Slashdot Mirror


Flaws Threaten VoIP Networks?

jdkane writes "CNET News reports that security flaws have been found in products that use VoIP and text messaging, including those from Microsoft and Cisco Systems. What's interesting, in Microsoft's case, is that the Internet Security and Acceleration Server product that's also affected is designed to help protect companies' networks from online attacks. Specifically, a filter used in the server that secures VoIP communications is vulnerable to the flaw."

10 of 159 comments

  1. Not to defend Microsoft by silconous · · Score: 3, Interesting

    But Cisco is just as vulnerable and more widespread, as IOS 11.3 and greater is flawed.

  2. Great quote by fiendo · · Score: 5, Interesting
    "It is kind of the same situation that we have seen--a certain level of human error is going to be present and that is true even for security software," said Stephen Toulouse, security program manager for Microsoft.

    Wow that ought to really bolster a customer's confidence: Not only are you saying this type of mistake is common in your experience, your excuse is "Hey we're only human"! Uh isn't that why you're supposed to have quality assurance?

    --
    I went to the city because I wished to live without deliberation.
  3. Re:Imagine That by bfree · · Score: 5, Interesting

    Vulnerable (updates available): Cisco and Microsoft
    Unknown: Avaya, Fujitsu, Hewlett-Packard, Lucent and Nortel
    Safe: Apple, Hitachi, NetBSD, Red Hat and Symantec
    Is that a point for Security through open source as the two open products are already in the safe pile?

    --

    Never underestimate the dark side of the Source

  4. Re:wow by marine_recon · · Score: 2, Interesting

    makes you wonder. they issue a patch so quickly that you must wonder, do they really work that fast? or was the problem so simple that it was easy to fix? not that getting a patch out quickly is bad, mind you, it's just that you hope quality doesn't suffer. all we need is a patch for the bugs in the last three patches.

    --
    Jack the sound barrier. Bring the noise.
  5. Re:Imagine That by Alien+Being · · Score: 3, Interesting

    "...where could you find a reporter who would care?"

    National Public Radio (WBUR 90.9MHz to you fellow Bostonians) for one. Believe it or not, the great unwashed masses are starting to become aware of the problem with Microsoft.

  6. What about Open H.323 by Anonymous Coward · · Score: 3, Interesting

    What about Open H.323? Anyone know whether that project is going to be suffering the same vulnerability?

  7. meh... by netwiz · · Score: 4, Interesting

    just a buffer overflow. I'm not really surprised; sooner or later this was going to happen. I'm just surprised that it popped up in Cisco's case.

    Altho, as I think about it, I get the feeling that Cisco got a bunch of network multimedia handling code from MS. I remember back in '98 or '99, they announced a software partnership w/ MS, causing much hand-wringing on /. to the effect that we might see NT-based routers. IOS is too heavily leveraged in Cisco's products, but the actual processes and services that run on it could come from anybody.

    The fact that this looks to a few vendors (MS and Cisco being the biggies), and knowing how MS looks to diversify only makes me wonder how much of MS's wonderful code has managed to worm its way into the other devices I use...

    Hmm... Maybe this had something to do w/ all the dreadful STP and bridging issues I had on the Catalyst 8540 platform...

    1. Re:meh... by zbaron · · Score: 2, Interesting

      We were an early adopter of Cisco CallManager and IP handsets (our director was taken to lots of lunches by Cisco reps), we used uOne as the voicemail because it was before Unity was available. Within 12 months, it was being pulled out, partly due to the fact that Cisco q.sig was different from NEC q.sig and the PABX and the "PABX" could not talk to each other, partly due to the platform it was deployed on, especially when we were told Exchange had to be part of the mix. All feedback to Cisco was based around how they wanted us to replace our 99.999 carrier grade PABX systems, with ... well Windows servers. We told them straight that we'd look at a CallManager solution again when it was running on IOS, Solaris or Linux. Many of the Cisco products that run on Windows are actually now appearing as appliances that run either Linux or a flavour of BSD.

  8. Re:Thats nothing by strider3700 · · Score: 2, Interesting

    I work at a POS company. Our customers split about 50/50 terminal vs PC but on the PC they basically just get a terminal shell. We refuse to support the PC stations so it doesn't affect us much, but we do see a lot of people switching back to terminals unless they do other work on the PC. On the back end server we use a piece of shit OS called theos, it's being replaced with Linux in a massive rewrite. No one in their right mind would run something as important as a POS system on Windows, it's just too vulnerable.

  9. Expect such flaws in 2.6 soon by kris · · Score: 3, Interesting

    The current H.323 flaw is based on bugs in the ASN.1 parser used in these products. The big bugs in almost all SNMP implementations a year ago or so were also based on ASN.1 parsing failures. Many OpenSSL bugs are based on ASN.1 parsing failures.

    The Linux kernel 2.6 just got ASN.1 parsing INSIDE THE KERNEL in order to implement AUTH_KERB as part of the NFS/Kerberos client. Expect ASN.1 parsing based bugs inside the Linux kernel real soon now.
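
The thread attributes the H.323, SNMP and OpenSSL problems to ASN.1 parsing. As an added illustration (not part of the original thread and not code from any of the products named), this is the kind of length validation a BER-style tag-length-value decoder, the encoding used by SNMP and X.509, has to perform before trusting an encoded length; H.323 itself uses a different ASN.1 encoding (PER). The function names and sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs (not taken from any real product or exploit). */
static const uint8_t SAMPLE_OK[]    = {0x04, 0x03, 'a', 'b', 'c'};
static const uint8_t SAMPLE_TRUNC[] = {0x04, 0x05, 'a', 'b'};
static const uint8_t SAMPLE_HUGE[]  = {0x04, 0x84, 0xff, 0xff, 0xff, 0xff, 'A'};

/* Read one tag-length-value element from buf[0..buflen). Returns bytes
 * consumed, or -1 if the encoding claims more data than is present. */
static long tlv_read(const uint8_t *buf, size_t buflen, uint8_t *tag,
                     const uint8_t **val, size_t *vlen)
{
    size_t pos = 0, len = 0;
    /* Need tag + length octet; multi-byte tags are not handled here. */
    if (buflen < 2 || (buf[0] & 0x1f) == 0x1f) return -1;
    *tag = buf[pos++];
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                          /* short form */
    } else {
        size_t n = first & 0x7f;              /* long form: n length octets */
        if (n == 0 || n > sizeof(size_t)) return -1;  /* indefinite or too wide */
        if (n > buflen - pos) return -1;      /* length octets themselves truncated */
        while (n--) len = (len << 8) | buf[pos++];
    }
    if (len > buflen - pos) return -1;        /* compare by subtraction: no overflow */
    *val = buf + pos; *vlen = len;
    return (long)(pos + len);
}

/* Copy an OCTET STRING (tag 0x04) into out; -1 if it does not fit. */
static long copy_octet_string(const uint8_t *buf, size_t buflen,
                              uint8_t *out, size_t outcap)
{
    uint8_t tag; const uint8_t *val; size_t vlen;
    if (tlv_read(buf, buflen, &tag, &val, &vlen) < 0) return -1;
    if (tag != 0x04 || vlen > outcap) return -1;  /* sender-chosen length vs. our buffer */
    memcpy(out, val, vlen);
    return (long)vlen;
}

int main(void)
{
    uint8_t out[8];
    printf("%ld\n", copy_octet_string(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out));
    return 0;
}
```

Dropping either the `len > buflen - pos` check or the `vlen > outcap` check lets a length field chosen by the sender drive a read or copy past the end of a buffer, which is the "just a buffer overflow" class mentioned earlier in the thread.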