November 17th, 2008

VoIP vulnerabilities in Microsoft Communicator

Posted by Ryan Naraine @ 9:06 am

Categories: Browsers, Data theft, Denial of Service (DoS), Malware, Microsoft, Passwords, Patch Watch, Pen testing, Responsible disclosure, Vulnerability research

Tags: Denial Of Service, VoIP, Vulnerability, Microsoft Corp., Security, Ryan Naraine

Researchers at VoIPshield Labs have pinpointed a wide range of denial-of-service vulnerabilities in Microsoft Communicator, the unified communications client that provides business-grade instant messaging, voice, and video tools.

The flaws, rated “high severity,” could cripple VoIP-powered communications on Office Communications Server 2007, Office Communicator and Windows Live Messenger.

The skinny:

  • Microsoft Communicator Emoticon: By sending a client instant messages that contain a very large number of emoticons, it is possible to cause Microsoft Communicator to become unresponsive for a period of time. During this period the phone does not respond to incoming INVITE messages and can even be forced into an offline state, eventually requiring the phone to re-register.
  • Microsoft Communicator INVITE Flood: Because of the way sessions and authentication are managed, it is possible to cause Microsoft Communicator to open a very large number of sessions, consuming huge amounts of memory and potentially resulting in a denial of service.
  • Microsoft Communicator Real-time Transport Control Protocol Report Block: Using a specially crafted RTCP receiver report packet, it is possible to cause a denial of service (DoS) against Microsoft Communicator, Office Communications Server (OCS) and Windows Live Messenger.
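The third item is the classic case of a parser trusting one header field over another. As an added illustration of the defensive check that closes that gap (not code from VoIPshield, Microsoft or the Communicator product), here is a C validator for RTCP receiver reports that refuses any packet whose report count, length field and received buffer size disagree, together with a constructed packet builder used only to produce test vectors. The field layout follows RFC 3550 section 6.4.2; the function names and status codes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RTCP_RR 201             /* payload type of a Receiver Report */
#define RTCP_RR_HDR_LEN 8       /* V/P/RC, PT, length, sender SSRC */
#define RTCP_REPORT_BLOCK_LEN 24
enum rr_status { RR_OK = 0, RR_TRUNCATED, RR_BAD_VERSION, RR_BAD_TYPE,
                 RR_BAD_PADDING, RR_LENGTH_MISMATCH };

/* Validate an RTCP Receiver Report before any field is trusted. RR_OK is
 * returned, and *blocks set, only when the RC field, the length field and
 * the actual buffer size agree; a header promising more blocks than the
 * packet carries is rejected instead of being walked off the end. */
enum rr_status validate_rtcp_rr(const uint8_t *pkt, size_t len, unsigned *blocks)
{
    if (len < RTCP_RR_HDR_LEN) return RR_TRUNCATED;
    if ((pkt[0] >> 6) != 2) return RR_BAD_VERSION;
    if (pkt[1] != RTCP_RR) return RR_BAD_TYPE;
    unsigned padded = (pkt[0] >> 5) & 1;
    unsigned rc = pkt[0] & 0x1f;
    /* The length field counts 32-bit words minus one, header included. */
    size_t declared = ((size_t)((pkt[2] << 8) | pkt[3]) + 1) * 4;
    if (declared > len) return RR_TRUNCATED;
    size_t pad = 0;
    if (padded) {
        pad = pkt[declared - 1];    /* last octet holds the padding count */
        if (pad == 0 || pad > declared - RTCP_RR_HDR_LEN) return RR_BAD_PADDING;
    }
    /* Every byte after the header and before the padding must be a block. */
    if (declared - RTCP_RR_HDR_LEN - pad != (size_t)rc * RTCP_REPORT_BLOCK_LEN)
        return RR_LENGTH_MISMATCH;
    *blocks = rc;
    return RR_OK;
}

/* Constructed test input (assumed helper): an RR carrying real_rc zeroed
 * report blocks whose header claims claimed_rc blocks. Returns packet size. */
size_t build_rr(uint8_t *buf, size_t cap, unsigned real_rc, unsigned claimed_rc)
{
    size_t total = RTCP_RR_HDR_LEN + (size_t)real_rc * RTCP_REPORT_BLOCK_LEN;
    if (total > cap || claimed_rc > 31) return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x80 | claimed_rc);      /* V=2, P=0, RC=claimed_rc */
    buf[1] = RTCP_RR;
    uint16_t words = (uint16_t)(total / 4 - 1);
    buf[2] = (uint8_t)(words >> 8);
    buf[3] = (uint8_t)(words & 0xff);
    return total;
}
```

A consistent two-block report passes, while a header that claims five blocks over a one-block body is rejected before any block is read.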

The company said Microsoft has acknowledged the issues.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.