Feeds

Google bod exposes Sophos Antivirus' gaping holes

Ormandy - Are you pleased with yourself? Probably yes

Website security in corporate America

A security researcher has discovered embarrassing and critical vulnerabilities in Sophos' enterprise protection software.

Tavis Ormandy, an information security engineer at Google, published a paper along with example attack code to highlight flaws present in Windows, Linux and Mac OS X builds of Sophos' antivirus product.

The holes can be reliably and easily exploited by hackers to compromise the computers the software is supposed to defend. Specifically, the antivirus scanner fails to safely examine encrypted PDFs and VisualBasic files, which could arrive in an email or website download; these documents can be crafted to trigger flaws within the software and gain control of the system.

In response, Sophos confirmed today that most of the eight vulnerabilities documented by Ormandy were patched a month after the security researcher reported the bugs in September. The company is adamant the flaws have not been exploited in the wild.

Nonetheless Ormandy - who said his work has nothing to do with his employer - argued in a post to the Full Disclosure mailing list on Monday that the risk is high.

"My paper includes a working pre-authentication remote root exploit that requires zero-interaction, and could be wormed within the next few days," he writes. "I would suggest administrators deploying Sophos products study my results urgently, and implement the recommendations."

Ormandy's dossier [PDF] also includes advice on best practices for Sophos users and is "intended to help administrators of high-value networks minimise the potential damage to their assets caused by Sophos". Even the name of the paper "sophailv2" alludes to failure.

His suggestion that IT bosses "exclude Sophos products from consideration for high-value networks and assets" is unlikely to find much favour at Sophos HQ.

Ormandy is also critical of the overall quality of programming and quality assurance testing by Sophos as well as the company's insistence that the exploitation of the holes is unlikely.

"A working exploit for Sophos 8.0.6 on Mac is available, however the techniques used in the exploit easily transfer to Windows and Linux due to multiple critical implementation flaws described in the paper. Test cases for the other flaws described in the paper are available on request," he wrote.

Ormandy reported the vulnerabilities to Sophos on 10 September. Five of the flaws were mitigated in a new version rolled out to users on 22 October. A further two security bugs were quashed on 5 November. The security firm promises a fix for a further bug, which causes its software to crash, by the end of the month.

As well as the PDF and Visual Basic blunders, vulnerabilities were found in the antivirus engine's handling of malformed CAB and RAR files, which corrupted the computer system's memory if triggered - another headache for sysadmins. The software also needlessly knackered the Windows operating system's ASLR defence mechanism against malicious code, and was vulnerable to cross-site scripting attacks. These flaws have been patched.

A demonstration of the Sophos Anti-Virus Sophail PDF Vulnerability, the worst of the vulnerabilities uncovered by Ormandy, can be found here as a Metasploit payload.

Best of enemies

There's a history between Sophos and Ormandy, which goes some way to explain the somewhat aggressive tone of their latest exchanges.

The Google engineer delivered a presentation on what he argued were shortcomings in Sophos software at Black Hat USA in August 2011. Prior to this writers on the Sophos Naked Security blog repeatedly criticised Ormandy over the allegedly "irresponsible disclosure" of a zero-day vulnerability in Windows Help and Support Center that affected Windows XP machines in June 2010.

Days later Sophos published an article provocatively titled Tavis Ormandy - are you pleased with yourself? Website exploits Microsoft zero-day. The revealed flaw was subsequently used by miscreants to infect more than 10,000 PCs in less than one month, according to Sophos.

El Reg counted five articles and a podcast openly critical of Ormandy on the Naked Security blog, not including the two posts on the vulnerabilities he's discovered in Sophos software, which are a bit passive aggressive but overall neutral in tone, if you discount the anger over the Windows flaw uncovered two years ago.

By comparison the crooks behind Operation Ghost Click, a massive online crime wave uncovered last year, are mentioned only twice, although in fairness the DNS Changer malware the crims peddled has been frequently covered by Sophos.

Love Bug worm author Onel de Guzman gets only three mentions. That's not to say Sophos blog writers hold Ormandy in lower regard than de Guzman, but it does suggest they may have gone a bit over the top with their criticism of Ormandy two years ago - something that may have encouraged subsequent probing of the UK-based software company's products.

Graham Cluley, a senior technology consultant at Sophos, welcomed Ormandy's efforts.

"Sophos products are better than they were three months ago and Tavis's research has helped," Cluley told El Reg. "He told us about vulnerabilities we didn't know about before, which we've successfully been able to patch."

Every security system vendor suffers from vulnerabilities from time to time, and it's far better that the flaws are reported by researchers such as Ormandy and fixed before they are exploited by hackers, Cluley added. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.