Microsoft Ships IE IFRAME Fix, Announces Windows NT 4.0 Support Changes

Like last week, I have several high-profile enterprise-related stories to cover this week. This includes news about Microsoft's ever-evolving support story for Windows NT 4.0, which is edging ever closer to the sunset of its life cycle, and a fix (finally) for the infamous Microsoft Internet Explorer (IE) vulnerability that spawned the Bofra attack. Also, Microsoft just today released a release candidate (RC) for Windows Server 2003 Service Pack 1 (SP1).

Microsoft Extends NT 4.0 Custom Support
This week, Microsoft announced a revised support policy for Windows NT 4.0, which will reach the end of its Extended Support phase on December 31, 2004, less than a month from now. I wrote a general news article about this event for WinInfo Daily UPDATE (see the URL below), but I want to present some information here that is more relevant to Windows IT Pro UPDATE readers. If you're not aware of Microsoft's recent support policy changes, you need to be. The company now uses what it calls a "5+5" support lifecycle for its corporate-oriented products. This means that these products receive 5 years of Mainstream Support, in which Microsoft releases security and nonsecurity hotfixes for free, plus 5 years of Extended Support, in which only security updates are provided for free and customers can purchase an Extended Hotfix Support contract to receive nonsecurity fixes. After 10 years, products enter what Microsoft calls the Self-Help Online Support phase, which is exactly what it sounds like. I call that phase the "Migration phase," but whatever. NT 4.0 is the first Microsoft enterprise product to reach the end of its Extended Support phase, and because it's still widely used, some people have expressed concern that existing users will be left in the lurch. Microsoft has been fairly receptive to these concerns, and although the company is adamant that NT 4.0 users should migrate to a newer Windows Server version as soon as possible, it has also extended certain deadlines over the years to give NT 4.0 users more time to do so. This week, Microsoft came through again, but I suspect this will be the last extension. For NT 4.0 users attempting to migrate to Windows 2003 after December 31, Microsoft is offering a unique Custom Support Agreement--a fee-based service that will help NT 4.0 users remain protected while they figure out what to do. 
Originally scheduled to last for 1 year, Custom Support has been extended to 2 years and will now end on December 31, 2006, or roughly 10 years after Microsoft first released NT 4.0. Furthermore, customers that want to purchase the Custom Support service--which is a flat fee, regardless of the size of your NT 4.0 deployment--can now do so in 3-month chunks. Previously, you could buy only 6 months of service at a time. The Custom Support service offers access to new critical and important security fixes for NT 4.0 during the lifetime of your contract. (Until now, Microsoft promised to provide only critical fixes.) To find out more information, the software giant recommends that you contact your Microsoft account manager or technical account manager. A similar Custom Support Agreement is being made available to Microsoft Exchange Server 5.5 customers as well. Although I'm generally bewildered about Microsoft's lack of support for anything other than the latest version of a product, in this case, the company has a point. As Peter Houston, senior director of Windows Serviceability said, "Windows NT Server 4.0 was developed before the era of sophisticated Internet-based attacks. It has reached the point of architectural obsolescence. It would be irresponsible to convey a false sense of security by extending public support for this server product." It's time to move on, people.

IE IFRAME Vulnerability Fixed
In early November, Computer Emergency Response Team (CERT) security researchers reported a new vulnerability that affects Microsoft Internet Explorer (IE) 6.0, but not earlier versions (IE 5.0x and 5.5) or the version that Microsoft ships with Windows XP Service Pack 2 (SP2). Dubbed the IFRAME or HTML Elements vulnerability, the newly discovered security hole could let hackers construct a malicious Web page that could attack IE users who simply browsed to the page. Like many vulnerabilities these days, the IFRAME vulnerability takes advantage of a buffer overflow error to allow remote code execution. Soon after the vulnerability was revealed, an exploit variously named MyDoom.AG, MyDoom.AH, or Bofra began making the rounds. Bofra is a worm that spreads via email attachment or Web download, and it leverages the capabilities exposed by the IFRAME vulnerability to let hackers remotely control PCs and send more copies of the worm to other users via an embedded email engine. By the end of November, Bofra had emerged as, perhaps, the most high-profile electronic attack since the summer of 2003, when Blaster and Slammer were so damaging that Microsoft executives recast XP SP2 as a comprehensive security update. But Bofra quickly became infamous for two reasons: First, Microsoft didn't have a fix available for it for a month, but pledged that the problem was important enough that it would release one as soon as it was ready. Second, CERT, which had first published information about the vulnerability, ominously advised people to use a browser other than IE 6.0, noting, "there is no complete solution to this problem." Yikes. Fortunately, late last week, Microsoft issued a fix. The update described in Microsoft Security Bulletin MS04-040 (Cumulative Security Update for Internet Explorer), which you can find at the second URL below, finally addresses the IFRAME vulnerability and patches previously susceptible machines.
You can find out more information at the Microsoft Security Web site (URL below), but this patch has also been made available via Windows Update and Automatic Updates.

Windows Server 2003 SP1 RC1
Just as this issue of Windows IT Pro UPDATE was being prepared for publication, we received word that Microsoft had released the first RC for Windows 2003 SP1. I'll have more information about this important update next week, but if you're interested in evaluating Windows 2003 SP1 RC1, you can download the public beta from the Microsoft Web site today (see the URLs below).

Microsoft Extends Olive Branch to Corporate NT 4 Users
http://www.windowsitpro.com/windowspaulthurrott/article/articleid/44677/windowspaulthurrott_44677.html

Microsoft Security Bulletin MS04-040: Cumulative Security Update for Internet Explorer
http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx

Windows Server 2003 SP1 RC1 (32-bit version)
http://www.microsoft.com/downloads/details.aspx?FamilyId=AE20C29D-5C71-49CE-9091-3AEDC9E5979F

Windows Server 2003 SP1 RC1 (Itanium version)
http://www.microsoft.com/downloads/details.aspx?FamilyId=E1EC4C32-3123-4DAF-BE8F-500D0DD9699F
