Microsoft Issues NT4 Denial Of Service

Company declines to patch a new hole in NT4 RPC Endpoint Mapper, writes Security Supersite Editor Larry Seltzer. Is it really an architectural limitation, or is Microsoft sending a signal?

Theres something new in Microsofts latest security bulletin.

The vulnerability disclosed in the bulletin applies to Windows NT4, Windows 2000 and Windows XP. The company announced, however, that options for fixing the former are limited: "Microsoft tested Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition. These platforms are vulnerable to the denial-of-service attack; however, due to architectural limitations it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability."

Instead, Microsoft recommends using the corporate firewall to block TCP Port 135, which is the attack vector for the problem. Its worth repeating that this attack is just a denial-of-service attack, not one that could compromise any data on the system. Blocking Port 135 would prevent the attack from the Internet, although compromised systems within the firewall could still launch an attack.

Taking a cynical approach, its really, really tempting not to take Microsoft at their word here, although thats probably unfair. I really dont know enough about the vulnerability to say whether, as Microsoft claims, NT4s RPC architecture is so brain-dead that implementing the fix on it would necessitate a substantial code rewrite that would probably break a large number of applications. Its perfectly possible that this explanation is correct.

On the other hand, NT4 is in its twilight years. You wont be able to buy a copy of it anywhere after June 30 of this year, and Microsoft will begin to withdraw support after that. Ive said for a while that the time would soon come when Microsoft would decline to fix some security problem in NT4, and NT4 users would regret not upgrading at that point.

This sort of policy is hardly unique to Microsoft. Both Sun and Red Hat have set policies about how old a version of their products they will support, even for security issues. Its something to think about when considering the security of your systems. Maybe the motto "If it aint broke, dont fix it" means youre asking for trouble down the road when it breaks and no fix is available.

Ever since the betas of Windows 2000 (when Microsoft was still calling it NT5), its been clear to me that its a substantially better product than Windows NT4. Its far more reliable, performs better, has better hardware support, and just plain works better than NT4 in every way. Yet the resistance to migrating to Windows 2000 was stiff, largely for two reasons: Corporations were intimidated by the steep learning curve of Active Directory, and many of the better features of Windows 2000 require Active Directory. Windows 2000 also came out after the great spending binge prompted by Y2K remediation. A lot of the hardware bought to prepare for Y2K might have been marginal or even inadequate to Windows 2000. I dont blame customers for putting a purchase off.

But its 2003 now, and there is still a ton of Windows NT4 out there. I know this anecdotally, but perhaps an informal survey will make the point. According to Netcraft, 16 of the FTSE 100s Web sites run Windows NT4. This is truly difficult to contemplate. Six of the NASDAQ 100 run it. I doubt any of these companies have anything to fear from this new RPC vulnerability; its the next one they should fear, or the one after that.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.