Microsoft Refuses To Patch NT4 Vulnerability

by , 8:00 AM EST, March 28th, 2003

Another security vulnerability has been reported with Microsoft's line of server operating systems. While such news is nothing new to long-time Microsoft watchers, the difference between the new issue and past ones lies in the response from Redmond. According to an article published in the Register, Windows XP and 2000 users need to install a patch but NT 4.0 users are simply out of luck. According to the article:

The vulnerability involves the Microsoft's implementation of Remote Procedure Call protocol, more specifically the component that deals with message exchange over TCP/IP. Malformed messages received by the Endpoint Mapper process, which listens on TCP/IP port 135, might cause a server to hang.

The Microsoft TechNet bulletin, issued to address the possible denial of service attack states that they will never correct the flaw for NT 4.0 because it would be too difficult and could cause application incompatibility. From the bulletin:

The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture, Due to these fundamental differences ... it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected.

Unfortunately, Microsoft only offers one suggestion for the massive number of customers still using the older operating system. It strongly recommends placing all Windows NT 4.0 servers behind a firewall that blocks service to the affected port.

The Mac Observer Spin:

Despite the fact that Windows NT 4 is a discontinued product, it's horrible for Microsoft to just throw up its hands and declare that there is no, and never will be, a fix for the flaw. This is especially true since Microsoft freely admits fault through a flaw in its architecture. Also interesting to note is the fact that Microsoft didn't say it was impossible to fix, just that the company didn't want to spend the time to do it correctly.

Given its tendency to strive for ever-increasing sales, this looks like a move to convince administrators it is in their best interest to upgrade. Not only is it proclaiming NT4 to have an unfixable flaw but even goes so far as to call it "much less robust" in comparison to its currently available server products. It wouldn't surprise us to see more of these unfixable bugs pop up in the not-so-distant future.

This raises an interesting issue of corporate responsibility. Should an organization such as the Federal Trade Commission force Microsoft to either fix the flaw or compensate the users in the form of a rebate on a new operating system? Just how long should a company have to keep issuing patches on discontinued software?

The Register