A technical review conducted by the British government has found several security flaws in products that use VoIP and text messaging, including those from Microsoft and Cisco Systems.
The flaws affect software and hardware that support H.323, the International Telecommunications Union (ITU) standard for real-time multimedia communications and processing. The security problems can cause a product that supports H.323 to crash. For example, in Cisco telecommunications products running its IOS operating system, the vulnerability could be used to cause the devices to freeze or reboot. However, on Microsoft's Internet Security and Acceleration Server 2000, which is included with Small Business Server 2000 and 2003 editions, the vulnerability could allow an attacker to take control of the system.
Ironically, in Microsoft's case, the Internet Security and Acceleration Server is designed to help protect companies' networks from online attacks. Specifically, a filter used in the server that secures VoIP communications is vulnerable to the flaw. "It is kind of the same situation that we have seen--a certain level of human error is going to be present and that is true even for security software," said Stephen Toulouse, security program manager for Microsoft. Microsoft released a patch for its Internet Security and Acceleration Server on Tuesday and published ways to disable the affected service for customers who want to take time to test the software.