ISSX Internet Security Systems

Internet Security Systems, Inc. (ISS) (NASDAQ: ISSX), the worldwide leader in preemptive, enterprise security, today announced that its X-Force(R) research and development team has discovered and provided protection for ISS customers from two vulnerabilities in the Inter-Asterisk eXchange protocol version 2 (IAX2). The vulnerabilities, if exploited, could lead to complete denial of office telephone or Internet services in environments where Asterisk private branch exchange (PBX) is in use. Asterisk is an open source, freely available application that allows organizations to access all of the features of a typical telephony PBX, including voicemail services, call conferencing, interactive voice response, call queuing, three-way calling and caller ID services. "Users of Voice over Internet Protocol (VoIP) systems must be mindful not only of denial-of-service vulnerabilities in their VoIP PBX implementations, such as the vulnerability discovered in Asterisk, but underlying VoIP protocol weaknesses that may leave organizations open to vishing, a new security threat which uses VoIP to steal user information, and spam over the VoIP network," said Chris Rouland, chief technology officer of Internet Security Systems. "By leveraging preemptive protection from Internet Security Systems, organizations can avoid the potential loss of productivity and the business ramifications caused by these VoIP flaws as well as the underlying operating systems vulnerabilities that VoIP platforms run on." ISS X-Force has discovered a denial of service vulnerability in the IAX2, which is used by Asterisk PBX to exchange Voice over Internet Protocol (VoIP) and call content. The vulnerability is apparent if an attacker floods the phone service with call requests, thereby preventing the phone service from handling new telephone calls. ISS X-Force discovered a second vulnerability that allows an attacker to leverage accounts without passwords on an Asterisk PBX network to flood another network with large amounts of traffic. The volume of traffic can saturate the victim's Internet connection and cause complete denial of Internet service to the victim. Additionally, victims of the attack may experience reduced quality of service. Asterisk has already released a patch to address the denial of service vulnerability. Asterisk users are urged to upgrade as soon as they can practically do so, or ensure that they do not expose IAX2 services to the public if it is not necessary. Asterisk users are strongly advised to ensure that no accounts are configured without passwords. For more details visit www.asterisk.org. ISS has provided customers with preemptive protection for these flaws through its Proventia(R) security platform. ISS' preemptive technology is based on the research and discoveries of its X-Force research and development team. By protecting against vulnerabilities rather than known exploits, ISS' Virtual Patch(R) technology keeps organizations ahead of Internet threats until they are able to obtain, test and apply patches from affected vendors. The ISS X-Force advisory on this vulnerability can be found at: http://xforce.iss.net/xforce/alerts/id/228 and http://xforce.iss.net/xforce/alerts/id/229. About Internet Security Systems, Inc. Internet Security Systems, Inc. (ISS) is the trusted security advisor to thousands of the world's leading businesses and governments, providing preemptive protection for networks, desktops and servers. An established leader in security since 1994, ISS' integrated security platform automatically protects against both known and unknown threats, keeping networks up and running and shielding customers from online attacks before they impact business assets. ISS products and services are based on the proactive security intelligence of its X-Force research and development team - the unequivocal world authority in vulnerability and threat research. ISS' product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362. Internet Security Systems is a trademark and X-Force, Proventia and Virtual Patch are registered trademarks of Internet Security Systems, Inc. All other companies and products mentioned are trademarks and property of their respective owners.