Security flaws in Microsoft VoIP products

VoIPshield is making its first-ever announcement in a new category of research related to security vulnerabilities in VoIP and Unified Communications (UC) systems. These vulnerabilities affect applications that use media stream protocols like RTP (Real-time Transport Protocol), a popular standardized packet format for delivering audio and instant messaging over the Internet.

The Microsoft products affected are Office Communications Server 2007, Office Communicator and Windows Live Messenger. These products deliver software-powered VoIP, presence, instant messaging and audio/video/Web conferencing functionality to end users. Microsoft estimates that over 250 million computers worldwide run these applications. All use RTP to deliver the content of the message; therefore all are vulnerable to this class of attack.

The Microsoft vulnerabilities announced today, if exploited, cause a Denial of Service condition against not only the stated applications but the entire desktop environment.

Under its Responsible Disclosure Policy, VoIPshield confidentially discloses full details of the vulnerabilities to the affected vendors, and works with them to facilitate the development of application fixes. Details of the vulnerabilities are not publicly disclosed.

Securing the media stream is particularly challenging because once the messaging session is established, the flow of voice packets is not always monitored and managed by the call server.
