VoIPshield made its third announcement of security vulnerabilities in VoIP systems marketed by Avaya, Cisco and Nortel. This brings the total number of vulnerability groups reported to VoIP vendors in 2008 to over sixty, representing over 200 unique vulnerabilities. The vulnerability groups will be disclosed in limited detail at noon EDT today on VoIPshield's website at www.voipshield.com/research.

Under its Responsible Disclosure Policy, VoIPshield works with the VoIP vendors to assist them in reproducing the vulnerabilities in their labs, thus facilitating the development of software patches for the affected products. Avaya, Cisco and Nortel are acknowledging these vulnerabilities today on their websites, and issuing their own security advisories and patches.

Vulnerabilities were also discovered in Microsoft's VoIP products, and these will be announced next month. Under VoIPshield's disclosure policy, vendors may request extra time to create and test patches for their applications.

To date, VoIPshield Labs has performed extensive security research and testing on the following VoIP products:

• Avaya - Communication Manager, Message Storage Server, SIP Enablement Server, IP hard-phones, and IP soft-phones.
• Nortel - Business Communication Manager, Communication Server 1000, Media Communication Server Applications, IP hard-phones, and IP soft-phones.
• Cisco - Call Manager, Unified Communication Manager, Unity Unified Communication, IP hard-phones, and IP soft-phones.
• Microsoft - Office Communications Server and Office Communicator.

Vulnerabilities are categorized into four exploit types based on their most likely malicious intent: remote code execution; unauthorized access; denial of service; and information gathering. Each vulnerability is assigned a severity rating of Critical, High, Medium or Low based on an industry-standard measurement system modified for VoIP.

Effective immediately, customers of VoIPshield's VoIPaudit and VoIPguard products, and customers with subscriptions to VoIPshield UpdateTM, can download the new plug-ins and signatures.

The VoIP vulnerabilities discovered by VoIPshield Labs, if successfully exploited, could result in losses to the corporation in the form of lost revenues, brand reputation, mitigation expenses, productivity loss and eventually compliance penalties.

In April, VoIPshield was named one of five "Cool Vendors in Infrastructure Protection for 2008" by Gartner. In September, VoIPshield was named one of Canada's "Top 50 companies" by Red Herring.