Companies running Microsoft NT Workstation 4 (NT4) must take "immediate action to protect" themselves in the wake of Microsoft's announcement of 10 Windows security vulnerabilities on 12 October 2004, according to research firm Gartner.
A newly published advisory by Gartner analsyts Michael Silver and Neil MacDonald said that although Microsoft has recently unveiled the multiple vulnerabilities affecting various versions of Windows and issued patches for them, the company has not publicly issued patches for NT4, because security support for that version ended on 30 June 2004.
Although Gartner estimates that between 10 per cent to 20 per cent of enterprise PCs still run NT4, Microsoft ended security fix support for NT4 on 30 June 2004, claiming the eight-year-old NT4 is no longer supportable.
Gartner said it "disagrees with this claim", because the code base for NT Server, which Microsoft does still support, and NT4 are largely the same.
"Microsoft's solution for customers running NT4 is for them to follow Microsoft mitigation and work-around instructions when they are provided, migrate to a supported version of Windows, pay Microsoft $200,000 for a custom support contract or wait for a patch that Microsoft would issue to the public after an attack occurs," the Gartner advisory stated.
The analyst firm went on to point out that Microsoft has already developed NT4 patches for customers that have paid for custom support, but says it does not want to give users a false sense of security by breaking its policy and releasing these fixes publicly.
Gartner accused Microsoft of being shortsighted in not publicly releasing fixes for critical holes in NT4, adding that the software gaint risks a "public-relations nightmare" if an attack based on the unpatched vulnerability shuts down a major corporation or government agency.
Gartner urged Microsoft to set a higher standard for the security support of older software products, and to immediately extend fixes to NT4.
Silver and MacDonald's analysis states that Gartner has previously advised companies to migrate critical systems off NT4 to Windows 2000 or Windows XP Professional. However, to avoid a forced upgrade, those still using the platform should consider host-based intrusion prevention products and investigate alternative ways of shielding systems - for example, by blocking specific ports and filtering web content.
Firms could also consider paying Microsoft for custom support if their company is highly risk-averse or demand that Microsoft make the NT4 critical patches public.