Modernizing Authentication — What It Takes to Transform Secure Access
on Thursday labeled as "important" a vulnerability found in the RPC Endpoint Mapper protocol that could lead to denial-of-service attacks but while patches were issued for Windows XP and Windows 2000 systems, the company said it was unable to provide a fix for Windows NT 4.0.
The 10th security alert from Microsoft warned of a flaw in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages and affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135.
To exploit the bug, Microsoft said an attacker would have to establish a TCP/IP connection to the Endpoint Mapper process on a remote machine and begin the RPC connection negotiation before transmitting a malformed message. "Because the Endpoint Mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions," the company cautioned.
"This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to modify or retrieve data on the remote machine," the company added.
https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=iDownload locations for patches to two of the three vulnerable platforms were issued on Microsoft's TechNet database but there was no patch available for Windows NT 4.0.
Instead, the company suggested workarounds to secure vulnerable NT 4.0 systems. In its advisory, Microsoft appeared to be advising customers to shift away from the NT platform. "The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture, Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability." Microsoft said.
It said a patch for the NT 4.0 flaw would require "rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected," adding that such a rearchitecture effort would be incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system.
Instead, NT 4.0 users are urged to protect those systems by placing them behind a firewall which is filtering traffic on Port 135. "Microsoft has extensively investigated an engineering solution for NT 4.0 and found that the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future," the company said.
Microsoft also recommended that sysadmins block all TCP/IP ports that are not actually being used, warning that the RPC protocol over TCP is not intended to be used in hostile environments such as the internet.