Microsoft on Thursday labeled as “important” a
vulnerability found in the RPC Endpoint Mapper protocol that could lead to
denial-of-service attacks. While patches were issued for Windows XP and
Windows 2000 systems, the company said it was unable to provide a fix for
Windows NT 4.0.
The 10th security alert from Microsoft warned
of a flaw in the part of RPC that deals with message exchange over TCP/IP.
The failure results from incorrect handling of malformed messages and
affects the RPC Endpoint Mapper process, which listens on TCP/IP port
135.
To exploit the bug, Microsoft said an attacker would have to establish a
TCP/IP connection to the Endpoint Mapper process on a remote machine and
begin the RPC connection negotiation before transmitting a malformed
message. “Because the Endpoint Mapper runs within the RPC service itself,
exploiting this vulnerability would cause the RPC service to fail, with the
attendant loss of any RPC-based services the server offers, as well as
potential loss of some COM functions,” the company cautioned.
“This vulnerability only permits a denial of service attack and does not
provide an attacker with the ability to modify or retrieve data on the
remote machine,” the company added.
Download locations for patches to two of the three vulnerable platforms
were issued on Microsoft’s TechNet database, but there was no patch available for Windows NT 4.0.
Instead, the company suggested workarounds to secure vulnerable NT 4.0
systems. In its advisory, Microsoft appeared to be advising customers to
shift away from the NT platform. “The Windows NT 4.0 architecture is much
less robust than the more recent Windows 2000 architecture. Due to these
fundamental differences between Windows NT 4.0 and Windows 2000 and its
successors, it is infeasible to rebuild the software for Windows NT 4.0 to
eliminate the vulnerability,” Microsoft said.
It said a patch for the NT 4.0 flaw would require “rearchitecting a very
significant amount of the Windows NT 4.0 operating system, and not just the
RPC component affected,” adding that such a rearchitecture effort would be
so incompatible with Windows NT 4.0 that there would be no assurance that
applications designed to run on Windows NT 4.0 would continue to operate on
the patched system.
Instead, NT 4.0 users are urged to protect those systems by placing them
behind a firewall that filters traffic on port 135. “Microsoft has
extensively investigated an engineering solution for NT 4.0 and found that
the Windows NT 4.0 architecture will not support a fix to this issue, now or
in the future,” the company said.
Microsoft also recommended that sysadmins block all TCP/IP ports that are
not actually being used, warning that the RPC protocol over TCP is not
intended to be used in hostile environments such as the internet.