Among the more than 20 patches that Microsoft released Tuesday, none were for the aged operating system, which saw its security fix support end June 30, 2004. Microsoft will only release free fixes for OSes like NTW4 when a vulnerability is actively exploited on the Internet.
"Microsoft is being shortsighted in not publicly releasing fixes for critical holes in NTW4," wrote Gartner analysts Michael Silver and Neil MacDonald in an advisory published Thursday. "[It] risks a public-relations nightmare if an attack based on the unpatched vulnerability shuts down a major corporation or government agency."
The pair urged that Microsoft "set a higher standard for the security support of older products" by extending fixes to NTW4. That's doable, they added, since such fixes are already available. Companies that have signed $200,000 custom support contracts with Microsoft receive security patches on older, non-supported operating systems.
"Microsoft has already developed NTW4 patches for customers that have paid for custom support," Silver and MacDonald wrote. "But [it] says it does not want to give users a false sense of security by breaking its policy and releasing these fixes publicly."
Microsoft should rethink that policy, the pair concluded.