Windows NT4 Holdouts Open to Security Hole

Hundreds of thousands of web sites that continue to run the Windows NT4 face a security dilemma, with no public patch available for a vulnerability in a key Windows networking protocol. The critical flaw in the Server Message Block (SMB) protocol could allow remote attackers to seize control of servers.

Microsoft addressed the SMB issue in its February security update. But the monthly Windows patches no longer include fixes for Windows NT4, which is beyond its end-of-life and remains vulnerable to SMB exploits, according to an advisory from eEye Security.

Microsoft retired NT Server 4.0 on Dec. 31, and now only offers custom paid support for the eight-year old OS. But about 1.1 percent of web-facing hostnames continue to run on Windows NT4, according to this month's Web Server Survey. Thousands of those hostnames are on SSL-enabled web sites which may be conducting e-commerce.

The SMB protocol allows Windows computers to share files and printers on a network. A flaw in the way SMB handles incoming data provides an opening for hackers. "An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft says in its advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

"If your organization is unlucky enough to still have Windows NT 4.0 systems ... then you do not have a whole lot of options," wrote eEye's Marc Maiffret, who noted that enabling SMB signing could offer additional protection for some NT4 servers, but might also interfere with existing applications.

Microsoft has been urging Windows server customers to update to Windows Server 2003, citing security as a motivation to migrate fropm NT4. "Windows NT Server 4.0 was developed before the era of sophisticated Internet based attacks. It has reached the point of architectural obsolescence," said Peter Houston, Microsoft's senior director of Windows Serviceability. "It would be irresponsible to convey a false sense of security by extending public support for this server product."