Slashdot Mirror


Flaws Threaten VoIP Networks?

jdkane writes "CNET News reports that security flaws have been found in products that use VoIP and text messaging, including those from Microsoft and Cisco Systems. What's interesting, in Microsoft's case, is that the Internet Security and Acceleration Server product that's also affected is designed to help protect companies' networks from online attacks. Specifically, a filter used in the server that secures VoIP communications is vulnerable to the flaw."

12 of 159 comments

  1. You linked to Microsoft's patch by ObviousGuy · · Score: 5, Insightful

    So it seems they've already fixed the problem.

    Should we blame lazy sysadmins for not keeping their systems patched?

    Or should we blame Microsoft?

    --
    I have been pwned because my /. password was too easy to guess.
    1. Re:You linked to Microsoft's patch by marine_recon · · Score: 2, Insightful

      I know I'm probably going to get pounded for saying this, but you think that Microsoft would test for things like this before release. I know that they must do lots of testing, but still. Not everything can be fixed by a patch two or three weeks later.

      --
      Jack the sound barrier. Bring the noise.
    2. Re:You linked to Microsoft's patch by Creepy+Crawler · · Score: 4, Insightful

      But when the patch is 40MB that "fixes" many things that were never broken, can you trust the patch?

      Knowing MS, they'll offload packs that will break something else, or require deps on Service Packs. How do I know that upgrading Win2K SP2 to SP4 won't break the medical reporting server?

  2. Give them a break by odeee · · Score: 5, Insightful
    The same flaws affect many products - not just Microsoft. And the flaws are H.323 flaws - not necessarily ones introduced by Microsoft.

    In Cisco products - they are also vulnerable - and particularly when used as firewalls or edge devices.

    But then again it's more fun to blame MS isn't it ;-)

  3. wow by ThePretender · · Score: 4, Insightful

    Several other companies also produce products that may be affected, but as of midday Tuesday only Cisco and Microsoft had issued advisories and patches.
    Wow. While other companies are investigating, the MS patch machine has already spit one out. Give 'em a little credit. Nah, this was just lucky hehe

  4. Who will exploit this first? by Anonymous Coward · · Score: 1, Insightful

    Will it be script-kiddies or certain phone companies getting nervous about competitors going VoIP?

  5. It's not MS, it's VoIP -- expect more by Anonymous Coward · · Score: 5, Insightful
    It's not (just) MS here that is having a problem. Bet on having a whole buncha security reports trickling in over the next few years with VoIP.

    1. It's an immature technology with immature implementations -- it's not shaken down yet to get all the flaws out (not just coding, but conceptual)
    2. The products and protocols (i.e. SIP (Silly Improvised Protocol)) are very ambitious and attempt to provide for making voice calls, IM, centrex features, user interaction with end point interfaces, presence, and emergency services, and cook your breakfast, too. Combined with #1 above, security flaws and problems are going to abound.
    3. Due to the ambitious, broad, and sprawling nature of the protocols and products, interoperability is going to be strained and painful, especially until a few dominant players shake out -- again expect problems due to interoperability side effects.
    4. As VoIP products and service spread, along with a plethora of devices, it is quite possible that a killer app or a brand new application shows up -- that manages to stretch the implements in unforeseen ways. (i.e. cookies with HTTP). Once consumer fads and marketing start driving the product development tooooo fast, expect more flaws until things mature.


    Taken all together, VoIP should be deployed very carefully in places where network security is important. You might even run into a case where even if your computer network is completely separate from the Internet, but you use VoIP over the internal LAN via an IP PBX, someone might hack your phone/VoIP endpoint through the encoded voice stream and gain access to your LAN. Stranger things have happened.
  6. Grass is always greener... by seigniory · · Score: 4, Insightful

    Percentage-wise, I'd bet a meeelion dollars that the folks here on /. are much more familiar with VoIP, TCP/IP, Cisco, MS, etc. than they are with whatever the heck the kids are using these days for enterprise analog voice networks.

    Is it any surprise that everyone on here, pulling from their "wide" experience on both types of networks, thinks that things are oh-so-much worse with VoIP than they were/are with analog?

    Look: vulnerabilities exist everywhere. If you had more people on this board that do analog telephony as a hobby/job than do PCs/*nix/etc. the articles would all be about Lucent/AT&T's switch vulnerabilities and how we should all switch to the "new bulletproof VoIP" stuff I keep hearing about.

    I'll also bet *2* meeeeeelion dollars that if MS wasn't mentioned in the article, that nowhere near as many people would be jumping on this (although that's a big fat DUH).

  7. Re:Imagine That by interiot · · Score: 4, Insightful

    Well, various Java VMs have had problems in the past, does that mean we should just throw them away? Similarly for user-privilege-separation in the Linux kernel. The whole reason we write narrow pieces of code that focus on security is that we realize that it's impossible to guarantee a piece of code is bug-free. So instead, we do the two things that help clear out bugs the best: we make the important security-related code as small as possible, and we give it time for people to find bugs and for us to fix them. After a while, you have a simple and mature piece of code that enhances the security of everything else, allowing the code it protects to be fast-changing and complex yet. It really seems like the right way to go to me. Finding and repairing flaws over time is how you gain maturity.

  8. Re:Imagine That by Anonymous Coward · · Score: 1, Insightful

    Microsoft has been around since 1975, how long do you intend maturity to set in? I think you try too hard.

  9. Re:Imagine That by cball2k · · Score: 2, Insightful

    ya, linux never has a flaw, or bug, the errata pages are there just for giggles...

    stones, glass house....

    --
    karma, hah...
  10. Acid Test by tacocat · · Score: 2, Insightful

    The acid test will be how long it will take for Vonage to respond to this Advisory. They ship affected Cisco routers.

    They can run a telephone communications business with a mere fraction of the people that AT&T does, but can they effectively manage their system when something goes wrong?