Microsoft Refuses To Patch NT4 Vulnerability

Another security vulnerability has been reported with Microsoftis line of server operating systems. While such news is nothing new to long-time Microsoft watchers, the difference between the new issue and past ones lies in the response from Redmond. According to an article published in the Register, Windows XP and 2000 users need to install a patch but NT 4.0 users are simply out of luck. According to the article:

The vulnerability involves the Microsoftis implementation of Remote Procedure Call protocol, more specifically the component that deals with message exchange over TCP/IP. Malformed messages received by the Endpoint Mapper process, which listens on TCP/IP port 135, might cause a server to hang.

The Microsoft TechNet bulletin, issued to address the possible denial of service attack states that they will never correct the flaw for NT 4.0 because it would be too difficult and could cause application incompatibility. From the bulletin:

The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture, Due to these fundamental differences ... it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected.

Unfortunately, Microsoft only offers one suggestion for the massive number of customers still using the older operating system. It strongly recommends placing all Windows NT 4.0 servers behind a firewall that blocks service to the affected port.