XSS attack across SIP protocol leaves door open for malware attacks

There is a potential new method to gain control of a user’s PC utilizing an XSS attack via the VoIP protocol called SIP.

This XSS attack would allow malicious hackers to run their malware on any users’ PC via their VoIP connection. Radu State found the vulnerability in the LinkSys SPA a few days ago. The proof of concept code can be found here.

The issue is simple – attackers may have found a blind spot in today’s popular defenses, as most security products are not looking for Web 2.0 XSS attacks over SIP. It is recommended to use a solution that scans for malicious scripts and malware across every protocol that is permitted to enter the enterprise network.

While commenting this issue for Help Net Security, Paul Henry, VP of Technology Evangelism at Secure Computing said: “With the seemingly complete disregard for security in VoIP deployments the recent release of Proof of Concept code for a XSS that can allow malware to be downloaded to a VoIP users desktop represents only the tip of the iceberg on VoIP vulnerabilities that are sure to come.”