Subject: Re: NT4 obsoleted today 3/26/03
From: "Tony Ingenoso"
A trivial "fix" could be to simply disable port 135 in the TCP/IP
options. What would that take? Maybe 50 lines of code.

"Geo." wrote in message
news:3e821db7$1{at}w3.nls.net...
> from
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-010.asp
>
> If Windows NT 4.0 is listed as an affected product, why is Microsoft not
> issuing a patch for it?
>
> During the development of Windows 2000, significant enhancements were made
> to the underlying architecture of RPC. In some areas these changes involved
> making fundamental changes to the way the RPC server software was built. The
> Windows NT 4.0 architecture is much less robust than the more recent Windows
> 2000 architecture. Due to these fundamental differences between Windows NT
> 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the
> software for Windows NT 4.0 to eliminate the vulnerability. To do so would
> require rearchitecting a very significant amount of the Windows NT 4.0
> operating system, and not just the RPC component affected. The product of
> such a rearchitecture effort would be sufficiently incompatible with Windows
> NT 4.0 that there would be no assurance that applications designed to run on
> Windows NT 4.0 would continue to operate on the patched system.
>
> Microsoft strongly recommends that customers still using Windows NT 4.0
> protect those systems by placing them behind a firewall which is filtering
> traffic on Port 135. Such a firewall will block attacks attempting to
> exploit this vulnerability, as discussed in the workarounds section below.
>
> Will Microsoft issue a patch for Windows NT 4.0 sometime in the future?
>
> Microsoft has extensively investigated an engineering solution for NT 4.0
> and found that the Windows NT 4.0 architecture will not support a fix to
> this issue, now or in the future.
>
> What's the scope of this vulnerability?
>
> This is a denial of service vulnerability. An attacker who successfully
> exploited this vulnerability could cause a remote computer to fail. However,
> the attacker could not modify or retrieve data or execute code of his or her
> choice on the remote machine.
>
> To carry out such an attack, an attacker would require the ability to make a
> TCP/IP connection to the Endpoint Mapper running on the target machine. Once
> a TCP connection had been made, the attacker could send a malformed message
> to the RPC service and thereby cause the target machine to fail.
>
> The best defense against remote RPC attacks from the Internet is to
> configure the firewall to block port 135. RPC over TCP is not intended to be
> used across hostile environments such as the Internet.
>
>
--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)

SOURCE: echomail via fidonet.ozzmosis.com