Microsoft issues warning about VOIP vulnerability

Microsoft has issued its first security patches of the new year, warning users about a critical vulnerability in a component of the Microsoft Internet Security and Acceleration (ISA) Server used to control IP (Internet protocol) telephony traffic.

Three bulletins, MS04-001 through MS04-003 have bee posted on Microsoft's website, including lower-priority patches for Exchange Server 2003 and the Microsoft Data Access Components (MDAC), which is used by certain versions of Windows and Microsoft SQL Server.

H.323 is a protocol that is used by IP telephony applications to send audio and video over IP networks. A buffer overflow in a filter for the H.323 data packets, which is part of ISA Server 2000, could enable a malicious hacker to run their own code on vulnerable servers, which would potentially grant them total control over the system. Attackers would have to send a special H.323 packet that was designed to trigger the overflow, Microsoft said.

Microsoft was just one of many companies that issued warnings about the H.323 vulnerability. Cisco Systems also issued software patches for versions of the Internetwork Operating System (IOS) that contain the vulnerability.

Attackers would not necessarily have to be using voice over IP to trigger the security hole, as long as the vulnerable service was enabled and listening for incoming H.323 traffic, virus research manager at Network Associates, Craig Schmugar, said.

"It's not like [attackers] have to punch a bunch of funny numbers into a phone to exploit this," he said.

The buffer overrun in a number of versions of MDAC, which support database operations in Windows and SQL Server, was also patched.

Attackers who successfully trigger the security hole, which Microsoft rated "important", could potentially elevate their level of permission on the vulnerable system to the same level as the user running the application that used MDAC, Microsoft said. (See

A third security patch for Exchange Server 2003 was rated "moderate" and fixed a flaw that could allow Outlook Web Access users to view the contents of other e-mail boxes on the Exchange server, Microsoft said.

To take advantage of the security hole, attackers would need a valid Exchange 2003 account. Also, attackers would not be able to select which e-mail box they view, the company said. (See:

The releases continue Microsoft's new policy of issuing monthly security updates for customers.

While there are no known exploits for any of the security holes Microsoft has patched, a fix for at least one actively exploited flaw in Internet Explorer was missing from the batch of patches, Schmugar said.

That vulnerability, commonly referred to as the "0x01 exploit" allows attackers to display a different Web address in Internet Explorer's Address field a from the actual location of the Web page that is being displayed. The problem is actively being exploited by online scam artists who use mock-ups of legitimate websites in so-called "phishing" scams to harvest online account and personal identification information, he said.

"It's hard to say why they haven't patched that yet, SChmugar said. "But as [the Internet Explorer exploit] becomes even hotter and is exploited more, I think you'll likely see a patch for that, also."