Microsoft Communicator vulnerable to DoS attacks
November 18, 2008 – 5:22 AM
According to a report by VoIPshield, a VoIP security service provider, Microsoft’s Office Communications Server (OCS), Office Communicator and Windows Messenger contain vulnerabilities that can be exploited for Denial of Service attacks. The applications can be crashed using specially crafted packets.
VoIPshield does not want to release more detailed information until Microsoft has fixed the flaw. So far, VoIPshield has only revealed that the mentioned products crash when they receive specially crafted RTCP receiver reports. Microsoft Communicator is also said to have an allergic reaction to receiving a large number of INVITE messages (INVITE flood), ceasing to respond for a certain amount of time as a result. In some cases the program even logs itself off the network.
Another flaw in Communicator’s memory management is said to allow large areas of memory to be occupied with parallel sessions, which degrades the desktop experience. Sending victims a large number of instant messages containing emoticons is said to be enough to exploit this flaw.