Feeds

Google bod exposes Sophos Antivirus' gaping holes

Ormandy - Are you pleased with yourself? Probably yes

The Essential Guide to IT Transformation

A security researcher has discovered embarrassing and critical vulnerabilities in Sophos' enterprise protection software.

Tavis Ormandy, an information security engineer at Google, published a paper along with example attack code to highlight flaws present in Windows, Linux and Mac OS X builds of Sophos' antivirus product.

The holes can be reliably and easily exploited by hackers to compromise the computers the software is supposed to defend. Specifically, the antivirus scanner fails to safely examine encrypted PDFs and VisualBasic files, which could arrive in an email or website download; these documents can be crafted to trigger flaws within the software and gain control of the system.

In response, Sophos confirmed today that most of the eight vulnerabilities documented by Ormandy were patched a month after the security researcher reported the bugs in September. The company is adamant the flaws have not been exploited in the wild.

Nonetheless Ormandy - who said his work has nothing to do with his employer - argued in a post to the Full Disclosure mailing list on Monday that the risk is high.

"My paper includes a working pre-authentication remote root exploit that requires zero-interaction, and could be wormed within the next few days," he writes. "I would suggest administrators deploying Sophos products study my results urgently, and implement the recommendations."

Ormandy's dossier [PDF] also includes advice on best practices for Sophos users and is "intended to help administrators of high-value networks minimise the potential damage to their assets caused by Sophos". Even the name of the paper "sophailv2" alludes to failure.

His suggestion that IT bosses "exclude Sophos products from consideration for high-value networks and assets" is unlikely to find much favour at Sophos HQ.

Ormandy is also critical of the overall quality of programming and quality assurance testing by Sophos as well as the company's insistence that the exploitation of the holes is unlikely.

"A working exploit for Sophos 8.0.6 on Mac is available, however the techniques used in the exploit easily transfer to Windows and Linux due to multiple critical implementation flaws described in the paper. Test cases for the other flaws described in the paper are available on request," he wrote.

Ormandy reported the vulnerabilities to Sophos on 10 September. Five of the flaws were mitigated in a new version rolled out to users on 22 October. A further two security bugs were quashed on 5 November. The security firm promises a fix for a further bug, which causes its software to crash, by the end of the month.

As well as the PDF and Visual Basic blunders, vulnerabilities were found in the antivirus engine's handling of malformed CAB and RAR files, which corrupted the computer system's memory if triggered - another headache for sysadmins. The software also needlessly knackered the Windows operating system's ASLR defence mechanism against malicious code, and was vulnerable to cross-site scripting attacks. These flaws have been patched.

A demonstration of the Sophos Anti-Virus Sophail PDF Vulnerability, the worst of the vulnerabilities uncovered by Ormandy, can be found here as a Metasploit payload.

Best of enemies

There's a history between Sophos and Ormandy, which goes some way to explain the somewhat aggressive tone of their latest exchanges.

The Google engineer delivered a presentation on what he argued were shortcomings in Sophos software at Black Hat USA in August 2011. Prior to this writers on the Sophos Naked Security blog repeatedly criticised Ormandy over the allegedly "irresponsible disclosure" of a zero-day vulnerability in Windows Help and Support Center that affected Windows XP machines in June 2010.

Days later Sophos published an article provocatively titled Tavis Ormandy - are you pleased with yourself? Website exploits Microsoft zero-day. The revealed flaw was subsequently used by miscreants to infect more than 10,000 PCs in less than one month, according to Sophos.

El Reg counted five articles and a podcast openly critical of Ormandy on the Naked Security blog, not including the two posts on the vulnerabilities he's discovered in Sophos software, which are a bit passive aggressive but overall neutral in tone, if you discount the anger over the Windows flaw uncovered two years ago.

By comparison the crooks behind Operation Ghost Click, a massive online crime wave uncovered last year, are mentioned only twice, although in fairness the DNS Changer malware the crims peddled has been frequently covered by Sophos.

Love Bug worm author Onel de Guzman gets only three mentions. That's not to say Sophos blog writers hold Ormandy in lower regard than de Guzman, but it does suggest they may have gone a bit over the top with their criticism of Ormandy two years ago - something that may have encouraged subsequent probing of the UK-based software company's products.

Graham Cluley, a senior technology consultant at Sophos, welcomed Ormandy's efforts.

"Sophos products are better than they were three months ago and Tavis's research has helped," Cluley told El Reg. "He told us about vulnerabilities we didn't know about before, which we've successfully been able to patch."

Every security system vendor suffers from vulnerabilities from time to time, and it's far better that the flaws are reported by researchers such as Ormandy and fixed before they are exploited by hackers, Cluley added. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.