The British government earlier this week revealed that it had discovered security flaws that affect the products of dozens of vendors. The flaws were found in software that support a variety of applications and technologies, including voice over IP, videoconferencing, text messaging, Session Initiation Protocol, devices and hardware, and critical networking equipment such as routers and firewalls.

The severity of the flaws vary from vendor to vendor, but the risks range from denial-of-service attacks to allowing access to malicious code, according to the United Kingdom National Infrastructure Security Co-Ordination Centre.

An advisory issued Thursday by the U.K. National Infrastructure Security Co-Ordination Centre, says the vulnerabilities affect the H.323 network protocol, a standard approved by International Telecommunications Union that helps the telephony and multimedia features on products from different vendors interoperate.

As many as 40 technology vendors may have products vulnerable to the flaws. Many are issuing security advisories and scrambling to inform their customers about the specific products that are vulnerable.

Details of the problem, and the response from vendors, are being posted on the Web by the CERT Coordination Center.

The H.323 flaw affects each product differently. If successfully attacked, some may freeze up and have to reboot. Other products could be taken over by attackers, giving them access to a business' technology systems. For example, earlier this week Microsoft patched an H.323 vulnerability that affected its Internet Security and Acceleration Server 2000, which is packaged with Small Business Server 2000 and 2003. According to Microsoft Bulletin MS04-001, which the vendor ranked as critical, the vulnerability could allow an attacker to gain complete control of the system.

The CERT advisory states that Microsoft and Cisco have addressed their vulnerable products. But CERT is awaiting statements from dozens of other vendors as to their potential susceptibility to the flaw. A complete list of potentially affected vendors is available at http://www.cert.org/advisories/CA-2004-01.html#vendors.

Cisco products that may be at risk include various voice-over-IP switches, versions 3.0 through 3.3 of CallManager, and Conference Connection.

CIOs need to be aware that voice over IP creates exposure to vulnerabilities, says David Fraley, a principal analyst at Gartner Dataquest. "While there are very real and neat opportunities with VoIP, as convergence increases, the risks to attacks to these systems are going to increase," he says.

Despite the vast number of affected vendors, the impact of the flaw should be minimal, says Paul Jones, who chairs the ITU group that is responsible for the H.323 standard. Jones says correcting the flaw is straightforward and that most vendors already have taken action to correct the issue.

The bulk of the problem is directly related to the Abstract Syntax Notation One, or ASN.1, vulnerability discovered in June 2002, which was present in networking gear from many vendors, according to Jones. He says some implementations of the H.323 protocol "fail to perform proper checks to ensure that messages are properly composed. These errors are programming oversights, wherein a system does not check for reasonable and proper message structures."