Microsoft Communicator vulnerable to DoS attacks
According to a report by VoIPshield, a VoIP security service provider, Microsoft's Office Communications Server (OCS), Office Communicator and Windows Messenger contain vulnerabilities that can be exploited for Denial of Service attacks. The applications can be crashed using specially crafted packets.
VoIPshield does not want to release more detailed information until Microsoft has fixed the flaw. The vendor has so far only revealed that the mentioned products crash when they receive specially crafted RTCP receiver reports. Microsoft Communicator is also said to react badly to a large number of INVITE messages (INVITE flood): it stops responding for a certain amount of time, and in some cases the program even logs itself off the network.
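As an added example (not from VoIPshield's report or this article), the following Python code shows how a monitoring point in front of SIP clients could flag the INVITE flood condition described above: it counts new INVITE dialogs per source in a sliding window and ignores retransmissions of a dialog already counted. The window length, threshold, addresses and sample messages are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 10     # sliding window in seconds (assumed policy value)
MAX_INVITES = 20  # new INVITE dialogs allowed per source per window (assumed)

def parse_invite(raw):
    """Return the Call-ID if raw is a SIP INVITE request, else None."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "INVITE" or parts[2] != "SIP/2.0":
        return None
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        if name.strip().lower() in ("call-id", "i"):  # "i" is the compact form
            return value.strip()
    return ""  # INVITE without Call-ID: malformed, but still counted

def detect_invite_floods(events, window=WINDOW_S, limit=MAX_INVITES):
    """events: time-ordered (timestamp, source_ip, raw_sip_message) tuples.
    Returns {source_ip: timestamp at which the limit was first exceeded}."""
    recent = defaultdict(deque)  # source -> deque of (timestamp, call_id)
    alerts = {}
    for ts, src, raw in events:
        call_id = parse_invite(raw)
        if call_id is None:
            continue  # not an INVITE request
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()  # drop entries that fell out of the window
        if call_id and any(cid == call_id for _, cid in q):
            continue  # retransmission of a dialog already counted
        q.append((ts, call_id))
        if len(q) > limit and src not in alerts:
            alerts[src] = ts
    return alerts

def _invite(call_id):
    # Constructed sample message, reduced to the headers the parser reads.
    return ("INVITE sip:bob@example.test SIP/2.0\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 INVITE\r\n\r\n")

# Constructed traffic: one source opening 40 dialogs in 4 s, and one
# ordinary client retransmitting a single INVITE and sending an OPTIONS.
SAMPLE = sorted(
    [(i * 0.1, "192.0.2.10", _invite(f"flood-{i}")) for i in range(40)]
    + [(t, "192.0.2.20", _invite("call-a")) for t in (0.0, 0.5, 1.0, 2.0)]
    + [(5.0, "192.0.2.20", "OPTIONS sip:bob@example.test SIP/2.0\r\n\r\n")],
    key=lambda e: e[0])

if __name__ == "__main__":
    print(detect_invite_floods(SAMPLE))
```

Counting distinct Call-IDs rather than raw packets keeps normal UDP retransmissions of a single call from triggering the alert.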
Another flaw in Communicator's memory management is said to allow large areas of memory to be occupied with parallel sessions, which degrades the desktop experience. Sending victims a large number of instant messages containing emoticons is said to be enough to exploit this flaw.
According to US media reports, VoIPshield even claims to have discovered a hole that allows attackers to access their victims' computers. An estimated 250 million users use the VoIP applications for Windows.
- Microsoft Communicator INVITE Flood Denial of Service, report by VoIPshield
- Microsoft Communicator Emoticon Denial of Service, report by VoIPshield
- Microsoft Communicator Real-time Transport Control Protocol Report Block Denial of Service, report by VoIPshield