Earlier this week, Microsoft posted a security patch for a flaw that affects control of VoIP (voice over IP) traffic in its Internet Security and Acceleration Server 2000. The company rated the flaw’s severity as critical and urged users to patch it immediately.
According to the Microsoft Security Bulletin released last Tuesday, the security vulnerability in the ISA Server 2000 H.323 filter opens the door for a buffer overflow attack that can either crash the violated computer or allow an attacker to seize control of the system remotely.
Oliver Friedrichs, senior manager at Symantec Security Response, said the people who discovered the new VoIP vulnerability are the same ones who discovered the original flaw in SNMP (Simple Network Management Protocol) a year ago. Different protocols often share similar encoding. “It’s easier to take something that’s already out there rather than begin from scratch,” he told the E-Commerce Times.
VoIP, which lets users phone one another over TCP/IP connections rather than using traditional phone lines, is just beginning to take hold as an inexpensive means for individuals and entities to communicate. Could flaws such as this one slow movement toward this new technology?
Connectivity Trumps Security
Jim Hurley, vice president for security and privacy at Aberdeen Group, told the E-Commerce Times that he does not think the flaw will affect VoIP adoption rates. He said the technology’s convenience outweighs potential security flaws, whether they occur in Windows or in some other platform.
“Historically, consumers and businesses have tended to favor connectivity capabilities over security problems,” Hurley said. “VoIP, where it’s appropriate, offers opportunity to drop operating costs significantly.”
By using the Internet and IP telephony software, he added, individuals and businesses can place phone calls and set up videoconferencing capabilities essentially for the cost of their ISP or network connection.
Could Be Worse
Additionally, the vulnerability is not quite as bad as it could be. According to Oliver Friedrichs, senior manager at Symantec Security Response, users of VoIP are lucky because details of this flaw are not publicly available. “No explicit code is available for people to take down systems or to compromise them,” he told the E-Commerce Times.
Nevertheless, the vulnerability is still critical because it affects so many different systems and vendors, Friedrichs said, adding that Symantec encourages users to contact vendors for the appropriate patches.
Hurley agreed. Because VoIP adoption is not yet widespread enough to have become a standard in large companies, he added, individuals will have to take responsibility for patching their own systems.
“It’s not something the IT organization has to manage just yet,” Hurley said. “It’s very confined to individuals within companies, so it’s important to get word of patches out to these individuals.”