Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Security Engineer Issues Sophos Warning

Posted by Soulskill on from the you-have-been-called-out dept.

angry tapir writes "Google security engineer Tavis Ormandy discovered several flaws in Sophos antivirus and says the product should be kept away from high value information systems unless the company can avoid easy mistakes and issue patches faster. Ormandy has released a scathing 30-page analysis (PDF) 'Sophail: Applied attacks against Sophos Antivirus,' in which he details several flaws 'caused by poor development practices and coding standards,' topped off by the company's sluggishly response to the warning he had working exploits for those flaws. One of the exploits Ormandy details is for a flaw in Sophos' on-access scanner, which could be used to unleash a worm on a network simply by targeting a company receiving an attack email via Outlook. Although the example he provided was on a Mac, the 'wormable, pre-authentication, zero-interaction, remote root' affected all platforms running Sophos. (Ormandy released the paper as an independent researcher, not in his role as a Google employee.)"

3 of 89 comments (clear)

  1. Official Sophos Response. by Deathlizard · · Score: 5, Informative

    From http://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/ and reprinted here in case of slashdotting...

    As a security company, keeping customers safe is Sophos's primary responsibility. As a result, Sophos experts investigate all vulnerability reports and implement the best course of action in the tightest time period possible.

    Recently, researcher Tavis Ormandy contacted Sophos about an examination he had done of Sophos's anti-virus product, identifying a number of issues:

    A remote code execution vulnerability was discovered in how the Sophos anti-virus engine scans malformed Visual Basic 6 compiled files. Sophos has seen no evidence of this vulnerability being exploited in the wild.
    First reported to Sophos: 10 September 2012
    Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)

    The Sophos web protection and web control Layered Service Provider (LSP) block page was found to include a XSS flaw. Sophos has seen no evidence of this vulnerability being exploited in the wild.
    First reported to Sophos: 10 September 2012
    Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)

    An issue was identified with the BOPS technology in Sophos Anti-Virus for Windows and how it interacted with ASLR on Windows Vista and later. Sophos has seen no evidence of this vulnerability being exploited in the wild.
    First reported to Sophos: 10 September 2012
    Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)

    An issue was identified in how Sophos protection interacts with Internet Explorer's Protected Mode. Sophos has seen no evidence of this vulnerability being exploited in the wild.
    First reported to Sophos: 10 September 2012
    Roll-out of a fix for Sophos customers cbegan: 5 November 2012 (56 days later)

    Vulnerabilities were found in how Sophos's anti-virus engine handles malformed CAB files. These vulnerabilities could cause the Sophos engine to corrupt memory. Sophos has seen no evidence of this vulnerability being exploited in the wild.
    First reported to Sophos: 10 September 2012
    Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)

    Vulnerabilities were found in how Sophos's anti-virus engine handles malformed RAR files. These vulnerabilities could cause the Sophos engine to corrupt memory. Sophos has seen no evidence of this vulnerability being exploited in the wild.
    First reported to Sophos: 10 September 2012
    Roll-out of a fix for Sophos customers began: 5 November 2012 (56 days later)

    A remote code execution vulnerability was discovered in how the Sophos anti-virus engine scans malformed PDF files. Sophos has seen no evidence of this vulnerability being exploited in the wild.
    First reported to Sophos: 5 October 2012
    Roll-out of a fix for Sophos customers began: 5 November 2012 (31 days later)

    Tavis Ormandy has provided examples of other malformed files which can cause the Sophos anti-virus engine to halt - these are being examined by Sophos experts. Sophos has seen no evidence of this occurring in the wild.
    First reported to Sophos: 4 October 2012
    Roll-out of a fix for Sophos customers will begin: 28 November 2012 (55 days later)

    Best practice
    Sophos customers are reminded of the following best practices:

    1. Keep systems patched and up to date

    2. Upgrade to the latest version of Sophos software to get the best protection

    Responsible disclosure
    Sophos believes in responsible disclosure.

    The work of Tavis Ormandy, and others like him in the research community, who choose to work alongside security companies, can significantly strengthen software products. On behalf of its partners and customers, Sophos appreciates Tavis Ormandy's efforts and responsible approach.

    --
    In Soviet Russia, Trojan exploits YOU!
    1. Re:Official Sophos Response. by Anonymous Coward · · Score: 5, Insightful

      What's worse?
      1. That a security company had so many serious flaws in a flagship product
      2. That the same security company considers it OK to take (on average) over 40 days to fix the issues. Remember that this is an Anti-virus product. One of the main use cases is to respond quickly to flaws in other software, to cover the period between the flaw becoming known, and the vendor releasing a fix.
      3. That most clients won't see a problem with 2.

  2. Re:Can someone explain by LordLimecat · · Score: 5, Informative

    Security essentials is packaged for businesses as Forefront, and can be managed centrally.

    Being "massive in the enterprise market" doesnt mean youre good at it.