Microsoft Patches Security Hole -- But Not For NT 4 Users
Microsoft posted fixes for Windows 2000 and Windows XP, but no NT patch is forthcoming; the company said a patch for NT is "infeasible."
The flaw is in the operating system's Remote Procedure Call (RPC) capabilities, which allow a program running on one computer to execute a program on another. In particular, the problem resides in the RPC endpoint mapper, which allows RPC clients to determine the port number assigned to a particular RPC service. The failure results in the incorrect handling of malformed messages.
"Architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove the vulnerability," Microsoft said in a statement online explaining the vulnerability and providing pointers to the patches.
RPC architecture was changed extensively during the development of Windows 2000.
"Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability," Microsoft said. To fix the problem in NT, changes would have to go beyond the RPC software, and might break application compatibility.
Microsoft said customers still using Windows NT 4.0 can protect systems by placing them behind a firewall that filters traffic on port 135.
This story courtesy of InternetWeek.com.