• PC World
• »Software
• »Operating Systems

Microsoft's statement on Wednesday that it would not offer a version of a security patch for NT 4 has called into question the company's earlier promise to continue supporting the operating system through the end of 2004, and has raised concern among its customers.

A new vulnerability could expose computers running certain Windows operating systems to a denial-of-service attack, Microsoft warns in a security bulletin, MS03-010.

The flaw lies in Microsoft's implementation of a protocol called RPC (Remote Procedure Call), which allows applications on a computer to call applications on another computer in a network. An attack on the RPC service could cause the networking services on the system to fail, Microsoft says in its bulletin.

Microsoft's security bulletin contains links to software patches for the Windows 2000 and Windows XP operating systems. Regarding Windows NT, however, Microsoft says that "the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future."

Major Changes

Significant differences in the architecture of RPC in Windows 2000 were behind the Redmond, Washington, company's stance on patching NT, according to the bulletin.

"Due to [the] fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability," Microsoft says.

Windows NT customers are advised to put affected systems behind a firewall that blocks traffic on TCP/IP Port 135, the port used by the flawed RPC Endpoint Mapper process.

That change would protect organizations from outside attackers, Microsoft says.

Tech-Support Stance

Despite efforts to encourage its users to migrate from the NT platform to Windows 2000, more than a third of the company's installed base still consists of machines running NT, according to Al Gillen, research director of systems software at IDC.

In January, Microsoft responded to calls from its customers to extend support of NT, announcing that pay-per-incident and premier support for Windows NT Server 4 will run through December 31, 2004, but that non-security-related hot fixes will end as of January 1, 2004.

In its security bulletin issued on Wednesday, Microsoft does not address the promise made in January to support NT.

The decision not to issue an RPC patch was probably not part of a move to withdraw NT support, Gillen says.

"If Microsoft was interested in twisting its customers' arms, they wouldn't have extended support of NT 4.0 earlier this year. It's inconsistent to extend support and then say, 'We're not going to patch this' or 'We're not going to patch that' to try to twist their arms," Gillen says.

Reason to Upgrade?

Others disagree, saying the decision is part of a calculated effort to move customers off the aging NT platform.

"Part of [Microsoft's] logic is, 'We don't want to encourage people to stay on Win NT 4,'" says John Pescatore of research firm Gartner.

However, Microsoft gets a pass from Pescatore on the RPC vulnerability.

"If this was a year ago, I would have said, 'That's shoddy business practice.' But NT 4.0 is six years old, and Windows 2000 has been out for three years," Pescatore says.

In addition, few business applications rely on TCP/IP port 135, which must now be blocked to resolve the RPC problem on NT, lessening the impact of the problem, he says.

While the install base for NT has declined steadily from one year ago, when it was more than half of Microsoft's install base, Microsoft will likely have to contend with the needs of its NT customers for years to come, regardless of the availability of alternatives, Gillen says.

"I'm not of the opinion that Windows Server 2003 is going to create a surge in NT 4.0 upgrades. If these customers were so anxious to upgrade, they would have done it by now," he says.

Despite Microsoft's product road map, most companies follow their own schedules for upgrading operating systems and computer hardware. Often those schedules plan on using an operating system for four or five years and then upgrading to whatever the most advanced platform is at the time.

Longer Life Cycles

That's the case at the Beth Israel Deaconess Medical Center in Boston, where half of the hospital's 200 servers and 4500 desktops run Windows NT, according to John Halamka, chief information officer of CareGroup Health System and the Harvard University Medical School.

Because of tight capital-allocation budgets at the hospital, BIDMC plans hardware and software upgrades on a five- or six-year cycle, Halamka says.

That makes moving from NT a practical impossibility for now on many of the hospital's systems.

"A lot of our desktops are still running on [Intel's] Pentium IIs or Pentium IIIs with 128MB of RAM. Windows 2000 is not optimal from a memory and CPU standpoint for five-year-old hardware," he says.

While BIDMC is planning to buy new hardware and migrate from NT, the process will take a couple of years, according to Halamka.

BIDMC's network configuration is such that the hospital is unlikely to be affected by the RPC vulnerability. However, the decision by Microsoft to not issue a security patch for NT is a concern, he says.

"I've had discussions with Microsoft personnel and told them that they need to understand the nature of life-cycle management in the health care and nonprofit sectors. [Microsoft] needs to think about a five- or six-year life cycle instead of a two-year life cycle," Halamka says.

Despite the unpatched vulnerability, Halamka says BIDMC will continue using NT.

"NT 4.0 still has a couple years left in it," Halamka says.

In addition, future security vulnerabilities may make it harder for Microsoft to pass on a patch, requiring the company to invest the time in resources to correct the code.

"Realistically, it's going to be a question of 'Okay, is this a critical vulnerability that could lend to a dangerous attack?' For those [vulnerabilities] that are, they should still make the call and issue the patch even if it leads to many lines of code," Pescatore says.

However, for vulnerabilities that don't meet that standard, Pescatore says to expect more security patches that pass over NT.

"You're going to see more of this type of thing as they start winding down [NT]," he says.

• See more like this:
• Windows 2000,
• Windows NT,
• Windows XP,
• Windows Server 2003,
• patch,
• flaw,
• security,
• hole,
• vulnerability,
• support,
• RPC,
• Beth Israel Deaconess Medical Center