A few weeks ago, Microsoft released Security Bulletin MS03-010 (Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks) and its associated article at http://support.microsoft.com/?kbid=331953. To me, this flaw might lead not just to Denial of Service (DoS) attacks but to a "denial of existence" ultimatum for Windows NT 4.0.
At first glance, the bulletin is just another in a series of security-related bugs that Microsoft has identified, and I'm glad that Microsoft has stepped up its efforts to find these problems and tell us about them. What I find troublesome is that Microsoft released patches for Windows XP and Windows 2000 (presumably Windows Server 2003 doesn't have the problem)--but not for NT 4.0. The article states that NT 4.0 contains the vulnerability but goes on to say, "The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability."
In other words, Microsoft has discovered a flaw in NT 4.0 that, if left unfixed, greatly reduces NT 4.0's value. The message to the world in general seems to be that anyone still running NT 4.0 Server or Workstation is vulnerable to attack through port 135. (I realize that some people feel that anyone who puts a server on the Internet and exposes port 135 is unwise--and that's sometimes true--but not always.) Further, Microsoft says that no one can fix this problem; after all, if NT's creator can't fix it, who can?
Am I the only one who thinks this situation seems awfully convenient? For years Microsoft has wanted NT 4.0 to just go away, and I understand why. Microsoft is a for-profit firm that isn't selling any more NT 4.0 product, at least as far as I know. NT 4.0 is, then, just a source of expense (writing patches and bulletins costs money) and denies the company revenue because firms that still run NT 4.0 would probably buy Windows 2003, XP, or Win2K if they decided to upgrade. Clearly a flaw such as this one, if left unfixed because it's unfixable, might be the final straw that convinces the NT 4.0 holdouts to upgrade. So I think examining the "architectural limitations" argument is a reasonable step.
I believe Microsoft could have reacted to knowledge of a flaw in NT 4.0 in one of five ways:
1. Don't tell anyone about the flaw. I'm not sure this option is as ridiculous as it first sounds. Is it ethical to reveal an unfixable flaw in a widely distributed product if that flaw is known to only a few people? I'm not certain. But now that every malicious user knows about this hole and that Microsoft isn't going to fix it, I'm certain we'll see an "NT 4.0 terminator toy" bouncing around the script-kiddy world sometime in the next 6 months. Sure, the bug might have surfaced eventually and the hacker tool would still have appeared--but probably not for another year or two. By then, far fewer NT 4.0 targets would exist.
However, Microsoft probably had to tell the public about the bug because it affects XP and Win2K. Sending out a bulletin that didn't include NT 4.0 would have been suspicious.
2. Release an NT 4.0 patch. This would be the best solution, but according to Microsoft, it's not an option.
3. Adopt the approach that Intel took with the Pentium processor: Acknowledge the flaw and offer free upgrades to the fixed product. When someone discovered that the processor had a serious error in an arithmetic routine, Intel initially tried to downplay its importance but eventually did the right thing by offering to swap the troubled chips for new ones. That solution cost Intel a lot of money because the math-challenged chips weren't reusable.
The RPC port mapper is an integral part of an NT system. To suggest otherwise is to suggest that NT's file-sharing ability (which relies on the port mapper) is an insignificant function. If the port mapper is broken, the company should adopt the Intel approach and make good on its broken product. If, as Microsoft says, NT 4.0 is unfixable, then the ethical thing to do would probably be to buy the copies back. Remember, we're not talking about a $20 program; many people paid around $1,000 per copy of NT 4.0.
4. Explain that creating a patch is impossible, and release the source code to prove it. Fixing NT 4.0 might well be impossible, but we'll never be certain because of the Digital Millennium Copyright Act (DMCA) of 1998. DMCA makes disassembling or reverse-engineering copyrighted computer code unlawful. So if someone were to examine the RPC port mapper code and create a fix, Microsoft could take legal action against that person.
In contrast, if Honda were to tell me that the brakes on my Insight were defective and the company couldn't fix or replace them, I could hire an engineer to take the brakes apart. If the engineer determined a way to fix the brakes, I could sell the plans to fix that model of brake, whether Honda liked it or not. But DMCA protects software vendors from users who would like to verify vendors' statements.
Why not, then, release some of the RPC source code so that the whole world can see the truth of Microsoft's statements? It's not like the company would have to release all of the NT 4.0 code; I imagine the RPC source code would probably account for less than 1 percent.
5. Develop an NT 4.0 patch that fixes the problem but reduces the OS's functionality. From the information Microsoft has released about the flaw, the DoS attack probably works by confusing the port mapper software, perhaps messing up an attempt to negotiate a connection and leaving the software in an undefined state. Microsoft could write some software that stops certain types of RPC behaviors--protecting a system from a DoS attack, but at the cost of disabling certain programs. The company might be able to offer some type of administrative interface that would disable this patch on the fly so that a firm that needs full RPC port mapper functionality could restore it for a brief time without a reboot.
I think that any of these five options would have been better than Microsoft's response that it can't fix the problem and that NT 4.0 users have few options other than upgrading their systems. I'm not claiming that this is some dark Microsoft conspiracy or that Microsoft is evil; publicly held firms are supposed to protect the shareholders' wealth. But I find it plausible that Microsoft might not fix an NT 4.0 problem with as much gusto as it would a Windows 2003 or XP problem. I hope that Microsoft will reconsider.