VoIP vulnerabilities in Microsoft Communicator

Researchers at VoIPshield Labs have pinpointed a wide range of denial-of-service vulnerabilities in Microsoft Communicator, the unified communications client that features business-grade instant messaging, voice, and video tools. The flaws, rated "high severity," could cripple VoIP-powered communications on Office Communications Server 2007, Office Communicator and Windows Live Messenger.

The skinny:

  • Microsoft Communicator Emoticon: By issuing instant messages to a client that contain a very large number of emoticons, it is possible to cause Microsoft Communicator to become nonresponsive for a certain period of time. During this period the phone does not respond to incoming INVITE messages and can even be forced into an offline state, eventually requiring the phone to reregister.
  • Microsoft Communicator INVITE Flood: Due to the manner in which sessions and authentication are managed it is possible to cause Microsoft Communicator to open a very large number of sessions resulting in the consumption of huge amounts of memory, potentially resulting in a Denial of Service.
  • Microsoft Communicator Real-time Transport Control Protocol Report Block: Using a specially crafted RTCP receiver report packet, it is possible to cause a Denial of Service (DoS) against Microsoft Communicator, Office Communications Server (OCS) and Windows Live Messenger.

The company said Microsoft has acknowledged the issues.
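
For the INVITE flood item above, a monitoring check can flag any source that opens more new SIP dialogs (distinct Call-ID values) than a limit within a sliding time window. The following Python is an added example, not code from VoIPshield or Microsoft; the log line format, window size and limit are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10    # assumed sliding-window size
MAX_NEW_SESSIONS = 20  # assumed limit on new dialogs per source per window


def parse_event(line):
    """Parse 'epoch_seconds src_ip METHOD call_id' (constructed log format)."""
    ts, src, method, call_id = line.split()
    return float(ts), src, method, call_id


def detect_invite_floods(lines, window=WINDOW_SECONDS, limit=MAX_NEW_SESSIONS):
    """Return {src_ip: timestamp at which the source first exceeded the limit}."""
    recent = defaultdict(deque)  # src -> (ts, call_id) of dialogs opened in window
    active = defaultdict(set)    # src -> Call-IDs currently inside the window
    alerts = {}
    for line in lines:
        ts, src, method, call_id = parse_event(line)
        if method != "INVITE":
            continue
        queue = recent[src]
        # Drop dialogs that have aged out of the window.
        while queue and ts - queue[0][0] > window:
            _, old_id = queue.popleft()
            active[src].discard(old_id)
        # A repeated Call-ID is a retransmission or re-INVITE, not a new session.
        if call_id in active[src]:
            continue
        queue.append((ts, call_id))
        active[src].add(call_id)
        if len(queue) > limit and src not in alerts:
            alerts[src] = ts
    return alerts


def sample_log():
    """Constructed events: one flooding source, one normal caller."""
    lines = []
    for i in range(30):  # 30 distinct dialogs in under 3 seconds
        lines.append(f"{1000 + i * 0.1:.1f} 192.0.2.10 INVITE flood-{i}@example")
    for i in range(5):   # 5 calls, 10 s apart, each INVITE retransmitted once
        lines.append(f"{1000 + i * 10:.1f} 192.0.2.20 INVITE call-{i}@example")
        lines.append(f"{1000 + i * 10 + 0.5:.1f} 192.0.2.20 INVITE call-{i}@example")
    return sorted(lines, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    print(detect_invite_floods(sample_log()))
```

Counting distinct Call-IDs rather than raw INVITE packets keeps ordinary retransmissions from triggering the alert while still catching a source that opens many sessions.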