Patches Provided for Windows NT 4 Despite End of Support
By Scott Bekker
January 11, 2005
Operating in the gray area between support and non-support, Microsoft chose to freely distribute the one new security bulletin that affected Windows NT Server 4.0 on Tuesday, 11 days after official support of the operating system expired.
Microsoft released three security bulletins on Tuesday.
For one of the two critical bulletins, MS05-002, Microsoft chose to provide a patch for free to all customers on Windows NT Server 4.0. Officially, support for Windows NT Server 4.0 ended on Dec. 31, 2004. Even that support deadline is a gray area, however. Microsoft is offering custom support contracts for up to two years for customers who are committed to migrating to a later version of Windows. The contracts cost a reported $200,000 a year.
As part of the contracts, Microsoft pledged to provide Windows NT 4.0 patches for all security flaws rated critical or important. Microsoft officials also say they will provide those patches for free to all customers for that subset of critical flaws that are extremely severe.
In this case, however, Microsoft's security team was just caught between the extended support phase in December and the new custom support phase.
"The majority of the steps that are required to address this vulnerability were completed before [the support deadline]. Therefore, we have decided to release a security update for this operating system version as part of this security bulletin," according to Microsoft's bulletin documentation.
"We do not anticipate doing this for future vulnerabilities that may affect this operating system version, but we reserve the right to produce updates and to make these updates available when necessary," the bulletin stated.
Microsoft reiterated that it should be a priority for customers to migrate from Windows NT Server 4.0 to supported operating systems as quickly as possible.
Bulletin MS05-002 fixed two flaws, one critical and one important. Both are patched for Windows NT Server 4.0. Microsoft also tested Windows NT 4.0 against the flaws patched in the other bulletins released on Tuesday. Neither affected the aging operating system.
However, most customers running Windows NT Server 4.0 will be affected by the critical flaw in bulletin MS05-001. That flaw affects Internet Explorer 6.0 Service Pack 1, and customers who wanted support for Windows NT 4.0 were required to use that version of Microsoft's browser. A separate patch is available to protect IE 6 SP1 against the vulnerability.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.