#1
 31-March-2003, 09:20
Microsoft Unable to Patch Windows NT Flaw
from compwire
Microsoft Corp has said that it is unable to patch a security flaw in its Windows NT 4.0 operating system that could lead to a denial of service attack, due to the product's "architectural limitations".
The company's latest security bulletin outlines a vulnerability in the Remote Procedure Call protocol Endpoint Mapper process that could enable an attacker to initiate a denial of service attack via TCP/IP port 135. The flaw could enable an attacker to cause machines to fail, although they would not be able to modify or retrieve data or execute code, the company said.
The vulnerability has been rated by Microsoft as "important" and affects Windows NT 4.0, Windows 2000 and Windows XP. But while the company has issued patches to fix the later versions of its operating system, it said it was unable to provide a patch for Windows NT 4.0.
"Although Windows NT 4.0 is affected by this vulnerability, Microsoft is unable to provide a patch for this vulnerability for Windows NT 4.0," said the company in its security bulletin. "The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability."
Instead the company has urged Windows NT 4.0 users to protect their systems with a firewall that blocks port 135. "The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture," the company said. "Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0."
The company explained that to fix the vulnerability "would require re-architecting a very significant amount of the Windows NT 4.0 operating system. The product of such a re-architecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system."
While Windows 2000 and Windows XP users are able to download a patch from Microsoft's TechNet web site, it looks like Windows NT 4.0 users have little choice but to opt for the firewall workaround. "Microsoft has extensively investigated an engineering solution for NT 4.0 and found that the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future," the company concluded.
What would be the point of upgrading if all the bugs were fixed?
Sil