoft at their word here, although thats probably unfair. I really dont know enough about the vulnerability to say whether, as Microsoft claims, NT4s RPC architecture is so brain-dead that implementing the fix on it would necessitate a substantial code rewrite that would probably break a large number of applications. Its perfectly possible that this explanation is correct.

On the other hand, NT4 is in its twilight years. You wont be able to buy a copy of it anywhere after June 30 of this year, and Microsoft will begin to withdraw support after that. Ive said for a while that the time would soon come when Microsoft would decline to fix some security problem in NT4, and NT4 users would regret not upgrading at that point.

This sort of policy is hardly unique to Microsoft. Both Sun and Red Hat have set policies about how old a version of their products they will support, even for security issues. Its something to think about when considering the security of your systems. Maybe the motto "If it aint broke, dont fix it" means youre asking for trouble down the road when it breaks and no fix is available.

Ever since the betas of Windows 2000 (when Microsoft was still calling it NT5), its been clear to me that its a substantially better product than Windows NT4. Its far more reliable, performs better, has better hardware support, and just plain works better than NT4 in every way. Yet the resistance to migrating to Windows 2000 was stiff, largely for two reasons: Corporations were intimidated by the steep learning curve of Active Directory, and many of the better features of Windows 2000 require Active Directory. Windows 2000 also came out after the great spending binge prompted by Y2K remediation. A lot of the hardware bought to prepare for Y2K might have been marginal or even inadequate to Windows 2000. I dont blame customers for putting a purchase off.

But its 2003 now, and there is still a ton of Windows NT4 out there. I know this anecdotally, but perhaps an informal survey will make the point. According to Netcraft, 16 of the FTSE 100s Web sites run Windows NT4. This is truly difficult to contemplate. Six of the NASDAQ 100 run it. I doubt any of these companies have anything to fear from this new RPC vulnerability; its the next one they should fear, or the one after that.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel