SIP takes a hit

The CERT Coordination Center is warning of a vulnerability that is affecting products using the session initiation protocol (SIP).

CERT said the type of attack against the protocol can range from denial-of-service (DoS) attacks to the ability to execute arbitrary code on systems. However, the firm was not certain of all the products it was affecting.

According to CERT, the Oulu University Secure Programming Group has been examining vulnerabilities related to the SIP protocol. SIP is known as the signalling protocol for voice over IP (VoIP), Internet telephony and instant messaging (IM) applications.

The saving grace for many vendors is that they don’t ship products with the SIP protocol, including Apple Computer Inc., IBM and Hewlett-Packard Inc. Other tech heavyweights, including America Online Inc. and Microsoft Corp. have reported no vulnerabilities to date.

Cisco Systems is addressing the problem across its product line and has released an advisory, which can be found at

CERT is online at