Microsoft failure to patch NT 4.0 raises support issue

Microsoft’s statement Wednesday that it would not offer a version of a security patch for NT 4.0 has called into question an earlier promise to continue supporting the operating system through the end of 2004 and raised concern among its customers.

The new vulnerability could expose computers running the operating systems to a denial-of-service attack, Microsoft warned in its security bulletin, MS03-010, on Wednesday.

The flaw lies in Microsoft’s implementation of a protocol called Remote Procedure Call, which allows applications on a computer to call applications on another computer in a network. An attack on the RPC service could cause the networking services on the system to fail, Microsoft said in its bulletin.

Microsoft’s security bulletin contained links to software patches for the Windows 2000 and Windows XP operating systems. Regarding Windows NT 4.0, however, Microsoft said that “the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future.”

Major changes to the architecture of RPC in Windows 2000 were behind the Redmond, Wash., company’s stance on patching NT 4.0, according to the bulletin.

“Due to (the) fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability,” Microsoft said.

Windows NT 4.0 customers were advised to put affected systems behind a firewall that blocks traffic on TCP/IP Port 135, the port used by the flawed RPC Endpoint Mapper process.

That change would protect organizations from outside attackers, Microsoft said.

Despite efforts to encourage its users to migrate from the NT platform to Windows 2000, more than a third of the company’s installed base still consists of machines running the NT 4.0, according to Al Gillen, research director of systems software at IDC.

In January, Microsoft responded to calls from its customers to extend support of NT 4.0, announcing that pay-per-incident and premier support for Windows NT Server 4.0 will run through Dec. 31, 2004, but that non security-related hot fixes would end as of Jan. 1, 2004.

In its security bulletin Wednesday, Microsoft did not address the promise made in January to support NT 4.0.

The decision not to issue an RPC patch was probably not part of a move to withdraw NT 4.0 support, Gillen said.

“If Microsoft was interested in twisting its customers’ arms, they wouldn’t have extended support of NT 4.0 earlier this year. It’s inconsistent to extend support then say ‘We’re not going to patch this’, or ‘We’re not going to patch that’ to try to twist their arm,” Gillen said.

Others disagree, saying the decision is part of a calculated effort to move customers off the aging NT platform.

“Part of (Microsoft’s) logic is ‘We don’t want to encourage people to stay on Win NT 4,” said John Pescatore of research firm Gartner.

However, Microsoft gets a pass from Pescatore on the RPC vulnerability.

“If this was a year ago, I would have said ‘That’s shoddy business practice’. But NT 4.0 is six years old and Windows 2000 has been out for three years,” Pescatore said.

In addition, few business applications rely on TCP/IP port 135, which must now be blocked to resolve the RPC problem on NT 4, lessening the impact of the problem, he said.

While the install base for NT 4.0 has declined steadily from one year ago, when it was more than half of Microsoft’s install base, Microsoft will likely have to contend with the needs of its NT 4.0 customer for years to come, regardless of the availability of alternatives, Gillen said.

“I’m not of the opinion that Windows Server 2003 is going to create a surge in NT 4.0 upgrades. If these customers were so anxious to upgrade, they would have done it by now,” he said.

Despite Microsoft’s product road map, most companies follow their own schedules for upgrading computer hardware and operating systems. Often those schedules plan on using an operating system for four or five years, then upgrading to whatever the most advanced platform is at the time.

That’s the case at The Beth Israel Deaconess Medical Center (BIDMC) in Boston, where half of the hospital’s 200 servers and 4500 desktops run Windows NT 4.0, according to John Halamka, chief information officer of CareGroup Health System and the Harvard University Medical School.

Because of tight capital allocation budgets at the hospital, BIDMC plans hardware and software upgrades on a five or six year cycle, Halamka said.

That makes moving from NT 4.0 a practical impossibility for now on many of the hospital’s systems.

“A lot of our desktops are still running on (Intel’s) Pentium 2’s or Pentium 3’s with 128 M-bits of RAM. Windows 2000 is not optimal from a memory and CPU standpoint for five year-old hardware,” he said.

While BIDMC is planning to buy new hardware and migrate from NT 4.0, the process will take a couple years, according to Halamka.

BIDMC’s network configuration is such that the hospital is unlikely to be affected by the RPC vulnerability. However, the decision by Microsoft to not issue a security patch for NT 4.0 is a concern, he said.

“I’ve had discussions with Microsoft personnel and told them that they need to understand the nature of lifecycle management in the health care and nonprofit sectors. (Microsoft) needs to think about a five or six year lifecycle instead of a two year lifecycle,” Halamka said.

Despite the unpatched vulnerability, Halamka said BIDMC will continue using NT 4.0.

“NT 4.0 still has a couple years left in it,” Halamka said.

In addition, future security vulnerabilities may make it harder for Microsoft to “pass” on a patch, requiring the company to invest the time in resources to correct the code.

“Realistically, going forward it’s going to be a question of ‘OK, is this a critical vulnerability that could lend to dangerous attack’. For those that are, they should still make the call and issue the patch even if it leads to many lines of code,” Pescatore said.

For those vulnerabilities that don’t meet that standard, however, Pescatore said to expect more security patches that pass over NT 4.0.

“You’re going to see more of this type of thing as they start winding down (NT 4.0),” he said.