NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0319 New Scripting Attack Executes via VoIP Clients:


Security researchers have found a way to execute cross-site scripting attacks through VoIP clients, introducing a dangerous new threat that almost no one is guarding against, according to an online IT journal. "It's simply the first time we've seen what's regarded as a Web 2.0 exploit ... being used against VoIP," said Paul Henry of Secure Computing. "Few [people], if anyone, bothers filtering the VoIP communications happening over SIP [Session Initiation Protocol] because they don't want any performance degradation. Hence these types of attacks are going to grow," he continued.

Security researchers discovered the flaw on 08 October and posted a description of the vulnerability, along with proof-of-concept code, on the internet. The researchers found the vulnerability in a Linksys VoIP product, according to the article. This particular cross-site scripting attack could be used to install software on a PC allowing hackers to record and listen to VoIP phone calls, according to Henry, noting that he is not yet aware of the attack being used against real users.

The same flaw could also be exploited to target mass audiences by installing keystroke loggers that steal user names, passwords, and other information that could help a criminal raid a bank account, he added. The burden then falls on people deploying a VoIP system to install a product that examines inbound traffic and blocks scripts with malicious intent, according to Henry.

(www.pcworld.com 18OCT07)


Last Modified: Sunday, 28-Oct-2007 09:25:51 EST