VoIP vulnerability woes not over for MS

While the company has patched its Internet Security and Acceleration server software against the glitch, it has conceded users of the company's NetMeeting software are most likely vulnerable to buffer overflow bugs found in implementations of the protocol, which could allow a remote attacker to take control of affected systems. Microsoft's security program manager at the company's security response centre, Stephen Toulouse, told ZDNet Australia "it's hard to say" how many of its users are still using NetMeeting -- however, the company is currently looking at the software to assess its potential vulnerability to the H.323 bug.

"Because NetMeeting implements H.323, the likelihood is yes, it's vulnerable," he said by phone from the U.S.

NetMeeting, which still ships with Windows XP -- albeit without a short-cut to the program installed by default -- serves primarily as communication software which allows users to hold audio and video conferencing sessions over the Internet. However, some system administrators have been known to use NetMeeting's remote administration capabilities to manage and configure systems over networks.

"It has been supplanted by a number of technologies," Tolouse said. "[But] I'm sure there are people still out there using it... we'll do whatever we need to do to protect those customers."

The H.323 flaw has affected a large number of vendors. The security bug, which was found by researchers at the University of Oulu in Finland, was discovered in a widely replicated implementation of the H.323 protocol, which meant the bug was effectively replicated in most incarnations of the protocol.

"It's one of those cases where security researchers found a flaw in the implementation of a protocol, and then anyone who had picked up on it or was adhering to that protocol was impacted by it," Tolouse said.

When asked if the case was similar to that of the discovery of flaws in a commonly used SNMP implementation in March, 2002, which affected a seemingly endless list of vendors, Tolouse said the "cases aren't that dissimilar at all," and pointed out that the University of Oulu also found that bug.